2

With a fresh (but old) install of Ubuntu and MySQL, I found I could access the MySQL via command line client without being asked for any user or password.

This bothered me as the default situation, and I tried to investigate it. Logging in as root required the root password. But logging in without specifying the user (ie, just typing mysql on the command line) asked me for neither user nor password.

I think I've tracked it down to the user debian-sys-maint, which appears to have full MySQL permissions on the one hand, and is also the default client user as defined in /etc/mysql/debian.cnf on the other.

My first instinct was to get rid of the user entirely, because this seemed a security hole to me, but upon reading up, including the posts linked below, it seems that debian-sys-maint is needed.

So my plan is to try the following:

REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'debian-sys-maint';
GRANT RELOAD on *.* TO 'debian-sys-maint'@'localhost' IDENTIFIED BY 'xxxxxx';
FLUSH PRIVILEGES;

Can anyone comment on this as the recommended / expected / correct way to secure a default MySQL installation?

Should I also alter /etc/mysql/debian.cnf to remove this section?

[client]
host     = localhost
user     = debian-sys-maint
password = xxxxxx
socket   = /var/run/mysqld/mysqld.sock

(It does warn: # Automatically generated for Debian scripts. DO NOT TOUCH!)

I intend to replace it with my own ~/.my.cnf client section anyway.

Update: The permissions on /etc/mysql/debian.cnf are:

-rw------- 1 root root 312 2012-05-20 23:07 /etc/mysql/debian.cnf

References:

Community
  • 1
Stewart
  • 203
  • 3
  • 12
  • 2
    The simple fact is, that if a person has root-access on host system, then the user has root access to the Mysql server. It is trivial bypass mysql authentication. It just takes restarting the mysql server with the correct command line options. So stop, and think about what threats you are trying to protect against here. Are you worried about the system root user, doing things the system root user has privileges to do already? Are you worried about the permissions being set wrong on the debian.cnf file? Or what. – Zoredache Aug 11 '14 at 23:26
  • 1
    Did you log in into mysql via root-account or from a regular unprivileged useraccount? The latter would be a huge security risk and can by no means be the default behaviour. However, the debian-sys-maint user is used in mysql to roll the logs and therefore should not be deleted. Don't remove that section in the cnf file as this will prevent the user from logging into mysql. Revoking the priviliges is an option, however consider that if you do that you will have no fallback if you ever lose the mysql-root-password (shouldn't happen, just saying). – Broco Aug 11 '14 at 23:37
  • @Zoredache - It's a good question, what am I protecting against. I guess it was my initial shock - I had just installed MySQL, set a root password during the install, and suddenly I could login without a password, and had no idea how or who, and immediately felt "That's not right." – Stewart Aug 12 '14 at 04:20
  • @Broco - On Ubuntu, pretty much everything is done from a regular account, and with root actions being done using sudo. I logged into MySQL from a regular account, without being asked user / password. I believe that it was the debian-sys-maint user that I was going in as. – Stewart Aug 12 '14 at 04:22
  • Ok, so your questions got me thinking. I checked select user() and found it may not be anything to do with debian-sys-maint at all. Apparently I'm logging in as stewart@localhost - but there is no user stewart in the table user. I do not understand this at all. – Stewart Aug 12 '14 at 04:33
  • Does the stewart@localhost user have access to any actual databases? – andol Aug 12 '14 at 06:34
  • Yes. information_schema. But the point is, why does the user exist? I thought MySQL users were separate from OS system accounts. – Stewart Aug 12 '14 at 07:21
  • Based on this, I've asked a fresh question: http://serverfault.com/questions/619775/default-user-for-mysql – Stewart Aug 12 '14 at 08:21
  • Notice that users on the Linux machines has nothing to do with users in MySQL. The user debian-sys-maint is used when shuting down the server and checking that there are a root user in MySQL when starting MySQL and other stuff. Don't remove it, but protect the file and your ordinary accounts with good passwords or even better, with SSH key login and disable login with passwords in `ssh – Anders Jan 02 '15 at 04:50
  • Have a look at /usr/share/doc/mysql-server-5.5/README.Debian.gz for more information that any MySQL administrator on a Debian or Debian based system should know. – Anders Jan 02 '15 at 04:53

1 Answers1

2

The answer to this is that the debian-sys-maint account is a red-herring.

The phenomena I was looking at was a MySQL "anonymous" user.

This is answered by these 2 questions, as well as my own that I posted yesterday:

Community
  • 1
Stewart
  • 203
  • 3
  • 12