Hello,

playing around with the latest MySQL from Rawhide, I noticed that there is
a bug or a problem in the new MySQL init script. My "problem" was that I set
a password for the MySQL user 'root', and so the original new init script
fails.

I posted that at Bugzilla; my posting is closed now, because supposedly all
works fine and it isn't a problem... I personally think that's a brashness!

It is a pity that the Bugzilla report can only be read by the group 'rhnpm',
so I was so free to post it here again ;-)

BTW: The original report was: #108779

If I read all correctly, you don't need a password for the MySQL user 'root' -
that's fine and it's no security hole - really nice! :-/

On a test system installed Fedora Core 1 with the actual mysql - NOTHING
changed:

mysql> SELECT HOST,USER,PASSWORD FROM user;
+-------------+------+----------+
| HOST        | USER | PASSWORD |
+-------------+------+----------+
| localhost   | root |          |
| sirendipity | root |          |
| localhost   |      |          |
| sirendipity |      |          |
+-------------+------+----------+
4 rows in set (0.01 sec)

$ netstat -alpen | grep mysql
tcp   0   0 0.0.0.0:3306   0.0.0.0:*   LISTEN   0   346662   19079/mysqld

It's good to know that there isn't any security problem here, too.

10.0.0.2 = sirendipity

# mysql -h 10.0.0.2 -u root
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 3.23.58

So root still has to set a password, as you can read at SecurityFocus:
http://www.securityfocus.com/infocus/1726

I actually interpret the current default configuration of mysql and the init
script absolutely as misconfiguration. In my eyes NOTHING is okay - that
doesn't fit with the other Red Hat security patches and settings!

So what's up?! Could someone explain to me why my message was treated so
wrongly?

--- snipp from Bugzilla #108779 ---

Opened by (Robert Scheck) on 2003-11-01 16:56

Description of problem, how reproducible and steps to reproduce:

# service mysqld restart
Stopping MySQL:  [  OK  ]
Timeout error occurred trying to start MySQL Daemon.
Starting MySQL:  [FAILED]
#

It displays only an error, but mysqld lives!

Version-Release number of selected component (if applicable):

mysql-3.23.58-4

Actual results:

If I do a mysqladmin ping at my system I get the following:

# mysqladmin ping
mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user: 'root@localhost' (Using password: NO)'
#

I've to use a password:

# mysqladmin -u root -p ping
Enter password:
mysqld is alive
#

Or I've to use the MySQL user:

# mysqladmin -u mysqld ping
mysqld is alive
#

Expected results and additional info:

The error is caused by that section:

> # Spin for a maximum of ten seconds waiting for the server to come up
> if [ $ret -eq 0 ]; then
>     for x in 1 2 3 4 5 6 7 8 9 10; do
>         if [ -n "`/usr/bin/mysqladmin ping 2> /dev/null`" ]; then
>             break;
>         else
>             sleep 1;
>         fi
>     done
>     if !([ -n "`/usr/bin/mysqladmin ping 2> /dev/null`" ]); then
>         echo "Timeout error occurred trying to start MySQL Daemon."
>         action $"Starting $prog: " /bin/false
>     else
>         action $"Starting $prog: " /bin/true
>     fi
> else
>     action $"Starting $prog: " /bin/false
> fi

You can't do that so - you've seen it above! I added a new init script
solving that problem. And I think it's ugly to use "2> /dev/null" at a Bash
script...

--- Additional Comment #1 From Robert Scheck on 2003-11-01 17:02

Created an attachment (id=95652)
Fix for mysqld for /etc/init.d

--- Additional Comment #2 From Kim Ho on 2003-11-03 11:20

I am having problems reproducing this problem.

[root@tomaluk init.d]# service mysqld start
Initializing MySQL database:  [  OK  ]
Starting MySQL:  [  OK  ]
[root@tomaluk init.d]# mysqladmin ping
mysqld is alive
[root@tomaluk init.d]#
[root@tomaluk init.d]# service mysqld restart
Stopping MySQL:  [  OK  ]
Starting MySQL:  [  OK  ]
[root@tomaluk init.d]# service mysqld stop
Stopping MySQL:  [  OK  ]
[root@tomaluk init.d]#

The only way I was able to reproduce it was:

mysql> select user,host from user;
+------+----------------------------+
| user | host                       |
+------+----------------------------+
|      | localhost                  |
| root | localhost                  |
|      | tomaluk.toronto.redhat.com |
| root | tomaluk.toronto.redhat.com |
+------+----------------------------+
4 rows in set (0.00 sec)

mysql> delete from user where user='';
Query OK, 2 rows affected (0.00 sec)

mysql> \q
Bye
[root@tomaluk init.d]# mysqladmin ping
mysqld is alive
[root@tomaluk init.d]# service mysqld restart
Stopping MySQL:  [  OK  ]
Timeout error occurred trying to start MySQL Daemon.
Starting MySQL:  [FAILED]
[root@tomaluk init.d]# mysqladmin -u root ping
mysqld is alive

Please let me know if the users in mysql have been changed. (e.g. the
removal of anonymous users)

--- Additional Comment #3 From Robert Scheck on 2003-11-03 11:37

mysql> select user,host from user;
+---------+-----------+
| user    | host      |
+---------+-----------+
| root    | hurricane |
|         | localhost |
+---------+-----------+

Well, I only gave root a password... And it's correct to give mysql-root a
password, because that is explicit written in the mysql documentation!

--- Additional Comment #4 From Robert Scheck on 2003-11-03 11:45

Have a look to the documentation:
http://www.mysql.de/doc/en/Default_privileges.html

--- Additional Comment #5 From Kim Ho on 2003-11-03 14:05

The defaults work fine. If you change the settings, then you will have to
make the appropriate changes in the scripts.

--- Additional Comment #6 From Robert Scheck on 2003-11-03 15:38

The default works fine, as long as the admin doesn't change the password for
the mysql root user. But as described in the MySQL admin documentation,
everybody _must_ change this, in order to close a security hole:

> Because your installation is initially wide open, one of the first
> things you should do is specify a password for the MySQL root user.
> You can do this as follows (note that you specify the password
> using the PASSWORD() function):

> Try mysql -u root. If you are able to connect successfully to the
> server without being asked for a password, you have problems.
> Anyone can connect to your MySQL server as the MySQL root user with
> full privileges! Review the MySQL installation instructions, paying
> particular attention to the item about setting a root password.

One solution would be to create a "dummy" mysql user restricted to localhost
and with no rights. Another solution would be to remove the new changes and
to live without a check whether the mysql server runs or not.

And could you please remove the binding in bugzilla to the group rhnpm?
Thank you very much. I think that's interesting for other users, too.

--- Additional Comment #7 From Kim Ho on 2003-11-03 15:54

No.. if everyone _HAS TO_ change this, it would have been part of setting up
MySQL. It is not part of the defaults of MySQL and therefore, we will not be
changing it.

--- snapp from Bugzilla #108779 ---

Yours sincerely,
  Robert
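
Added example, not part of the original post and not the Red Hat init script: a start-up probe that keeps working once the MySQL root account has a password, by treating an "Access denied" reply as proof that mysqld is answering. The function names and the probe_* stand-ins for mysqladmin are hypothetical; the "Can't connect" text is a constructed sample.

```shell
#!/bin/sh
# Added example, not the Red Hat init script. Function names are hypothetical.

# Return 0 if the probe output proves that a server answered the connection.
# "Access denied" means mysqld is up and rejected the login, which is the
# normal result once the MySQL root account has a password.
classify_ping() {
    case "$1" in
        *"mysqld is alive"*) return 0 ;;
        *"Access denied"*)   return 0 ;;
        *)                   return 1 ;;
    esac
}

# wait_for_server PROBE [TRIES] [DELAY]: poll PROBE until a server answers.
# In an init script PROBE would be "/usr/bin/mysqladmin ping".
wait_for_server() {
    probe=$1 tries=${2:-10} delay=${3:-1} i=0
    while [ "$i" -lt "$tries" ]; do
        # Keep stderr: the "Access denied" text is printed there.
        out=$($probe 2>&1) || true
        if classify_ping "$out"; then
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    return 1
}

# Constructed stand-ins for mysqladmin so the example runs without a server.
probe_alive() { echo "mysqld is alive"; }
probe_denied() {
    echo "mysqladmin: connect to server at 'localhost' failed" >&2
    echo "error: 'Access denied for user: 'root@localhost' (Using password: NO)'" >&2
    return 1
}
probe_down() {
    echo "mysqladmin: connect to server at 'localhost' failed" >&2
    echo "error: 'Can't connect to local MySQL server through socket'" >&2
    return 1
}

for p in probe_alive probe_denied probe_down; do
    if wait_for_server "$p" 2 0; then echo "$p: up"; else echo "$p: down"; fi
done
```
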