Upgrading from MySQL 5.7.36 to 5.7.39 replaces root's auth_socket with mysql_native_password and a simple password

Bug #1988200 reported by Blum Bluntu
This bug affects 1 person
Affects: mysql-5.7 (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

I'm on Ubuntu 18.04.6.

Today, after doing apt upgrade, my MySQL server was upgraded from 5.7.36-0ubuntu0.18.04.1 to 5.7.39-0ubuntu0.18.04.2.
Before the upgrade I had my MySQL 'root' user's plugin set to 'auth_socket' and 'authentication_string' set to empty, which allowed passwordless login from system root to MySQL root.
However the upgrade changed the MySQL 'root' user's plugin to 'mysql_native_password' and added an 'authentication_string'.

After decrypting the new password hash, I discovered it's 'root'.

This is potentially dangerous.

Sergio Durigan Junior (sergiodj) wrote :

Thank you for taking the time to file a bug report.

I tried reproducing this locally but failed. Here's what I did:

$ lxc launch ubuntu:bionic test-mysql
$ lxc shell test-mysql
# apt update
# cd /tmp
# wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/22324306/+files/mysql-server-core-5.7_5.7.36-0ubuntu0.18.04.1_amd64.deb https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/22324306/+files/mysql-server-5.7_5.7.36-0ubuntu0.18.04.1_amd64.deb
# apt install ./mysql-server*.deb
# cat >> /etc/mysql/mysql.conf.d/mysqld.cnf << __EOF__
plugin-load-add=auth_socket.so
auth_socket=FORCE_PLUS_PERMANENT
__EOF__
# systemctl restart mysql.service
# mysql -uroot -e 'select user,plugin,authentication_string from mysql.user;'
+------------------+-----------------------+-------------------------------------------+
| user | plugin | authentication_string |
+------------------+-----------------------+-------------------------------------------+
| root | auth_socket | |
| mysql.session | mysql_native_password | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| mysql.sys | mysql_native_password | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| debian-sys-maint | mysql_native_password | *BAC57F6E71D415AD367BD54FBE913C5B896313AD |
+------------------+-----------------------+-------------------------------------------+
# apt install mysql-server-5.7 --only-upgrade -y
...
# mysql -uroot -e 'select user,plugin,authentication_string from mysql.user;'
+------------------+-----------------------+-------------------------------------------+
| user | plugin | authentication_string |
+------------------+-----------------------+-------------------------------------------+
| root | auth_socket | |
| mysql.session | mysql_native_password | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| mysql.sys | mysql_native_password | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| debian-sys-maint | mysql_native_password | *BAC57F6E71D415AD367BD54FBE913C5B896313AD |
+------------------+-----------------------+-------------------------------------------+

As you can see, the value of 'authentication_string' is still empty, and I can successfully log in as root without providing a password.

Since there is not enough information in your report to begin triage or to
differentiate between a local configuration problem and a bug in Ubuntu, I
am marking this bug as "Incomplete". We would be grateful if you would:
provide a more complete description of the problem, explain why you
believe this is a bug in Ubuntu rather than a problem specific to your
system, and then change the bug status back to "New".

For local configuration issues, you can find assistance here:
http://www.ubuntu.com/support/community

Changed in mysql-5.7 (Ubuntu):
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for mysql-5.7 (Ubuntu) because there has been no activity for 60 days.]

Changed in mysql-5.7 (Ubuntu):
status: Incomplete → Expired
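
A post-upgrade check for the condition described in this report, as an added example that is not part of the bug thread or of the Ubuntu packaging: it parses the `select user,plugin,authentication_string` output shown above, flags a root account whose plugin is no longer auth_socket, and compares mysql_native_password hashes against a few trivial passwords. The function names, the TRIVIAL list and the sample rows are assumptions constructed for illustration.

```python
import hashlib

def native_hash(password):
    """mysql_native_password stores '*' + uppercase hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def parse_user_table(text):
    """Parse boxed `mysql -e 'select user,plugin,authentication_string ...'` output."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("|") and line.endswith("|")):
            continue  # skip +---+ borders, prompts and blank lines
        cells = [c.strip() for c in line[1:-1].split("|")]
        if len(cells) == 3 and cells[0] != "user":  # drop the header row
            rows.append(dict(zip(("user", "plugin", "auth"), cells)))
    return rows

# Assumption: a short list of trivial passwords worth ruling out after an upgrade.
TRIVIAL = ("root", "password", "mysql")

def audit(text, expected_root_plugin="auth_socket"):
    """Return (user, problem) pairs for root plugin drift and trivial native passwords."""
    findings = []
    for row in parse_user_table(text):
        if row["user"] == "root" and row["plugin"] != expected_root_plugin:
            findings.append(("root", "plugin is %s, expected %s"
                             % (row["plugin"], expected_root_plugin)))
        if row["plugin"] != "mysql_native_password":
            continue  # auth_socket accounts carry no password hash to test
        if row["auth"] == "":
            findings.append((row["user"], "empty password"))
        for guess in (row["user"],) + TRIVIAL:  # the account's own name first
            if native_hash(guess) == row["auth"]:
                findings.append((row["user"], "password is %r" % guess))
                break
    return findings

def sample(plugin, auth):
    """Constructed two-row table in the layout shown in the thread."""
    return ("| user | plugin | authentication_string |\n"
            "| root | %s | %s |\n"
            "| mysql.sys | mysql_native_password | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |\n"
            % (plugin, auth))

if __name__ == "__main__":
    print(audit(sample("auth_socket", "")))  # state before the upgrade
    print(audit(sample("mysql_native_password", native_hash("root"))))  # state the reporter describes
```

Running the same query before and after `apt upgrade` and feeding both outputs to `audit` shows whether the root account's plugin or hash changed across the package upgrade.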