mysql_secure_installation/mysqladmin cannot set password when auth_socket is enabled

Bug #1610574 reported by Daniel Barrett
This bug affects 3 people
Affects             Status    Importance  Assigned to  Milestone
MySQL Server        Unknown   Unknown
mysql-5.7 (Ubuntu)  Triaged   Low         Unassigned

Bug Description

If MySQL 5.7 is installed with an empty password, UNIX socket authentication will be enabled for the root user. If the user then tries to set a root password using mysql_secure_installation or mysqladmin, the command will appear to succeed, but the user will still only allow access through socket authentication. This is a bug in mysqladmin/mysql_secure_installation.

Upstream bug: http://bugs.mysql.com/bug.php?id=81965

To reproduce:

1. sudo apt-get install mysql-server (noninteractive or enter empty password)
2. sudo mysqladmin -uroot password 'mypass' (seems to succeed)
3. mysql -uroot -pmypass (access denied)

Workarounds:

a) Set plugin after installation:
The user needs to manually set the auth plugin back to password with an SQL statement:
1. Log in with sudo mysql
2. run «ALTER USER 'root'@'localhost' IDENTIFIED WITH 'mysql_native_password' BY 'mypass';»

Or from command line:
sudo mysql -e "ALTER USER 'root'@'localhost' IDENTIFIED WITH 'mysql_native_password' BY 'mypass';"

b) Set password before installation:
It's possible to script the answer to the root password query using debconf-set-selections as shown below
1. debconf-set-selections <<EOT
mysql-server-5.7 mysql-server/root_password password mypass
mysql-server-5.7 mysql-server/root_password_again password mypass
EOT
2. apt-get install mysql-server
---
Other people have encountered the same problem:
http://askubuntu.com/questions/766334/cant-login-as-mysql-user-root-from-normal-user-account-in-ubuntu-16-04

Tags: bionic
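
A check for the state this report describes, added here as an example (not part of the bug report or of MySQL's tooling): it reads the `user`, `host` and `plugin` columns of `mysql.user` and reports whether a password login can work for an account. The function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input rows have the format printed by:
#   sudo mysql -N -B -e "SELECT user, host, plugin FROM mysql.user"
# i.e. user<TAB>host<TAB>plugin, one account per line.

TAB=$(printf '\t')

# plugin_of USER HOST: print the auth plugin of that account (rows on stdin).
# Exit status 1 if the account is not listed.
plugin_of() {
    want_user=$1 want_host=$2
    while IFS=$TAB read -r user host plugin; do
        if [ "$user" = "$want_user" ] && [ "$host" = "$want_host" ]; then
            printf '%s\n' "$plugin"
            return 0
        fi
    done
    return 1
}

# password_login_state USER HOST: print one of
#   password     account uses mysql_native_password, so a -p login can work
#   socket-only  account uses auth_socket; a password set with mysqladmin
#                or mysql_secure_installation is not used for login
#   other:<p>    some other plugin
#   missing      no such account in the rows
password_login_state() {
    plugin=$(plugin_of "$1" "$2") || { echo missing; return 0; }
    case $plugin in
        mysql_native_password) echo password ;;
        auth_socket)           echo socket-only ;;
        *)                     echo "other:$plugin" ;;
    esac
}

# Constructed sample rows: a fresh install with an empty root password ...
rows_before() {
    printf 'root\tlocalhost\tauth_socket\n'
    printf 'mysql.sys\tlocalhost\tmysql_native_password\n'
}
# ... and the same server after workaround (a) from the description.
rows_after() {
    printf 'root\tlocalhost\tmysql_native_password\n'
    printf 'mysql.sys\tlocalhost\tmysql_native_password\n'
}

rows_before | password_login_state root localhost
rows_after  | password_login_state root localhost
```

Running the check right after a scripted password change catches the case where the command reported success but the account is still socket-only.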
Robie Basak (racb)
Changed in mysql-5.7 (Ubuntu):
importance: Undecided → High
Daniel Barrett (dbarrett-m) wrote :

FYI, if you have any difficulty reproducing this issue, I actually installed the mysql-server package using Puppet (version 3.8.5), not manually with apt-get. The puppet manifest file contains simply:

package { 'mysql-server':
   ensure => 'installed',
}

To run it, simply place the above lines into a file (say) "build.pp" and run this puppet command:

$ sudo puppet apply build.pp

I suspect this may be relevant.

description: updated
Lars Tangvald (lars-tangvald) wrote :

This is related to a bug in mysqladmin failing to properly set the password for an account with auth_socket enabled: http://bugs.mysql.com/bug.php?id=81965 (I'm not sure if secure_installation uses mysqladmin or if it's just the same logic).

When installing the package with an empty root password, the root user will have unix socket authentication enabled, so only the system root user can log in as root. To set a password, the auth plugin must also be reset to mysql_native_password, i.e. with «ALTER USER 'root'@'localhost' IDENTIFIED WITH 'mysql_native_password' BY 'passphrase';»

After running secure_installation, can you still log in with «sudo mysql» with no password or user specified?

Also note that mysql_secure_installation is largely redundant for a fresh 5.7 installation; the only feature 5.7 doesn't set by default is the password validation plugin.

Daniel Barrett (dbarrett-m) wrote :

>After running secure_installation, can you still log in with «sudo
>mysql» with no password or user specified?

I succeeded with "sudo mysql -u root". I did not try it with no user specified.

Lars Tangvald (lars-tangvald) wrote :

If you don't specify the user it'll just use the username you run the command as (so root, with sudo).

As noted you should be able to work around the bug with ALTER USER, i.e. running:
sudo mysql -e "ALTER USER 'root'@'localhost' IDENTIFIED WITH 'mysql_native_password' BY 'passphrase';"
on the command line

summary: - mysql_secure_installation locks out root database user
+ mysql_secure_installation/mysqladmin cannot set password when
+ auth_socket is enabled
description: updated
description: updated
Changed in mysql-5.7 (Ubuntu):
status: New → Confirmed
Robie Basak (racb) wrote :

This bug is tracked upstream. Importance: Low for Ubuntu - we'll fix when upstream does.

Changed in mysql-5.7 (Ubuntu):
importance: High → Low
status: Confirmed → Triaged
Colin Law (colin-law)
tags: added: bionic
Colin Law (colin-law) wrote :

For Ubuntu 18.04 the default installation of mysql-server has socket authentication enabled (if I understand correctly) so it is not possible to set the root pwd using mysql_secure_installation. This is most unfortunate as there is a great deal of apparently authoritative documentation out there that says this is the way to do it. For example
https://dev.mysql.com/doc/refman/5.7/en/mysql-secure-installation.html
In addition there are very few references to the fact that instead one has to use the workaround in the bug description.

Christian Ehrhardt (paelzer) wrote :

After all this time the upstream case isn't resolved yet.
@Lars - is there something we/you could do to get back some traction on it - actually is it even reasonable in 2022 and mysql-8.0 times?

Because without that there is not much we can do for Ubuntu and I'm afraid that bug will just stay open forever which isn't helpful either :-/
