Bug #48031 mysql_secure_installation -- bash bug regarding passwords with special chars
Submitted: 14 Oct 2009 0:33 Modified: 12 Mar 2010 15:43
Reporter: C Anthony Risinger Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Installing Severity:S3 (Non-critical)
Version:5.0, 5.1 OS:Any
Assigned to: Timothy Smith CPU Architecture:Any
Tags: install, mysql_secure_installation
Triage: Triaged: D3 (Medium)

[14 Oct 2009 0:33] C Anthony Risinger
Description:
i ran:

/usr/bin/mysql_secure_installation

just after installing, and set a password with a $ sign and a # sign.  after updating the script failed with an auth error:

Set root password? [Y/n] y
New password:             
Re-enter new password:    
Password updated successfully!
Reloading privilege tables..  
 ... Success!                 

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for    
them.  This is intended only for testing, and to make the installation 
go a bit smoother.  You should remove them before moving into a        
production environment.                                                

Remove anonymous users? [Y/n] y
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
 ... Failed!

How to repeat:
1) run /usr/bin/mysql_secure_installation
2) set a root password with a $ or # (it was probably the $ that did it)
3) try to continue

Suggested fix:
in /usr/bin/mysql_secure_installation, change line 50 from:

    echo "password=$rootpass" >>$config

to:

    echo "password='$rootpass'" >>$config

just adding single quotes around $rootpass fixed this issue for me
[14 Oct 2009 3:27] Valeriy Kravchuk
Thank you for the problem report and fix suggested,
[30 Oct 2009 22:16] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/88817

2834 Timothy Smith	2009-10-30
      Bug#48031: mysql_secure_installation -- bash bug regarding passwords with
      special chars
      
      This script failed when the user tried passwords with multiple spaces, \, # or
      ' characters.  Now proper escaping and quoting is used in all contexts.
[30 Oct 2009 23:31] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/88819

2835 Timothy Smith	2009-10-30
      Bug#48031: mysql_secure_installation -- bash bug regarding passwords with
      special chars
      
      Fix the escaping / quoting problem in the Perl version of this script, too.
      The Perl version is packaged with the Windows binaries and suffered from
      most of the same problems as the sh version.
[30 Oct 2009 23:35] Timothy Smith
Both of the previous two commits are relevant here; one fixes the Bourne shell script, the second fixes the Perl script.
[2 Nov 2009 9:19] Bjørn Munch
OK, perhaps you should explain exactly what basic_single_escape does, esp. the sh version is a bit cryptic. :-)

Also, what's that commented-out sed line appearing twice?
[3 Nov 2009 10:14] Joerg Bruehe
I don't yet understand the shell version of "basic_single_escape".
To me, the square brackets for the character class look unbalanced,
and the nesting of single and double quotes seems not to fit into a character class.

The Perl version looks correct;
using a character class with a single element (the escaped single quote) might be overkill but allows future expansion should it be needed.
[3 Nov 2009 10:22] Bjørn Munch
Comment to last comment: that character class actually consists of backslash and single quote, the quote is not escaped in this context.
[3 Nov 2009 20:53] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/89222

2836 Timothy Smith	2009-11-03
      Bug#48031: mysql_secure_installation -- bash bug regarding passwords with
        special chars
      
      This script failed when the user tried passwords with multiple spaces, \, # or
      ' characters.  Now proper escaping and quoting is used in all contexts.
      
      This problem occurs in the Perl version of this script, too, so fix it in both
      places.
[3 Nov 2009 21:05] Bjørn Munch
I'm OK with this now.
[4 Nov 2009 9:29] Joerg Bruehe
The comments are very helpful - approved.
[2 Dec 2009 8:00] Bugs System
Pushed into 5.0.89 (revid:joro@sun.com-20091202075830-mzl79q7mc1v72pf1) (version source revid:timothy.smith@sun.com-20091104210831-snletv3dgukwjq64) (merge vers: 5.0.88) (pib:13)
[2 Dec 2009 8:03] Bugs System
Pushed into 5.1.42 (revid:joro@sun.com-20091202080033-mndu4sxwx19lz2zs) (version source revid:kristofer.pettersson@sun.com-20091109223504-xvwgsdqiyuve6frt) (merge vers: 5.1.41) (pib:13)
[2 Dec 2009 14:37] MC Brown
A note has been added to the 5.0.89 and 5.1.42 changelog:

When running mysql_secure_installation, the command would fail if the root password contained multiple spaces, \, # or quote characters.
[16 Dec 2009 8:40] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20091216083311-xorsasf5kopjxshf) (version source revid:alik@sun.com-20091214191830-wznm8245ku8xo702) (merge vers: 6.0.14-alpha) (pib:14)
[16 Dec 2009 8:47] Bugs System
Pushed into 5.5.0-beta (revid:alik@sun.com-20091216082430-s0gtzibcgkv4pqul) (version source revid:alexey.kopytov@sun.com-20091124081906-6pqi7e7sajimog71) (merge vers: 5.5.0-beta) (pib:14)
[16 Dec 2009 8:54] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20091216083231-rp8ecpnvkkbhtb27) (version source revid:alik@sun.com-20091212203859-fx4rx5uab47wwuzd) (merge vers: 5.6.0-beta) (pib:14)
[17 Dec 2009 10:53] MC Brown
Changelog entries added to the 5.5.1 and 6.0.14
[23 Dec 2009 10:05] Sveta Smirnova
Probably duplicate bug #49848
[12 Mar 2010 14:16] Bugs System
Pushed into 5.1.44-ndb-7.0.14 (revid:jonas@mysql.com-20100312135944-t0z8s1da2orvl66x) (version source revid:jonas@mysql.com-20100312115609-woou0te4a6s4ae9y) (merge vers: 5.1.44-ndb-7.0.14) (pib:16)
[12 Mar 2010 14:32] Bugs System
Pushed into 5.1.44-ndb-6.2.19 (revid:jonas@mysql.com-20100312134846-tuqhd9w3tv4xgl3d) (version source revid:jonas@mysql.com-20100312060623-mx6407w2vx76h3by) (merge vers: 5.1.44-ndb-6.2.19) (pib:16)
[12 Mar 2010 14:46] MC Brown
No changelog entry required (already noted in earlier changelog)
[12 Mar 2010 14:48] Bugs System
Pushed into 5.1.44-ndb-6.3.33 (revid:jonas@mysql.com-20100312135724-xcw8vw2lu3mijrhn) (version source revid:jonas@mysql.com-20100312103652-snkltsd197l7q2yg) (merge vers: 5.1.44-ndb-6.3.33) (pib:16)
[12 Mar 2010 15:43] MC Brown
No changelog entry needed.