Description:
The systemd service of package mysql-community-server in version 5.7.17-1debian8 invokes a sanity check before starting the real mysqld instance including configuration of /etc/mysql.
This sanity check does not work when datadir differs from default!
Here my issue:
I was reinitializing an already configured mysqld under debian jessie.
The datadir differs to default. Mysqld was started and initialized the datadir correctly at first boot. At second boot this code dropped my root password and set auth_socket as authentication plugin which is not allowed by policy inside the environment infrastructure here:
/usr/share/mysql/mysql-systemd-start:
if [ ! "$(ls -A ${MYSQLDATA}/mysql)" ];
then
SQL=$(mktemp -u ${MYSQLFILES}/XXXXXXXXXX)
install /dev/null -m0600 -omysql -gmysql "${SQL}"
cat << EOF > ${SQL}
USE mysql;
INSTALL PLUGIN auth_socket SONAME 'auth_socket.so';
ALTER USER 'root'@'localhost' IDENTIFIED WITH 'auth_socket';
SHUTDOWN;
EOF
While another systemd service script written and delivered inside the same debian package fulfills the same approach without hardcoding:
-- /etc/init.d/mysql --
MYSQLDATA=$(get_mysql_option mysqld datadir "/var/lib/mysql")
This bug is misslieading and security relevant. Also this bug is destroying reboot safity.
dpkg -l |grep mysql |grep ^ii
ii libdbd-mysql-perl 4.028-2+deb8u2 amd64 Perl5 database interface to the MySQL database
ii libmysqlclient18:amd64 5.5.53-0+deb8u1 amd64 MySQL database client library
ii mysql-client 5.7.17-1debian8 amd64 MySQL Client meta package depending on latest version
ii mysql-common 5.7.17-1debian8 amd64 MySQL Common
ii mysql-community-client 5.7.17-1debian8 amd64 MySQL Client
ii mysql-community-server 5.7.17-1debian8 amd64 MySQL Server
ii php5-mysql 5.6.29+dfsg-0+deb8u1 amd64 MySQL module for php5
How to repeat:
1. Provided you got a running mysql installation of debian jessie using packages from mysql repository (http://repo.mysql.com/apt/debian jessie) and you want to move the datadir into a special location (i guess this is easier to reproduce then my scenario):
2. shutdown mysql:
sudo systemctl stop mysql
3. create a new datadir:
install -o mysql -g mysql -d /var/lib/mysql/data
4. configure mysql to use new datadir:
sudo vim /etc/mysql/mysql.conf.d/mysqld.cnf
-datadir = /var/lib/mysql
+datadir = /var/lib/mysql/data
5. mv your data to the new directory
mv /var/lib/mysql/{mysql,YourDataBasses,..} /var/lib/mysql/data
6. restart mysqld and see the error log
sudo systemctl start mysql && sudo tail -f /var/log/mysql/error.log
You will see that mysql provides an non default socket which you can use to connect, but your root password was deleted!
Suggested fix:
use something like this inside the bash code of /usr/share/mysql/mysql-systemd-start:
MYSQLDATA=$(get_mysql_option mysqld datadir "/var/lib/mysql")
Description: The systemd service of package mysql-community-server in version 5.7.17-1debian8 invokes a sanity check before starting the real mysqld instance including configuration of /etc/mysql. This sanity check does not work when datadir differs from default! Here my issue: I was reinitializing an already configured mysqld under debian jessie. The datadir differs to default. Mysqld was started and initialized the datadir correctly at first boot. At second boot this code dropped my root password and set auth_socket as authentication plugin which is not allowed by policy inside the environment infrastructure here: /usr/share/mysql/mysql-systemd-start: if [ ! "$(ls -A ${MYSQLDATA}/mysql)" ]; then SQL=$(mktemp -u ${MYSQLFILES}/XXXXXXXXXX) install /dev/null -m0600 -omysql -gmysql "${SQL}" cat << EOF > ${SQL} USE mysql; INSTALL PLUGIN auth_socket SONAME 'auth_socket.so'; ALTER USER 'root'@'localhost' IDENTIFIED WITH 'auth_socket'; SHUTDOWN; EOF While another systemd service script written and delivered inside the same debian package fulfills the same approach without hardcoding: -- /etc/init.d/mysql -- MYSQLDATA=$(get_mysql_option mysqld datadir "/var/lib/mysql") This bug is misslieading and security relevant. Also this bug is destroying reboot safity. dpkg -l |grep mysql |grep ^ii ii libdbd-mysql-perl 4.028-2+deb8u2 amd64 Perl5 database interface to the MySQL database ii libmysqlclient18:amd64 5.5.53-0+deb8u1 amd64 MySQL database client library ii mysql-client 5.7.17-1debian8 amd64 MySQL Client meta package depending on latest version ii mysql-common 5.7.17-1debian8 amd64 MySQL Common ii mysql-community-client 5.7.17-1debian8 amd64 MySQL Client ii mysql-community-server 5.7.17-1debian8 amd64 MySQL Server ii php5-mysql 5.6.29+dfsg-0+deb8u1 amd64 MySQL module for php5 How to repeat: 1. Provided you got a running mysql installation of debian jessie using packages from mysql repository (http://repo.mysql.com/apt/debian jessie) and you want to move the datadir into a special location (i guess this is easier to reproduce then my scenario): 2. shutdown mysql: sudo systemctl stop mysql 3. create a new datadir: install -o mysql -g mysql -d /var/lib/mysql/data 4. configure mysql to use new datadir: sudo vim /etc/mysql/mysql.conf.d/mysqld.cnf -datadir = /var/lib/mysql +datadir = /var/lib/mysql/data 5. mv your data to the new directory mv /var/lib/mysql/{mysql,YourDataBasses,..} /var/lib/mysql/data 6. restart mysqld and see the error log sudo systemctl start mysql && sudo tail -f /var/log/mysql/error.log You will see that mysql provides an non default socket which you can use to connect, but your root password was deleted! Suggested fix: use something like this inside the bash code of /usr/share/mysql/mysql-systemd-start: MYSQLDATA=$(get_mysql_option mysqld datadir "/var/lib/mysql")