Bug #91270 mysql_secure_installation should not find password in ~/.mysql_secret any longer
Submitted: 15 Jun 2018 2:29 Modified: 21 Dec 2018 0:37
Reporter: Mikiya Okuno Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Command-line Clients Severity:S3 (Non-critical)
Version:8.0.11 OS:Any
Assigned to: CPU Architecture:Any

[15 Jun 2018 2:29] Mikiya Okuno
Description:
mysql_secure_installation command attempts to read password from ~/.mysql_secret. This file is generated by mysql_install_db command on MySQL 5.6 and MySQL 5.7 only. As of MySQL 8.0 series, mysql_install_db is removed. So, the file is not created any longer.

How to repeat:
Run mysql_secure_installation without specifying login credentials.

Suggested fix:
diff --git a/client/mysql.cc b/client/mysql.cc                                                                                                                                                                    
index 55fed58861a..d9f384cfcc3 100644                                                                                                                                                                             
--- a/client/mysql.cc                                                                                                                                                                                             
+++ b/client/mysql.cc
@@ -1936,8 +1936,8 @@ static void usage(int version)
       break;
     }
   }
+  print_defaults(MYSQL_CONFIG_NAME, load_default_groups);
   my_print_help(my_long_options);
-  print_defaults("my", load_default_groups);
   my_print_variables(my_long_options);
 }
 
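Review bot: The `usage()` change in this hunk is unrelated to the `.mysql_secret` removal the report describes and would be easier to review and revert as a separate patch. Besides replacing the literal `"my"` with `MYSQL_CONFIG_NAME`, it moves `print_defaults()` ahead of `my_print_help()`, so the order of the `--help` output changes. If the reordering is intended, say so in the description; otherwise leave the call after `my_print_help(my_long_options);` and change only its argument, `print_defaults(MYSQL_CONFIG_NAME, load_default_groups);`. The body of `usage()` starts outside the hunk.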
diff --git a/client/mysql_secure_installation.cc b/client/mysql_secure_installation.cc
index f265323f5ae..8ba89991ff8 100644
--- a/client/mysql_secure_installation.cc
+++ b/client/mysql_secure_installation.cc
@@ -84,8 +84,6 @@ static struct my_option my_connection_options[]=
   {0, 0, 0, 0, 0, 0, GET_NO_ARG, NO_ARG, 0, 0, 0, 0, 0, 0}
 };
 
-my_bool find_temporary_password(char **p);
-
 static void print_version(void)
 {
   fprintf(stdout, "%s Ver %s, for %s on %s\n", my_progname,
@@ -604,24 +602,12 @@ int get_opt_user_password()
     {
       /*
         No password is provided and we cannot connect with a blank password.
-        Assume there is an ongoing deployment running and attempt to locate
-        the temporary password file.
       */
-      char *temp_pass;
-      if (find_temporary_password(&temp_pass) == TRUE)
-      {
-        my_free(password);
-        password= temp_pass;
-        using_temporary_password= TRUE;
-      }
-      else
-      {
-        char prompt[128];
-        my_snprintf(prompt, sizeof(prompt) - 1,
-                    "Enter password for user %s: ", opt_user);
-        // Request password from user
-        password= get_tty_password(prompt);
-      }
+      char prompt[128];
+      my_snprintf(prompt, sizeof(prompt) - 1,
+                  "Enter password for user %s: ", opt_user);
+      // Request password from user
+      password= get_tty_password(prompt);
     }
     init_connection_options(&mysql);
   } // if !password_provided
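Review bot: With the `find_temporary_password()` branch gone, nothing in this hunk sets `using_temporary_password` any more, so if the flag is still declared and tested elsewhere in the file (not visible here) it is now dead state and should be removed in the same patch. The removed branch called `my_free(password)` before replacing the pointer, which suggests `password` can hold an allocation at this point. The surviving path overwrites it without freeing, so consider adding `my_free(password);` ahead of `password= get_tty_password(prompt);`. `get_opt_user_password()` begins and ends outside the hunk.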
@@ -838,71 +824,6 @@ void reload_privilege_tables()
 }
 
 
-/**
-  Attempt to retrieve a password from the temporary password file
-  '.mysql_secret'.
- @param p[out] A pointer to a password in a newly allocated buffer or null
- @returns true if the password was successfully retrieved.
-*/
-
-my_bool find_temporary_password(char **p)
-{
-  const char *root_path= "/root";
-  const char *password_file_name= "/.mysql_secret";
-  *p= NULL;
-  const char *home= getenv("HOME");
-  if (home == NULL)
-    home= root_path;
-
-  size_t home_len= strlen(home);
-  size_t path_len= home_len + strlen(password_file_name)+1;
-  char *path= (char *)malloc(path_len);
-  memset(path, 0, path_len);
-  
-  strcat(path, home);
-  strcat(path, password_file_name);
-  FILE *fp= fopen(path, "r");
-  if (fp == NULL)
-  {
-    free(path);
-    return FALSE;
-  }
-
-  /*
-    The format of the password file is
-    ['#'][bytes]['\n']['password bytes']['\n']|[EOF])
-  */
-  char header[256];
-  char password[64];
-  size_t password_len=0;
-  /* Read header and skip it */
-  if (fgets(&header[0], sizeof(header), fp) == NULL || header[0] != '#')
-    goto error;
-
-  /* Read password */
-  if (fgets(&password[0], sizeof(password), fp) == NULL)
-    goto error;
-
-  /* Remove terminating newline character if it exists */
-  password_len= strlen(&password[0]);
-  if (password[password_len - 1] == '\n')
-    password[password_len - 1] = '\0';
-
-  *p= my_strdup(PSI_NOT_INSTRUMENTED,
-               &password[0], MYF(MY_FAE));
-  fprintf(stdout, "Connecting to MySQL server using password in '%s'\n",path);
-  
-  free(path);
-  return TRUE;
-
-  error:
-    fprintf(stdout, "The password file '%s' is corrupt! Skipping.\n", path);
-    if (path)
-      free(path);
-    return FALSE;
-}
-
-
 int main(int argc,char *argv[])
 {
   int reply;
[21 Dec 2018 0:37] Paul DuBois
Posted by developer:
 
Fixed in 8.0.15.

mysql_secure_installation no longer attempts to read a password from
the .mysql_secret file. This file was created by mysql_install_db, a
program that has been removed.