Description:
This is an excerpt from the online documentation for 'mysql_config_editor' (https://dev.mysql.com/doc/refman/8.0/en/mysql-config-editor.html):
"The login path file must be readable and writable to the current user, and inaccessible to other users. Otherwise, mysql_config_editor ignores it, and client programs do not use it, either."
How to repeat:
I conducted the following test on Ubuntu 16.04 LTS running MySQL Ver 14.14 Distrib 5.7.24.
The outcome was in accordance with the excerpt above.
1. Created a 'mylogin.cnf' file: mysql_config_editor set --user=foobar --password
2. Ran a backup: mysqldump --all-databases -r dump.txt
The backup ran OK.
3. Obtained the permissions of mylogin.cnf: stat -c '%A %a %n' .mylogin.cnf
-rw------- 600 .mylogin.cnf
4. Changed the file permissions as follows: chmod 750 .mylogin.cnf
5. Obtained the permissions of mylogin.cnf: stat -c '%A %a %n' .mylogin.cnf
-rwxr-x--- 750 .mylogin.cnf
6. Ran a backup: mysqldump --all-databases -r dump.txt
Resulted in the following error (the expected behaviour):
mysqldump: [Warning] /home/thecliguy/.mylogin.cnf should be readable/writable only by current user.
mysqldump: Got error: 1045: Access denied for user 'thecliguy'@'localhost' (using password: NO) when trying to connect
I then conducted equivalent tests on Windows 10 Professional Version 1803 Build 10.0.17134.523.
I started by testing MySQL Ver 14.14 Distrib 5.7.25 and then repeated the tests on MySQL Ver 8.0.13.
1. Created a non-admin Windows account: net user user1 * /add
2. Logged on to Windows as 'user1'.
3. Created a 'mylogin.cnf' file: mysql_config_editor set --user=foobar --password
4. Ran a backup: mysqldump --all-databases -r C:\bitbucket\dump.txt
The backup ran OK.
5. Obtained the permissions of mylogin.cnf using: icacls C:\Users\user1\AppData\Roaming\MySQL\.mylogin.cnf
The permissions are just the defaults inherited from 'C:\Users\user1'.
Type Principal Access Inherited from
---- --------- ------ --------------
Allow SYSTEM Full control C:\Users\user1
Allow Administrators Full control C:\Users\user1
Allow user1 Full control C:\Users\user1
6. Changed the file permissions by granting everyone full access of 'C:\Users\user1':
icacls "C:\Users\user1" /grant everyone:(OI)(CI)(F)
7. Obtained the permissions of mylogin.cnf: icacls C:\Users\user1\AppData\Roaming\MySQL\.mylogin.cnf:
Type Principal Access Inherited from
---- --------- ------ --------------
Allow Everyone Full control C:\Users\user1
Allow SYSTEM Full control C:\Users\user1
Allow Administrators Full control C:\Users\user1
Allow user1 Full control C:\Users\user1
8. Ran a backup: mysqldump --all-databases -r c:\bitbucket\dump.txt
The backup worked fine despite granting All Users full control.
Suggested fix:
As demonstrated, the excerpt from the documentation regarding file permissions on '.mylogin.cnf' is not being enforced on Windows. I appreciate that permissions are implemented very differently in Windows and *nix, but the documentation does not state that it applies only to *nix.
Therefore either the equivalent standards should be adhered to on Windows or the documentation should be revised stating that it is only applicable to *nix.
Any feedback welcome.