Bug #9411 Support for Unix socket authentication (SO_PASSCRED / SCM_CREDENTIALS)
Submitted: 26 Mar 2005 14:29 Modified: 3 Feb 2012 11:19
Reporter: Ilya Konstantinov Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: C API (client library) Severity:S4 (Feature request)
Version:4.1.17 OS:Linux (RHEL4)
Assigned to:
Triage: Triaged: D5 (Feature request)

[26 Mar 2005 14:29] Ilya Konstantinov
Description:
It would be very desirable to avoid passwords in automatic usages of mysql by defining which UIDs will be allowed access (instead of inventing a random password and hardcoding it into the client). Strong verification of UIDs and GIDs is only possible when the connection is performed over a unix socket, which is what usually happens on local connections anyway.

Retrieving the client's GID and UID is made possible using the SO_PASSCRED socket option. Read unix(7) for more info.

How to repeat:
Not relevant.
[26 Mar 2005 19:12] Sergei Golubchik
Added to TODO, thanks for the idea
[24 May 2007 13:49] Olaf van der Spek
Any ETA?
[5 Dec 2007 17:41] mykle hansen
This is a pressing need in mysql.

When we were recently hacked, we found that one of the first things the intruders did was search our codebase for passwords.  They found the mysql passwords, which are encoded in plain-text, and used them to gain further access elsewhere.

What if mysql allowed the administrator to create multiple socket files, and assign user identities to socket files?  Then the OS user authentication and file permission schemes can be used to grant or deny access to a given trusted socket file.

This is no more or less secure than storing a mysql password in a file, and then using the same OS schemes to protect that file.  The improvement is, it doesn't involve storing a password, and it's inherently restricted to the local CPU.
[5 Dec 2007 17:46] Ilya Konstantinov
mykle, note that Unix socket apps can determine the credentials of the caller so there's no need for multiple socket files.

In your case, though, it wouldn't have necessarily protected you. When the intruder has access to the codebase, they often have ability to run under the codebase's credentials as well (e.g. in the case of a web app exploited through a security hole in another web app).
[6 Dec 2007 16:53] Sergei Golubchik
noted in WL#1054
[3 Feb 2012 11:19] Paul Dubois
Noted in 5.5.10 changelog.
MySQL distributions now include auth_socket, a server-side
authentication plugin that authenticates clients that connect from
the local host through the Unix socket file. The plugin uses the
SO_PEERCRED socket option to obtain information about the user
running the client program (and thus can be built only on systems
that support this option). For a connection to succeed, the plugin
requires a match between the login name of the connecting client user
and the MySQL user name presented by the client program. For more
information, see
http://dev.mysql.com/doc/refman/5.5/en/socket-authentication-plugin.html