Bug #94739 Always allow root to log in via UNIX socket
Submitted: 21 Mar 16:53    Modified: 2 Apr 13:51
Reporter: Felipe Gasper (OCA)
Status: Unsupported
Category: MySQL Server    Severity: S4 (Feature request)
Version:    OS: Any
Assigned to:    CPU Architecture: Any

[21 Mar 16:53] Felipe Gasper
Description:
Given that the root user has full access across the server anyway, is there anything gained by requiring that root give a password when logging in via UNIX socket?

It would radically simplify, e.g., administrator account password resets if local access to the DB were always allowed for the system administrator, without need of a password. All of the “--init-file” messiness could just go away because anyone who can restart the server would be able to log in anyway.

How to repeat:
n/a - feature request

Suggested fix:
Apply enough of the logic from the auth_socket plugin to allow the system “root” user to log in without a password.
[21 Mar 20:21] Felipe Gasper
Addendum: message sent to David Stokes giving more context to this issue:

-----
	We met a couple years back in Toronto at LinuxCon. I’m one of the developers for cPanel, a popular web hosting automation platform.

	We’ve just noticed a longstanding problem with cPanel’s workflow for MySQL 5.7 installs; we hadn’t realized that the “mysqld --initialize” command creates a “dummy” password that is stored in the error log. Because of this we were doing a full reset of the password, with server restart, which can cause race safety problems with improvements we’ve recently made to our cPanel installation logic.

	It’s a bit awkward for us to work with this, as it necessitates parsing a log file to extract the password. We also don’t want to do “--initialize-insecure”, of course, and leave the entire DB wide open.

	I’ve opened an enhancement request that I think would radically simplify this situation: https://bugs.mysql.com/bug.php?id=94739

	The current procedure for resetting an admin password is a rather messy one. That all would go away under this setup: since mysqld knows (via getsockopt(2)) that the system “root” user is the one who’s connecting in the first place, mysqld can trust the login without a password. In effect, there would be no need for an administrator password over UNIX sockets. Thus, there would be no need for server restarts if /root/.my.cnf goes away for whatever reason.

	What would be a timeframe for when your team might give this idea some consideration? As an expedient to the process, would a patch be considered if I were to submit one?

	Thank you for your time!
-----
[21 Mar 20:26] Felipe Gasper
Further clarifications:

The idea is that the system administrator would be able to log in as any MySQL user. This wouldn’t depend on there being a “root” MySQL user: if the given username at “localhost” exists in mysql.user, and if getsockopt(2)/SO_PEERCRED indicates that the peer process’s user is the system administrator, then mysqld would forgo authentication.
[22 Mar 21:41] Felipe Gasper
Proof of concept, just barely verified and only functional on Linux:

https://github.com/FGasper/mysql-server/tree/root_can_always_log_in

On BSDs/MacOS getpeereid() could be useful.
[27 Mar 14:07] Sinisa Milivojevic
Hi,

If I have understood correctly, you are asking us to allow user `root` to log in without any password, if he logs on the machine that runs MySQL server.

If that is the case, then I am sorry, but we can not accommodate your feature request. Simply it goes against all the safety and security standards that are set in our industry. 

This feature request is not acceptable.
[27 Mar 14:42] Felipe Gasper
Hi Sinisa,

What safety and security standards are you referring to? D-Bus and systemd work the same way, and they’re active on practically any new Linux install.

The local system administrator is already omnipotent; MySQL’s requirement that the admin present local login credentials affords no security benefit at all since that user can just follow the password reset instructions on MySQL’s website.
[27 Mar 14:45] Sinisa Milivojevic
Hi,

I am referring, of course, to our own security standards, that are partially published in our Reference Manual.

Anyway, I have also contacted our team that deals with those matters and if there is any change in the policy, I will publish it here.
[27 Mar 14:49] Felipe Gasper
Hi Sinisa,

One question: How does my request violate the standards you reference while MySQL’s auth_socket plugin is in accordance with them?

It doesn’t seem I’m requesting anything that MySQL doesn’t already allow; I’m just asking for it to apply for the system admin without the plugin.
[27 Mar 15:02] Sinisa Milivojevic
Hi,

That is simple.

auth_socket plugin has to be loaded.

We are talking of the default behaviour.
[27 Mar 17:22] Felipe Gasper
OK, so your objection is merely to the idea that this be default behavior, not to the behavior itself. (Or else there would be security warnings in the auth_socket plugin’s documentation?)

So if the behavior were tied to a configuration option, e.g., local-admin-socket-authn, would the proposal be more acceptable?

For a bit more context: my team manages software that automates (among other things) MySQL installations. Our software is installed in quite a number of hosting operations worldwide. For 5.7+ we need either to parse out the expired password from the installation log or to follow the admin password reset instructions, which requires a server restart, which interacts suboptimally with other parts of our system. But parsing out the expired password from the log seems a decidedly brittle way to go, too.

It would be much cleaner and simpler if we could simply start MySQL with a configuration option that enables the behavior I propose: root ownership of the connecting end of the socket would fully constitute authentication.
[28 Mar 13:24] Sinisa Milivojevic
Hi,

Your request has been passed to the team which deals with this matter, so they will decide.

Regarding the option, it is out of question, because our users set wrong options quite frequently and then file the bugs.
[2 Apr 12:33] Sinisa Milivojevic
This is the conclusion of our Development team, which is in charge of this particular area:

Some of our binary packages are implementing this already, like the Debian package has "root" using unix socket when installed.

Ideally we'd have 1 "passwordless, OS authentication" plugin that will work on all platforms and do unix socket authentication on linux, windows native auth on windows etc. 
Then --initialize could set root to use that for sure. 
But it'd clash with cases where root would need to log in remotely. 

Right now the vision is: we keep mysqld using its own authentication by default as it works for everybody. And leave it to the distro specific packages to choose otherwise. 

This is the maximum possible based on the tools we have and the requirements not to break the backward compatibility and the transportability of the databases across OSes. 

That is currently our position.
[2 Apr 13:51] Felipe Gasper
Hello,

Thank you for your response. I hadn’t been aware that Debian already implements the behavior I propose. (My work is mostly with RPM-based Linux.)

If I may, though: what is it about default-OS-authn that clashes with cases where root needs to log in remotely? The authn configuration for “root@localhost” doesn’t bear on how “root@remotehost.tld” logs in, right? Whether root@localhost logs in via password or via OS-authn (or some other plugin), root@remotehost.tld still logs in with a password, and still is not configured out of the gate, right?

-FG
[2 Apr 13:55] Sinisa Milivojevic
It is simply a matter of consistency across all platforms that we support.

Hence, this feature request will not be implemented for a long time.