MDEV-12484 Enable unix socket authentication by default

Change the default authentication for root@localhost to IDENTIFIED VIA mysql_native_password USING 'invalid' OR unix_socket which provides secure passwordless login, while still allowing SET PASSWORD to work as expected. Also create a second all-privilege account for the user that owns datadir (and thus has full access to the data anyway). Compile unix_socket plugin statically into the server.
2025-07-27 18:02:13 +03:00 · 2019-02-05 16:07:07 +01:00
parent f07b76fcfd
commit b9f3f06857
9 changed files with 30 additions and 19 deletions
--- a/scripts/mysql_install_db.sh
+++ b/scripts/mysql_install_db.sh
@ -37,8 +37,8 @@ force=0
 in_rpm=0
 ip_only=0
 cross_bootstrap=0
-auth_root_authentication_method=normal
-auth_root_socket_user='root'
+auth_root_authentication_method=socket
+auth_root_socket_user=""
 skip_test_db=0

 usage()
@ -46,17 +46,17 @@ usage()
  cat <<EOF
 Usage: $0 [OPTIONS]
  --auth-root-authentication-method=normal|socket
-                       Chooses the authentication method for the created initial
-                       root user. The default is 'normal' to creates a root user
-                       that can login without password, which can be insecure.
-                       The alternative 'socket' allows only the system root user
-                       to login as MariaDB root; this requires the unix socket
-                       authentication plugin.
+                       Chooses the authentication method for the created
+                       initial root user. The historical behavior is 'normal'
+                       to creates a root user that can login without password,
+                       which can be insecure. The default behavior 'socket'
+                       sets an invalid root password but allows the system root
+                       user to login as MariaDB root without a password.
  --auth-root-socket-user=user
                       Used with --auth-root-authentication-method=socket. It
-                       specifies the name of the MariaDB root account, as well
-                       as of the system account allowed to access it. Defaults
-                       to 'root'.
+                       specifies the name of the second MariaDB root account,
+                       as well as of the system account allowed to access it.
+                       Defaults to the value of --user.
  --basedir=path       The path to the MariaDB installation directory.
  --builddir=path      If using --srcdir with out-of-directory builds, you
                       will need to set this to the location of the build
@ -505,6 +505,11 @@ cat_sql()
 {
  echo "use mysql;"

+  # Use $auth_root_socket_user if explicitly specified.
+  # Otherwise use the owner of datadir - ${user:-$USER}
+  # Use 'root' as a fallback
+  auth_root_socket_user=${auth_root_socket_user:-${user:-${USER:-root}}}
+
  case "$auth_root_authentication_method" in
    normal)
      echo "SET @auth_root_socket=NULL;"