Unexpected authentication with Mariadb

symcbean asked:

Having previously used MySQL quite extensively on Linux, I was fairly confident that getting MariaDB (10.0.31) setup on this Mint 18.1 (Ubuntu) box would be easy enough. And the installation was exactly that.

But oddly enough it now seems to know when I’m fibbing about who I am. Previously with MySQL on Redhat, Suse, PCLinixOS… I could log into mysqld which was configured with a blank password for root@localhost (i.e. using the AF_UNIX socket) by asserting I was root, but this didn’t work on my Mint/MariaDB:

 symcbean@animal ~ $ mysql -u root
 ERROR 1698 (28000): Access denied for user 'root'@'localhost'

But this does work if I ‘su’:

 symcbean@animal /etc $ su
 animal etc # mysql
 Welcome to the MariaDB monitor.  Commands end with ; or \g.
 Your MariaDB connection id is 47
 Server version: 10.0.31-MariaDB-0ubuntu0.16.04.2 Ubuntu 16.04

 Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

 Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

 MariaDB [(none)]> select current_user;
 | current_user   |
 | root@localhost |
 1 row in set (0.00 sec)

(same with mysql -u root, mysql -u root -h localhost).

My non-root user has permissions on the socket file:

 symcbean@animal ~ $ ls -l /var/run/mysqld/mysqld.sock 
 srwxrwxrwx 1 mysql mysql 0 Nov 29 20:46 /var/run/mysqld/mysqld.sock

My root user does not have a ~/my.conf or ~/.my.cnf to hold a password.

I don’t make a habit of running insecure systems – but I’m puzzled by this apparent change of behaviour. Does the server really validate the uid of the client?

My answer:

MariaDB on Ubuntu 15.10 and later automatically use UNIX socket authentication by default. The UID of the user who opens the local socket connection is used and can authenticate without a password. Only MariaDB builds on current versions of Debian and Ubuntu enable this by default.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.