I am looking at automating a couple things when installing MySQL to a new host using a Chef server. These include:
mysqladmin -u root password {password_here}
mysql_secure_installation
I've created a .mylogin.cnf file with two login-paths, admin (which is root user), and mysqluser (non root user).
My issues are that I can't get (or understand how) .mylogin.cnf to create the DB users and password; and I can't automate the mysql_secure_installation using --defaults-file=.mylogin.cnf (assuming that's how the --defaults-file works) even though it's not specifying a login-path. Initially I was running the mysql queries via command line to harden the service, but was told that mysql_secure_installation uses --no-defaults, and --defaults-file to automate this particular task, but haven't found much online about those arguments.
Can anyone point me in the right direction?
The option --defaults-file is NOT used for setting/changing options in whichever tool you are running. This file is only used for specifying connection options (ie: host, username, socket, etc). For mysql_secure_installation specifically, you might try --use-default which, according to the manual, is used for unattended execution. In MySQL 5.7, a random root password is generated and printed in the error log. Simply grep this file for that password in your Chef script, then connect to MySQL and run whatever commands you need to create new users, dbs, etc. FYI, the generated root password is expired so when you connect, you have to change it first before you can do anything else.
Related
I would like to connect to mysql database without interaction for the password (I need for using it during a batch script). I'm using this script, but before start the connection I must insert the password.
mysql -u username#databasename -p "Password" -h hostnamedatabase -P 3344
I have tried this other approach but I have no success
mysql -u username#databasename -pPassword -h hostnamedatabase -P 3344
Is there a way to enter the password directly without typing it in?
New answer
OP is on command line on a remote server (using SSH). From there, mysql needs to be used password-less - so to speak - to create user on INSTANCE1 and INSTANCE2.
That's doable also. You'd use --defaults-group-suffix switch.
~/.my.cnf
Let's start with creating a file called .my.cnf in your home directory (aka ~/.my.cnf). Put this in it.
[client1]
user=INSTANCE1-USERNAME
password=INSTANCE1-PASSWORD
database=INSTANCE1-DATABASE (this could be mysql)
host=INSTANCE1-HOSTNAME-OR-IP
[client2]
user=INSTANCE2-USERNAME
password=INSTANCE2-PASSWORD
database=INSTANCE2-DATABASE (this could be mysql)
host=INSTANCE2-HOSTNAME-OR-IP
Save the file. Do chmod 600 ~/.my.cnf to ensure only your username and root/root-like user can see it.
Now, type this to get to first server:
mysql --defaults-group-suffix=1
Then, use this to get to the second server:
mysql --defaults-group-suffix=2
Explanation
Typically ~/.my.cnf will have the following block
[client]
user=USERNAME
password=PASSWORD
database=DATABASE (this could be mysql)
host=localhost (or whatever hostname/IP)
That allows you to just type mysql and log on. MySQL looks for credentials, host, port etc. in ~/.my.cnf. If it gets that info, it'll use it to log in to MySQL. Cool. Easy enough.
--defaults-group-suffix=2 tells MySQL to look into ~/.my.cnf but not read the [client] block but instead read the [client2] block for credentials/information.
Similarly --defaults-group-suffix=1 tells MySQL to look into ~/.my.cnf and read the [client1] block for credentials/information.
That way, you can have credentials for multiple servers or databases within a single server and log on to MySQL without having to prompt/provide credentials through command line.
You can use this tool with scripts as long as the ~/.my.cnf file is in the username that is running those scripts.
Documentation
https://dev.mysql.com/doc/refman/8.0/en/option-file-options.html
https://dev.mysql.com/doc/refman/8.0/en/option-files.html#option-file-syntax
Another method using --login-path
See https://dev.mysql.com/doc/refman/8.0/en/mysql-config-editor.html. It shows you can log on to mysql using --login-path switch. Since the above method will work well for you, I am just adding this as a reference.
Old answer
You can actually do that. Assuming you are on Linux, create a .my.cnf file under your home directory. Type this in it:
[client]
user=username
password=yourpass
Then, you can do mysql -h host -P 3344 -D databasename
See documentation here: https://dev.mysql.com/doc/refman/8.0/en/option-files.html
Also make sure that this file is adequately protected (do chmod 600 ~/.my.cnf).
I have an application which invokes the mysql client to run various tasks. For various reasons, mysql is invoked as the user who runs the application (this is central to the security model and would also affect functionality if changed). Currently the mysql username and password is passed to the client program via the command line - obviously this is not a desirable state of affairs.
Over-writing the $HOME/my.cnf file is not an ideal solution - there may be multiple, concurrent tasks running against different (local and/or remote) databases. The access to the databases must be authenticated.
Is there a way to pass a custom my.cnf file (or other way to securely pass the username and password) to the mysql client without having to simulate an interactive login?
(supplying a my.cnf file using --defaults-file or --defaults-extra-file results in mysql: unknown variable 'username=my_db_user'
You have tested this ?
$ cat .my.cnf
[client]
user=root
password=rootpw
$ mysql --defaults-file=/Pathtomycnf/.my.cnf
MariaDB [(none)]> quit
Bye
I'm trying to login to my mysql user created by the MySQL installation in bash shell.
So the command I'm trying to do is:
sudo -i -u mysql
But, it does nothing (nothing printed out in the console, not connected to any user whatsoever, etc...).
EDIT: The return value of the command is 1 though.
Here is the mysql user line in the /etc/passwd file:
mysql:x:89:89::/var/lib/mysql:/bin/false
I'm running on ArchLinux 64bit and the user I'm trying to connect to is local (no connection to a remote server whatsoever).
I'm trying to understand why I can login with any other user (like postgres, root, ...) but not mysql.
Hope you can help!
This is intended behaviour. When you compare the /etc/passwd line with other lines you'll notice that the user mysql has /bin/false setup as the shell while others have usually /bin/sh or sth. similar.
When you sudo to mysql you actually get a login for about a millisecond or so and then his "shell" gets executed. /bin/false immediately returns with rc=1 (that's the only purpose of the false command).
This is some kind of "trick" to prevent users from logging in as user mysql although the account is otherwise fully operational.
The user mysql may even have a valid password and be enabled but due to his odd shell setting you cannot login as him. Sometimes these technical users have /usr/bin/passwd set as their shell. Then you can only sudo to that user and change his password, nothing else.
Unfortunately, I have removed super user privileges from postgres user in PostgreSQL. And currently I have not any super user in PostgreSQL. And i want to make superuser. So how can i make it ? Every time I am trying to make postgres to super user. I am facing this problem.
Error : must be superuser to alter superusers.
(assuming you have root access on Ubuntu machine)
To enter psql as super user you need to:
sudo -u postgres psql
as suggested in this SO post here
If there is no user called postgres you need to create it on system first, with:
sudo adduser newuser
Else, if you have problems with password not accepted or not created at all you can follow (Ubuntu 14.04 related) instructions here or for more on user accounts look here
For me helps:
sudo -u gleb psql postgres
where gleb is my mac system user
Adding to Craig Ringer's answer, here is the procedure for MacOS and Brew if you accidentally downgrade your only PostgreSQL user:
brew services stop postgresql
Wait a few seconds and/or check Activity Monitor to make sure "postgres" is no longer running.
/usr/local/Cellar/postgresql/10.4/bin/postgres --single -D /usr/local/var/postgres
backend> ALTER USER "yourname" with superuser; or whatever privilege you need to fix
CTRL-D
brew services start postgresql
You're going to have to stop the database system and start a stand-alone back-end, which always unconditionally runs as a superuser.
You can use this backend to ALTER the user you wish to give superuser rights to. Then shut the standalone backend down and start the database normally.
It is important that you completely stop the database server before entering single user mode. PostgreSQL single user mode will refuse to start if there's a postmaster, but to be sure you should make sure there are no PostgreSQL processes running on your system. Under (almost) no circumstances should you ever delete postmaster.pid - that's pretty much guaranteed to result in database corruption if there's still any PostgreSQL process accessing that data directory.
Exactly how to start a standalone back-end depends a bit on your OS/distro and how you installed PostgreSQL. You haven't included this info, so I can only really point you at the manual for the postgres back-end executable.
Make a backup first.
In the single-user mode, the session user will be set to the user with ID 1, and implicit superuser powers are granted to this user. This user does not actually have to exist, so the single-user mode can be used to manually recover from certain kinds of accidental damage to the system catalogs.
See the section Options for Single User mode and, toward the bottom, Usage. You'll want to run the postgres backend with --single, as the unix user that owns the database files, with the path to the datadir. On a typical Linux PostgreSQL install this might be something like:
sudo systemctl stop postgresql-9.3.service
sudo -u postgres /usr/pgsql-9.3/bin/postgres --single -D /var/lib/pgsql/9.3/data
Your datadir and postgres executable location are quite possibly different. The above is for a Fedora system running with PGDG PostgreSQL packages from http://yum.postgresql.org/ .
Assuming that your system user is 'ec2-user'
So try this to enter as superuser
psql -U ec2-user postgres
This will enter you as ec2-user as superuser using postgres db
Now, change postgres user roles to superuser
ALTER USER postgres WITH SUPERUSER;
Quit from above console and now you can open psql using postgres user as superuser
psql -U postgres
Note: I tested this on PostgreSQL 12.5
SELECT usename AS role_name,
CASE
WHEN usesuper AND usecreatedb THEN
CAST('superuser, create database' AS pg_catalog.text)
WHEN usesuper THEN
CAST('superuser' AS pg_catalog.text)
WHEN usecreatedb THEN
CAST('create database' AS pg_catalog.text)
ELSE
CAST('' AS pg_catalog.text)
END role_attributes
FROM pg_catalog.pg_user
ORDER BY role_name desc;
log with root_user then give superuser to postgres
I'm having some serious trouble with a freshly installed copy of mySQL server under Ubuntu 10.10. I installed with apt and supplied a password at that time. Installation went fine, but the server is behaving very strangely.
First, to test the database, I created a php file with
mysql_connect("localhost", "root", "myPassword") or die(mysql_error());
where myPassword is the one I entered when it asked, during installation. That gave me an access denied error. I tried to shell into the mySQL server to pursue a solution I read about. The normal syntax didn't work, and to get anything but "access denied", I had to do
mysql -u root password myPassword
However, instead of a mysql shell, it just spits out a list of parameters and variables. So at this point, I'm stumped; I haven't worked with mySQL through a command line in a couple of years, but none of this behavior is familiar, and I can't find a way to interact with the server.
Any help would be appreciated.
The mysql command-line parameter for supplying a password is -p, not password. You should also leave out spaces. For example:
mysql -uroot -pmyPassword
If you don't want to risk your password being exposed...
mysql -uroot -p
...will prompt you for your password and hide the characters as you type them.
If you have apparmor installed (this is default) it can cause problems when you go outside the narrowly-defined defaults set up by ubuntu.
The things that mysql is allowed to touch is defined here: /etc/apparmor.d/abstractions/mysql
If you've put your socket file elsewhere, you would get an access-denied message.
To look at things more closely, run your mysql client like so:
strace -e file mysql <blah blah>
This will print out any system-level file operations on stderr. You can then see exactly which operation is causing the permissions error. If you don't see an issue, you might use -e network instead, to see network operations.