I start the mysql :
mysqld_safe --user=_mysql
and I create a file which blongs to root:
-rw-r--r-- 1 root staff 0 12 4 19:40 a
and exec:
mysql> system rm /home/test/a
and the file was deleted。
has anyone kown how to make 'system' command unavailable when the mysql account which is specified by 'mysqld -u' are different to the account of system(file or others)
The system command in the mysql client command line program doesn't run commands on the MySQL server machine. (If it did, can you imagine how easy it would be for cybercriminals to pwn IT infrastructure?)
It runs them on the same machine upon which you are running mysql.
The mysql command ordinarily runs with the same user and set of permissions as the shell program that invoked it. So, anything users could do with mysql system they could also do in the shell used to run it.
Therefore, disabling the mysql system command is unnecessary and insufficient for tightening system security.
(Users without shells are another story. If you have those kinds of users, you probably should disable the system command.)
If you don't trust the user who must run the mysql client you'll need to grant them a limited environment. You can look up chroot for that.
Related
I am looking at automating a couple things when installing MySQL to a new host using a Chef server. These include:
mysqladmin -u root password {password_here}
mysql_secure_installation
I've created a .mylogin.cnf file with two login-paths, admin (which is root user), and mysqluser (non root user).
My issues are that I can't get (or understand how) .mylogin.cnf to create the DB users and password; and I can't automate the mysql_secure_installation using --defaults-file=.mylogin.cnf (assuming that's how the --defaults-file works) even though it's not specifying a login-path. Initially I was running the mysql queries via command line to harden the service, but was told that mysql_secure_installation uses --no-defaults, and --defaults-file to automate this particular task, but haven't found much online about those arguments.
Can anyone point me in the right direction?
The option --defaults-file is NOT used for setting/changing options in whichever tool you are running. This file is only used for specifying connection options (ie: host, username, socket, etc). For mysql_secure_installation specifically, you might try --use-default which, according to the manual, is used for unattended execution. In MySQL 5.7, a random root password is generated and printed in the error log. Simply grep this file for that password in your Chef script, then connect to MySQL and run whatever commands you need to create new users, dbs, etc. FYI, the generated root password is expired so when you connect, you have to change it first before you can do anything else.
After I upgraded MySQL 5.7 to MySQL 8.0, I started MySQL again and I got an error:The user specified as a definer ('mysql.infoschema'#'localhost') does not exist' when trying to dump tablespaces.
I don't understand why this problem occurs. And I want to know how to solve it
I had the same error when I accidentally downgraded my MySQL version from 8 to 5.7. At the first start the older version broke something so that version 8 was showing the error above.
In my case I had to enter the docker container where MySQL was running first
docker exec -it mysql bash
Then I basically followed the steps here
mysql -u root -p
mysql> SET GLOBAL innodb_fast_shutdown = 1;
mysql_upgrade -u root -p
This took some minutes but then everything was working again.
It may occur after some time after you set up your new system.
As a suggested solution, just try on Windows
1) open cmd.exe as Administrator
2) run mysql_upgrade.exe -uyour_user_name -pyour_password
mysql_upgrade.exe can be located at
C:\Program Files\MySQL\MySQL Server 8.0\bin
Then run the following to see if the infoschema user has appeared.
select user, host from mysql.user;
In my case, such error was caused by that I had changed the host of the dba user from % to localhost to strengthen the security.
I used "abcdba" with DDL right to create db schema, and used "abc" with CURD right for the Web service to use the DB. After the change, the read operations were OK but the write operations failed with the error message in the OP.
Flush privilege or restarting the server did not solve the problem. Then I changed to host of the dba user back to %. Then things have become normal again.
Apparently mysql does not like the changes of host of the dba user, and existing databases created by that dba user will have problem if the host of the dba user is changed.
Essentially, changing the host of the dba user is actually removing user abcdba#% and creating a new user abcdba#localhost. Here had come the error message, since abcdba#% and abcdba#localhost are 2 differently fully qualified usernames.
I have an application which invokes the mysql client to run various tasks. For various reasons, mysql is invoked as the user who runs the application (this is central to the security model and would also affect functionality if changed). Currently the mysql username and password is passed to the client program via the command line - obviously this is not a desirable state of affairs.
Over-writing the $HOME/my.cnf file is not an ideal solution - there may be multiple, concurrent tasks running against different (local and/or remote) databases. The access to the databases must be authenticated.
Is there a way to pass a custom my.cnf file (or other way to securely pass the username and password) to the mysql client without having to simulate an interactive login?
(supplying a my.cnf file using --defaults-file or --defaults-extra-file results in mysql: unknown variable 'username=my_db_user'
You have tested this ?
$ cat .my.cnf
[client]
user=root
password=rootpw
$ mysql --defaults-file=/Pathtomycnf/.my.cnf
MariaDB [(none)]> quit
Bye
I'm trying to login to my mysql user created by the MySQL installation in bash shell.
So the command I'm trying to do is:
sudo -i -u mysql
But, it does nothing (nothing printed out in the console, not connected to any user whatsoever, etc...).
EDIT: The return value of the command is 1 though.
Here is the mysql user line in the /etc/passwd file:
mysql:x:89:89::/var/lib/mysql:/bin/false
I'm running on ArchLinux 64bit and the user I'm trying to connect to is local (no connection to a remote server whatsoever).
I'm trying to understand why I can login with any other user (like postgres, root, ...) but not mysql.
Hope you can help!
This is intended behaviour. When you compare the /etc/passwd line with other lines you'll notice that the user mysql has /bin/false setup as the shell while others have usually /bin/sh or sth. similar.
When you sudo to mysql you actually get a login for about a millisecond or so and then his "shell" gets executed. /bin/false immediately returns with rc=1 (that's the only purpose of the false command).
This is some kind of "trick" to prevent users from logging in as user mysql although the account is otherwise fully operational.
The user mysql may even have a valid password and be enabled but due to his odd shell setting you cannot login as him. Sometimes these technical users have /usr/bin/passwd set as their shell. Then you can only sudo to that user and change his password, nothing else.
Unfortunately, I have removed super user privileges from postgres user in PostgreSQL. And currently I have not any super user in PostgreSQL. And i want to make superuser. So how can i make it ? Every time I am trying to make postgres to super user. I am facing this problem.
Error : must be superuser to alter superusers.
(assuming you have root access on Ubuntu machine)
To enter psql as super user you need to:
sudo -u postgres psql
as suggested in this SO post here
If there is no user called postgres you need to create it on system first, with:
sudo adduser newuser
Else, if you have problems with password not accepted or not created at all you can follow (Ubuntu 14.04 related) instructions here or for more on user accounts look here
For me helps:
sudo -u gleb psql postgres
where gleb is my mac system user
Adding to Craig Ringer's answer, here is the procedure for MacOS and Brew if you accidentally downgrade your only PostgreSQL user:
brew services stop postgresql
Wait a few seconds and/or check Activity Monitor to make sure "postgres" is no longer running.
/usr/local/Cellar/postgresql/10.4/bin/postgres --single -D /usr/local/var/postgres
backend> ALTER USER "yourname" with superuser; or whatever privilege you need to fix
CTRL-D
brew services start postgresql
You're going to have to stop the database system and start a stand-alone back-end, which always unconditionally runs as a superuser.
You can use this backend to ALTER the user you wish to give superuser rights to. Then shut the standalone backend down and start the database normally.
It is important that you completely stop the database server before entering single user mode. PostgreSQL single user mode will refuse to start if there's a postmaster, but to be sure you should make sure there are no PostgreSQL processes running on your system. Under (almost) no circumstances should you ever delete postmaster.pid - that's pretty much guaranteed to result in database corruption if there's still any PostgreSQL process accessing that data directory.
Exactly how to start a standalone back-end depends a bit on your OS/distro and how you installed PostgreSQL. You haven't included this info, so I can only really point you at the manual for the postgres back-end executable.
Make a backup first.
In the single-user mode, the session user will be set to the user with ID 1, and implicit superuser powers are granted to this user. This user does not actually have to exist, so the single-user mode can be used to manually recover from certain kinds of accidental damage to the system catalogs.
See the section Options for Single User mode and, toward the bottom, Usage. You'll want to run the postgres backend with --single, as the unix user that owns the database files, with the path to the datadir. On a typical Linux PostgreSQL install this might be something like:
sudo systemctl stop postgresql-9.3.service
sudo -u postgres /usr/pgsql-9.3/bin/postgres --single -D /var/lib/pgsql/9.3/data
Your datadir and postgres executable location are quite possibly different. The above is for a Fedora system running with PGDG PostgreSQL packages from http://yum.postgresql.org/ .
Assuming that your system user is 'ec2-user'
So try this to enter as superuser
psql -U ec2-user postgres
This will enter you as ec2-user as superuser using postgres db
Now, change postgres user roles to superuser
ALTER USER postgres WITH SUPERUSER;
Quit from above console and now you can open psql using postgres user as superuser
psql -U postgres
Note: I tested this on PostgreSQL 12.5
SELECT usename AS role_name,
CASE
WHEN usesuper AND usecreatedb THEN
CAST('superuser, create database' AS pg_catalog.text)
WHEN usesuper THEN
CAST('superuser' AS pg_catalog.text)
WHEN usecreatedb THEN
CAST('create database' AS pg_catalog.text)
ELSE
CAST('' AS pg_catalog.text)
END role_attributes
FROM pg_catalog.pg_user
ORDER BY role_name desc;
log with root_user then give superuser to postgres