MariaDB 10.4 implemented a lot of changes to how authentication is done. Much of this is invisible to most users, with the exception of root. The root@localhost account is now able to use socket authentication through the unix_socket plugin: the server reads the operating-system user of the process connecting over the Unix-domain socket and accepts the connection if that OS user name matches the MariaDB user name. It means that if you are logged in to a Linux system as root, you can log on to the MariaDB server as root without using a password. Note in the example below that the -p option (for “password”) is not used, yet the log on is successful.
[root@linuxputer ~]# mysql -u root
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 408
Server version: 10.11.9-MariaDB-log MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
And it’s not just that you don’t need to enter a password. Even if a password is provided, it is effectively ignored: socket authentication succeeds on its own, so the password is never what decides the outcome. In this example, a password – which is invalid – is provided, yet the log on is successful.
[root@linuxputer ~]# mysql -u root -p'wrong-password'
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 410
Server version: 10.11.9-MariaDB-log MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
And it’s not just from a root session that this works. Using sudo works as well, because sudo runs the mysql client process as root, which is the OS user the plugin sees.
[charles@linuxputer ~]$ sudo mysql -u root
[sudo] password for charles:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 412
Server version: 10.11.9-MariaDB-log MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
The reason MariaDB made this change is based on the simple fact that asking the Linux root user for a password provides no extra security. root has full access to all files (including the data directory) and to process memory anyway, so a root password only protects against an attacker who already has root. But not asking for a password (and ignoring a password when provided) means there is no root password to forget, no root password to leave in scripts or shell history, and no root password that must be discovered.
This only works for the Linux root user, because the plugin matches the OS user name to the MariaDB account name. Other Linux users trying to log on to the MariaDB server as root still need to use a password unless sudo is used. But by default, the root account is created with no usable password: its mysql_native_password entry is set to the literal string 'invalid', which no password can ever match. This forces authentication to be done through the socket (a root session or sudo) and ensures access to the MariaDB server as root is restricted to connections from the local system, since the account is root@localhost and unix_socket authentication is only possible over the local socket, never over TCP. Thus, unless a password is added, you can only log on to MariaDB as root from a root session or by using sudo.
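The following statements are an added example and are not part of the original post. They show how to inspect the root@localhost account that MariaDB 10.4 and later create, how to add a real password while keeping socket authentication, and how to give a local service its own socket-authenticated account. The account name appsvc, the database name app and the password placeholder are assumptions for the example; run them from an already-authenticated root session such as `sudo mysql`.

```sql
-- Added example, not from the original post. Assumes MariaDB 10.4 or later.

-- 1. See how root@localhost authenticates. On a default 10.4+ install the
--    output lists both unix_socket and mysql_native_password USING 'invalid'.
--    'invalid' is not a hash of any password, so password login is impossible
--    until a real password is set; only the socket path can succeed.
SHOW CREATE USER 'root'@'localhost';

-- The same information for every account. In 10.4+ mysql.user is a view
-- over mysql.global_priv, where the JSON priv column holds the real data.
SELECT user, host, plugin, authentication_string
  FROM mysql.user;

-- 2. Keep socket authentication for root and sudo sessions, but also allow a
--    real password (e.g. for a DBA connecting from an ordinary shell over the
--    socket). 'change-me' is a placeholder (assumption); choose your own.
ALTER USER 'root'@'localhost'
  IDENTIFIED VIA unix_socket OR mysql_native_password USING PASSWORD('change-me');

-- 3. Map a local OS service user to its own account with no password at all.
--    appsvc and app.* are hypothetical names. The account can only be used
--    by a process running as the Linux user "appsvc" over the Unix socket;
--    a TCP connection (mysql -h 127.0.0.1 -u appsvc) is rejected because
--    there is no peer credential to check.
CREATE USER IF NOT EXISTS 'appsvc'@'localhost' IDENTIFIED VIA unix_socket;
GRANT SELECT, INSERT, UPDATE, DELETE ON app.* TO 'appsvc'@'localhost';

-- 4. If socket authentication for root is not wanted, switch to password
--    only. Set the password in the same statement, otherwise root is locked
--    out the moment the unix_socket method is removed.
ALTER USER 'root'@'localhost'
  IDENTIFIED VIA mysql_native_password USING PASSWORD('change-me');

-- Verify the result before closing the session you are in.
SHOW CREATE USER 'root'@'localhost';
```

Step 2 is the combination most installations want: operators with root or sudo keep the passwordless path, while a password exists for tooling that cannot run as root. Whatever you choose, check the result with `SHOW CREATE USER` from the session you already have open before relying on it from a new one.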
The really surprising thing is that this works on Windows as well, except that the role of Linux root is played by the Windows Administrator.
In Windows, the equivalent of sudo is Run as administrator, so any user that can open an elevated Command Prompt window can log on to the MariaDB server as root without a password. Don’t bother looking for any documentation about this on Windows. There isn’t any.
References
MariaDB: Authentication in MariaDB 10.4 — Understanding the Changes
MariaDB: Authentication Plugin – Unix Socket
MariaDB: Authentication Plugins