Make passwordless default root from localhost default always

Make auth_socket a built-in module that is always available and define root from localhost as always using it on fresh installs.

Make passwordless default root from localhost default always
ab63132b · Otto Kekäläinen · 774c03a2 · ab63132b · ab63132b · ab63132b
Commit ab63132b authored 9 years ago by Otto Kekäläinen
--- a/debian/additions/mariadb.conf.d/50-server.cnf
+++ b/debian/additions/mariadb.conf.d/50-server.cnf
@@ -104,14 +104,13 @@ character-set-server  = utf8mb4
 collation-server      = utf8mb4_general_ci

 #
-# * Unix socket authentication plugin
+# * Unix socket authentication plugin is built-in since 10.0.22-6
 #
 # Needed so the root database user can authenticate without a password but
 # only when running as the unix root user.
 #
 # Also available for other users if required.
 # See https://mariadb.com/kb/en/unix_socket-authentication-plugin/
-plugin-load-add         = auth_socket.so

 # this is only for embedded server
 [embedded]

--- a/debian/changelog
+++ b/debian/changelog
+mariadb-10.0 (10.0.22-6~exp1) experimental; urgency=low
+
+  * Add patch to make passwordless root login default on all new
+    installs in all situations. Make auth_socket a built-in plugin.
+  * Clean up previous passwordless root implementation so that it
+    applies only to new installs and existing databases continue
+    to operate with the passwords defined in their user tables.
+
+ -- Otto Kekäläinen <otto@seravo.fi>  Thu, 17 Dec 2015 15:28:51 +0200
+
 mariadb-10.0 (10.0.22-5) unstable; urgency=low

  * Fix non-working path of unstable-test in d/rules

--- a/debian/mariadb-server-10.0.install
+++ b/debian/mariadb-server-10.0.install
@@ -32,7 +32,6 @@ usr/bin/replace
 usr/bin/resolve_stack_dump
 usr/bin/resolveip
 usr/lib/mysql/plugin/auth_pam.so
-usr/lib/mysql/plugin/auth_socket.so
 usr/lib/mysql/plugin/ha_innodb.so
 usr/lib/mysql/plugin/ha_sequence.so
 usr/lib/mysql/plugin/ha_sphinx.so

--- a/debian/patches/mdev-8375-built-in-auth-socket.patch
+++ b/debian/patches/mdev-8375-built-in-auth-socket.patch
+From: Sergey Vojtovich <svoj@mariadb.org>
+Desciption: Make auth_socket built-in by default
+ Remove this the day passwordless root account becomes the default in
+ upstream too and not just in Debian packaging.
+Date: Fri, 18 Dec 2015 16:31:05 +0400
+Subject: [PATCH] Fixed auth_socket static compilation
+Origin: https://github.com/MariaDB/server/commit/3402f7a85364e26fe85dfff3b5d803a8497042aa.patch
+Bug: https://mariadb.atlassian.net/browse/MDEV-8375
+
+--- a/plugin/auth_socket/CMakeLists.txt
+++ b/plugin/auth_socket/CMakeLists.txt
+@@ -65,6 +65,6 @@ ENDIF()
+ ENDIF()
+ 
+ IF(ok)
+-  MYSQL_ADD_PLUGIN(auth_socket auth_socket.c MODULE_ONLY)
+  MYSQL_ADD_PLUGIN(auth_socket auth_socket.c)
+ ENDIF()
+ 
+--- a/plugin/auth_socket/auth_socket.c
+++ b/plugin/auth_socket/auth_socket.c
+@@ -105,7 +105,7 @@ static struct st_mysql_auth socket_auth_
+   socket_auth
+ };
+ 
+-maria_declare_plugin(socket_auth)
+maria_declare_plugin(auth_socket)
+ {
+   MYSQL_AUTHENTICATION_PLUGIN,
+   &socket_auth_handler,
+--- a/mysql-test/mysql-test-run.pl
+++ b/mysql-test/mysql-test-run.pl
+@@ -3641,6 +3641,9 @@ sub mysql_install_db {
+   mtr_tofile($bootstrap_sql_file,
+ 	     "DELETE FROM mysql.user where user= '';\n");
+ 
+  mtr_tofile($bootstrap_sql_file,
+            "UPDATE mysql.user SET plugin='';\n");
+
+   # Create mtr database
+   mtr_tofile($bootstrap_sql_file,
+ 	     "CREATE DATABASE mtr;\n");
--- a/debian/patches/mdev-8375-passwordless-root-via-socket-auth.patch
+++ b/debian/patches/mdev-8375-passwordless-root-via-socket-auth.patch
+From: Daniel Black <daniel.black@openquery.com.au>
+Date: Tue, 26 May 2015 18:48:57 +1000
+Desciption: Make root account by default on new installs passwordless
+ and use the unix socket authentication instead.
+ .
+ Remove this the day passwordless root account becomes the default in
+ upstream too and not just in Debian packaging.
+Origin: https://github.com/ottok/mariadb-10.0/pull/23/
+Bug: https://mariadb.atlassian.net/browse/MDEV-8375
+
+--- a/scripts/mysql_system_tables_data.sql
+++ b/scripts/mysql_system_tables_data.sql
+@@ -29,7 +29,7 @@ SELECT LOWER( REPLACE((SELECT REPLACE(@@
+ -- Fill "user" table with default users allowing root access
+ -- from local machine if "user" table didn't exist before
+ CREATE TEMPORARY TABLE tmp_user LIKE user;
+-INSERT INTO tmp_user VALUES ('localhost','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'','','N', 'N');
+INSERT INTO tmp_user VALUES ('localhost','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'unix_socket','','N', 'N');
+ REPLACE INTO tmp_user SELECT @current_hostname,'root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'','','N','N' FROM dual WHERE @current_hostname != 'localhost';
+ REPLACE INTO tmp_user VALUES ('127.0.0.1','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'','','N','N');
+ REPLACE INTO tmp_user VALUES ('::1','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'','','N','N');
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,5 @@ mysqld_multi.server_lsb-header.patch
 mdev-7550-tokudb.patch
 mdev-8692-perf-arm.patch
 mdev-9091-tokudb.patch
+mdev-8375-passwordless-root-via-socket-auth.patch
+mdev-8375-built-in-auth-socket.patch
--- a/debian/rules
+++ b/debian/rules
@@ -79,8 +79,10 @@ override_dh_auto_configure:
 	    -DINSTALL_LIBDIR=lib/$(DEB_HOST_MULTIARCH) \
 	    -DINSTALL_PLUGINDIR=lib/mysql/plugin \
 	    -DINSTALL_MYSQLTESTDIR=share/mysql/mysql-test \
+	    -DWITH_AUTH_SOCKET=ON \
 	    -DDEB=$(DISTRIBUTION) ..'
 	touch $@
+	# from 10.1 onwards use syntax: -DPLUGIN_AUTH_SOCKET=STATIC

 # This is needed, otherwise 'make test' will run before binaries have been built
 override_dh_auto_build: