Package: mysql-server Version: 5.5.42-1 Severity: normal Dear Maintainer,
When checking for insecure root accounts, ‘debian-start.inc.sh’ merely lists root accounts with an empty password: SELECT COUNT(*) FROM mysql.user WHERE user='root' and password=''; However, such an account can be perfectly secure if e.g., it is associated with the ‘auth_socket’ plugin [1] (the client would have to connect to Unix socket and use SO_PEERCRED). The query could be amended as follows: SELECT COUNT(*) FROM mysql.user WHERE user='root' and password='' and plugin!='auth_socket'; However some other plugins such as PAM could be considered secure as well. Cheers, -- Guilhem. [0] https://dev.mysql.com/doc/refman/5.5/en/pluggable-authentication.html [1] https://dev.mysql.com/doc/refman/5.5/en/socket-authentication-plugin.html -- System Information: Debian Release: stretch/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: i386 (i686) Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
signature.asc
Description: Digital signature