Your message dated Sat, 16 May 2020 23:48:52 +0000
with message-id <e1ja6y0-000ayg...@fasolo.debian.org>
and subject line Bug#953040: fixed in prometheus-mysqld-exporter 0.12.1+ds-1
has caused the Debian Bug report #953040,
regarding prometheus-mysqld-exporter: Regression on configuration disallows proper use of mysql auth_socket authentication
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
953040: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953040
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: prometheus-mysqld-exporter
Version: 0.11.0+ds-1+b20
Severity: serious
Justification: Policy 10.9

Dear Maintainer,

After upgrading my MariaDB server boxes to buster, the version of
prometheus mysqld exporter monitoring package stopped working. When
I checked the cause of it, the package logged very usefully the cause:

no user or password specified under [client] in /var/lib/prometheus/.my.s5.cnf

I checked and my [client] section had a user config, plus a password one, except
it was configured on purpose like this:

password = ''

I confirmed that by adding a fully random password, different from the empty
string, the exporter started working again.

This is because I use socket-based authentication for the prometheus mysqld
exporter user (https://mariadb.com/kb/en/authentication-plugin-unix-socket/),
something that is a best practice in a secure production environment.
In fact, Debian uses socket_auth for the default-created root user, which
makes Debian mariadb installation much more secure.

This issue not only forces users to maintain a password on the filesystem
in clear text (that can be easily stolen or leaked by accident, and reused
for other similarly-configured systems), it overpasses the additional checks
of socket-auth, that requires a matching unix account with the same name
as that of the mysql account.

This is a regression because auth_socket was working properly on previous
versions of prometheus available on stretch and other OSs. Not only this
breaks existing installations, it also discourages the usage of the
above-mentioned, more secure authentication mechanism.

If UI-friendly errors are preferred (because people forget to create or
protect mysql accounts), please allow me to specifically mark "this account
doesn't have a password, and I know what I am doing".

I have not reported this upstream.


-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-8-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages prometheus-mysqld-exporter depends on:
ii  daemon  0.6.4-1+b2
ii  libc6   2.28-10

prometheus-mysqld-exporter recommends no packages.

Versions of packages prometheus-mysqld-exporter suggests:
pn  default-mysql-server | virtual-mysql-server  <none>

-- no debconf information

--- End Message ---
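
An added example, not part of the report and not the exporter's own code: a small model of the `[client]` check described above, next to a hypothetical socket-aware variant that accepts an empty password only when a UNIX socket is configured. The sample option file, the socket path and all function names are assumptions made for illustration; the DSN strings follow the go-sql-driver `user[:password]@protocol(address)/` form.

```python
import configparser

# Constructed sample mirroring the report: socket auth, deliberately empty password.
SAMPLE_CNF = """\
[client]
user = prometheus
password = ''
socket = /run/mysqld/mysqld.sock
"""

def read_client(text):
    """Return the [client] options with MySQL-style quotes stripped."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    if not cp.has_section("client"):
        raise ValueError("no [client] section")
    sec = cp["client"]
    return {k: (sec.get(k) or "").strip().strip("'\"")
            for k in ("user", "password", "socket", "host", "port")}

def strict_check(opts):
    """Model of the reported behaviour: an empty password is rejected."""
    if not opts["user"] or not opts["password"]:
        raise ValueError("no user or password specified under [client]")
    return opts

def socket_aware_dsn(opts):
    """Hypothetical relaxed check: password optional only over a UNIX socket."""
    if not opts["user"]:
        raise ValueError("no user specified under [client]")
    cred = opts["user"] + (":" + opts["password"] if opts["password"] else "")
    if opts["socket"]:
        return f"{cred}@unix({opts['socket']})/"
    if not opts["password"]:
        raise ValueError("TCP connection without a password refused")
    return f"{cred}@tcp({opts['host'] or 'localhost'}:{opts['port'] or '3306'})/"

def stores_cleartext_secret(opts):
    """Audit helper: True when the option file holds a reusable password."""
    return bool(opts["password"])
```
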
--- Begin Message ---
Source: prometheus-mysqld-exporter
Source-Version: 0.12.1+ds-1
Done: Martina Ferrari <t...@debian.org>

We believe that the bug you reported is fixed in the latest version of
prometheus-mysqld-exporter, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 953...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martina Ferrari <t...@debian.org> (supplier of updated prometheus-mysqld-exporter package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sat, 16 May 2020 23:26:21 +0000
Source: prometheus-mysqld-exporter
Architecture: source
Version: 0.12.1+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <pkg-go-maintain...@lists.alioth.debian.org>
Changed-By: Martina Ferrari <t...@debian.org>
Closes: 952291 953040 953652
Changes:
 prometheus-mysqld-exporter (0.12.1+ds-1) unstable; urgency=medium
 .
   * New upstream release. Closes: #952291
   * Update compat and Standards-Version with no changes.
   * debian/default: Update, reformat, and reorganise. Closes: #953652
   * Update and unify packaging.
   * Patch test that requires a running mysql server.
   * Document how to use UNIX domain sockets for auth. Closes: #953040

--- End Message ---