Is having a root .my.cnf file a bad idea?
After completing a long-overdue upgrade of database software from MariaDB 5.5 to 10.2 and cleaning up the broken pieces, I discovered that it is not necessary to enter a password for the root user from the command line any more.
# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 44
Server version: 10.2.19-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> SELECT user,host,password FROM mysql.user WHERE user='';
Empty set (0.00 sec)
MariaDB [(none)]>
In researching how to fix this, it was apparent that there are two sides to the issue. Searching further for the reason, I found a file .my.cnf in the root directory with user and password. Aha!
# cat ~/.my.cnf
[client]
password=""
user=root
[mysqld]
#
Considering the server has disabled root "password" login (key only), is this opening a vulnerability? Is it mainly for the convenience? Thanks for adding your view! David
The risk is minimal; if a hacker has access to that file as root, you have bigger problems.
Hello David, Root access to the system is required in order to see the contents of the file. Additionally, the root password in the /root/.my.cnf file is not the same as the server's root password. Let me know if you have any questions. Thanks!
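Both replies rest on the option file being readable by root alone. The following is an added example, not part of the original thread: it checks the mode and owner of such a file and reports whether [client] stores a password, without printing the value. It assumes GNU stat (Linux); the function name audit_mycnf and the output labels are made up for illustration.

```shell
#!/bin/sh
# audit_mycnf FILE: print findings for a MySQL/MariaDB client option file.
# Returns 0 if mode and owner are tight, 1 if not, 2 if FILE is missing.
audit_mycnf() {
    f=$1; rc=0
    if [ ! -f "$f" ]; then
        echo "NO_FILE: $f"
        return 2
    fi
    # Any group/other permission bit lets non-owners read or replace the file.
    mode=$(stat -c '%a' "$f")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "LOOSE_MODE: $f is $mode, expected 600 or stricter"
        rc=1
    fi
    # Assumption: the file should belong to the user running the audit.
    if [ "$(stat -c '%u' "$f")" != "$(id -u)" ]; then
        echo "FOREIGN_OWNER: $f is not owned by uid $(id -u)"
        rc=1
    fi
    # Inspect password= inside [client] only; report its state, never its value.
    pw=$(awk -v q="'" '
        /^[ \t]*\[client\][ \t]*$/ { in_client = 1; next }
        /^[ \t]*\[/                { in_client = 0; next }
        in_client && /^[ \t]*password[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)   # drop "password ="
            gsub(/[" \t]/, "", v)          # drop double quotes and blanks
            gsub(q, "", v)                 # drop single quotes
            print (v == "" ? "empty" : "set")
            exit
        }' "$f")
    if [ "$pw" = "empty" ]; then
        echo "PASSWORD: empty in [client]"
    elif [ "$pw" = "set" ]; then
        echo "PASSWORD: stored in cleartext in [client]"
    fi
    return $rc
}

# Demo on a constructed copy of the file shown in the question, made world-readable.
sample=$(mktemp)
printf '[client]\npassword=""\nuser=root\n[mysqld]\n' > "$sample"
chmod 644 "$sample"
audit_mycnf "$sample" || true
rm -f "$sample"
```

Run as root against /root/.my.cnf, a clean result is a single PASSWORD line and exit status 0.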