Bug 108779
Summary: | Always timeout error starting MySQL Daemon
---|---
Product: | [Fedora] Fedora
Component: | mysql
Version: | rawhide
Status: | CLOSED ERRATA
Severity: | medium
Priority: | high
Hardware: | All
OS: | Linux
Reporter: | Robert Scheck <redhat-bugzilla>
Assignee: | Kim Ho <kho>
CC: | gordon.messmer, jeskritt, jtate, kho, laurent, mnk, mrsam, patrickm, vortexreality2050, wtogami
Doc Type: | Bug Fix
Last Closed: | 2003-11-18 20:29:30 UTC

Created attachment 95652
Fix for mysqld for /etc/init.d
I am having problems reproducing this problem.

    [root@tomaluk init.d]# service mysqld start
    Initializing MySQL database: [ OK ]
    Starting MySQL: [ OK ]
    [root@tomaluk init.d]# mysqladmin ping
    mysqld is alive
    [root@tomaluk init.d]#
    [root@tomaluk init.d]# service mysqld restart
    Stopping MySQL: [ OK ]
    Starting MySQL: [ OK ]
    [root@tomaluk init.d]# service mysqld stop
    Stopping MySQL: [ OK ]
    [root@tomaluk init.d]#

The only way I was able to reproduce it was:

    mysql> select user,host from user;
    +------+----------------------------+
    | user | host                       |
    +------+----------------------------+
    |      | localhost                  |
    | root | localhost                  |
    |      | tomaluk.toronto.redhat.com |
    | root | tomaluk.toronto.redhat.com |
    +------+----------------------------+
    4 rows in set (0.00 sec)

    mysql> delete from user where user='';
    Query OK, 2 rows affected (0.00 sec)

    mysql> \q
    Bye
    [root@tomaluk init.d]# mysqladmin ping
    mysqld is alive
    [root@tomaluk init.d]# service mysqld restart
    Stopping MySQL: [ OK ]
    Timeout error occurred trying to start MySQL Daemon.
    Starting MySQL: [FAILED]
    [root@tomaluk init.d]# mysqladmin -u root ping
    mysqld is alive

Please let me know if the users in mysql have been changed. (e.g. the removal of anonymous users)

    mysql> select user,host from user;
    +---------+-----------+
    | user    | host      |
    +---------+-----------+
    | root    | hurricane |
    |         | localhost |
    +---------+-----------+

Well, I only gave root a password... And it's correct to give mysql-root a password, because that is explicitly written in the mysql documentation! Have a look at the documentation: http://www.mysql.de/doc/en/Default_privileges.html

The defaults work fine. If you change the settings, then you will have to make the appropriate changes in the scripts.

The default works fine, as long as the admin doesn't change the password for the mysql root user.
But as described in the MySQL admin documentation, everybody _must_ change this, in order to close a security hole:

> Because your installation is initially wide open, one of the first
> things you should do is specify a password for the MySQL root user.
> You can do this as follows (note that you specify the password
> using the PASSWORD() function):

> Try mysql -u root. If you are able to connect successfully to the
> server without being asked for a password, you have problems.
> Anyone can connect to your MySQL server as the MySQL root user with
> full privileges! Review the MySQL installation instructions, paying
> particular attention to the item about setting a root password.

One solution would be to create a "dummy" mysql user restricted to localhost and with no rights. Another solution would be to remove the new changes and to live without a check whether the mysql server runs or not.

And could you please remove the binding in bugzilla to the group rhnpm? Thank you very much. I think that's interesting for other users, too.

No.. if everyone _HAS TO_ change this, it would have been part of setting up MySQL. It is not part of the defaults of MySQL and therefore, we will not be changing it.

I'm really sorry to say that so unfriendly, but *please* read: http://www.securityfocus.com/infocus/1726 and then *please* read my posting on the Fedora mailing list: https://www.redhat.com/archives/fedora-list/2003-November/msg00171.html and the corresponding answers (if there are new answers).

And could you please remove the binding in bugzilla to the group rhnpm? Thank you very much. I think that's interesting for other users, too.

Thanks for your suggestions. We will be fixing the issue by adding a mysql user with no privileges. I think I accidentally hit rhnpm. removing.

Just using a random, nonexistent user for the mysqladmin parameter -u is enough to fix that issue.
    mysqladmin -u foo ping

Alternatively, you can explicitly request use of the anonymous account (which is what you're trying to do anyway) using "-u UNKNOWN_USER"

    /usr/bin/mysqladmin ping -u UNKNOWN_USER 2> /dev/null

Thanks for all the feedback. I think the problem with it is the two above suggestions require anonymous users to work. (please correct me if I'm wrong, I'm by no means a MySQL expert) However, that has already been removed (if you follow the instructions to secure the MySQL installation). I believe that after following the instructions, all you're left with is a root@localhost passworded account.

It's true that our suggestions require the anonymous user, but adding a "mysql" user with no privs is effectively the same. "mysql" would then be an anonymous user with a name, rather than an anonymous user without a name.

While the securityfocus documents suggest removing the anonymous user, I don't believe MySQL's own documentation suggests this step. MySQL's own documentation does, however, suggest using a password on the "root" account. It seems like the most reasonable thing to do is to support the set documented by MySQL, Inc. To do so, all that needs to be done is to use the arguments "-u UNKNOWN_USER" when you're attempting some anonymous access to the database, such as the "ping" operation. Users who go to the additional step of disabling anonymous access can remove the sanity checks in the init script.

I'm not sure what needs to happen with the logrotate scripts when you've set a root password. I'll look at that when I'm back in front of my Fedora installation, and suggest any fixes or documentation that may be necessary.

Should have been noted in my previous comment: Securityfocus's documentation would also remove the "mysql" user, so there's no real point in adding it.

We're going to follow what Debian does with MySQL (which is create a debian-sys-maint user for stuff like this). Credit for the coming fix goes to them.
Is this package available for testing? It seems to me that anyone affected by this problem would be unable to install a package that tried to add a new user. Given that "-u UNKNOWN_USER" is the least intrusive solution, it seems the best.

fixed using anonymous users. in rawhide. should be available within a day or two.

*** Bug 110566 has been marked as a duplicate of this bug. ***
*** Bug 110591 has been marked as a duplicate of this bug. ***
*** Bug 110591 has been marked as a duplicate of this bug. ***
*** Bug 113820 has been marked as a duplicate of this bug. ***
*** Bug 113884 has been marked as a duplicate of this bug. ***
*** Bug 116531 has been marked as a duplicate of this bug. ***

Thanks for the explanation and the fix. I have however three remarks.

1° I encountered the problem of the bug as I upgraded from RHL 9 to FC 2. Although the bug is supposed to be fixed, a lot of upgraders will suffer from the problem. The startup of mysqld in RH9 remains essentially different from Fedora. There is no compatibility: things that worked fine previously, appear not to work anymore.

2° For security reasons, I had indeed previously deleted all anonymous users from MySQL. Note that when not doing so, besides a security issue, creating a MySQL-user, say john_doe, who is allowed to work from any host (host='%', user='john_doe') would not be recognized working from localhost, because in MySQL (host='localhost',user='') is considered before the less-specific host value (host='%', user='john_doe'). This had to be solved by adding one more john_doe: john_doe@localhost next to john_doe@'%'. Using a specific user with a name but with no granted rights (grant usage only, effectively allowing the ping) might have been a better solution.

3° The restart doesn't work from time to time. I would suggest a small alteration:

    restart(){
        stop
        sleep 2
        start
    }

Thanks in advance.

An errata has been issued which should help the problem described in this bug report.
This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2004-569.html

With this latest update I now see on two hosts

    # /etc/init.d/mysqld start
    Timeout error occurred trying to start MySQL Daemon.
    Starting MySQL: [FAILED]

though the service does appear to start. Changing

    ping="/usr/bin/mysqladmin -uUNKNOWN_MYSQL_USER ping"

to

    ping="/usr/bin/mysqladmin -uUNKNOWN_MYSQL_USER -t 5 ping"

resolved the situation.

Steve

You can solve the issue by creating a single account with no privileges whatsoever. Without any privileges, this account does not pose any security risk. Using a name other than "anonymous" provides a certain level of security through obscurity.

    GRANT USAGE ON *.* TO 'yaddayadda'@'localhost';

Then alter /etc/rc.d/init.d/mysqld to change the line to read:

    ping="/usr/bin/mysqladmin -u yaddayadda ping"

I meet the same bug. How can I return the original state? I need to start up the mysql server quickly.

Thanks in advance,
Bill
Description of problem, how reproducible and steps to reproduce:

    # service mysqld restart
    Stopping MySQL: [ OK ]
    Timeout error occurred trying to start MySQL Daemon.
    Starting MySQL: [FAILED]
    #

It displays only an error, but mysqld lives!

Version-Release number of selected component (if applicable): mysql-3.23.58-4

Actual results: If I do a mysqladmin ping at my system I get the following:

    # mysqladmin ping
    mysqladmin: connect to server at 'localhost' failed
    error: 'Access denied for user: 'root@localhost' (Using password: NO)'
    #

I've to use a password:

    # mysqladmin -u root -p ping
    Enter password:
    mysqld is alive
    #

Or I've to use the MySQL user:

    # mysqladmin -u mysqld ping
    mysqld is alive
    #

Expected results and additional info: The error is caused by that section:

> # Spin for a maximum of ten seconds waiting for the server to come up
> if [ $ret -eq 0 ]; then
>     for x in 1 2 3 4 5 6 7 8 9 10; do
>         if [ -n "`/usr/bin/mysqladmin ping 2> /dev/null`" ]; then
>             break;
>         else
>             sleep 1;
>         fi
>     done
>     if !([ -n "`/usr/bin/mysqladmin ping 2> /dev/null`" ]); then
>         echo "Timeout error occurred trying to start MySQL Daemon."
>         action $"Starting $prog: " /bin/false
>     else
>         action $"Starting $prog: " /bin/true
>     fi
> else
>     action $"Starting $prog: " /bin/false
> fi

You can't do that so - you've seen it above! I added a new init script solving that problem. And I think it's ugly to use "2> /dev/null" at a Bash script...
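
The false timeout in this report comes from a startup check that reads an "Access denied" reply as "server not running". The following is an added example, not the Fedora init script or the attached fix: a readiness probe that needs neither a password nor an anonymous account, because it counts the access-denied reply as proof that the daemon answered. The names `PING_CMD`, `classify_ping` and `wait_for_mysqld` are hypothetical; the default probe command is the one quoted in this report.

```shell
#!/bin/sh
# Added example: readiness probe that does not need a MySQL account.
# PING_CMD is an assumed override hook; the default is the probe command
# quoted in this report.
PING_CMD=${PING_CMD:-"/usr/bin/mysqladmin -uUNKNOWN_MYSQL_USER ping"}

# classify_ping RC OUTPUT
# Prints alive, alive-auth-required or down; returns 0 if the server answered.
classify_ping() {
    rc=$1
    output=$2
    case $output in
        *"Access denied for user"*)
            # The server completed the handshake and rejected the login,
            # so the daemon is running. Matched on the message text,
            # whatever the exit status.
            echo alive-auth-required
            return 0
            ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo alive
        return 0
    fi
    echo down
    return 1
}

# wait_for_mysqld TRIES DELAY_SECONDS
# Polls PING_CMD until the server answers or TRIES attempts are used up.
wait_for_mysqld() {
    tries=$1
    delay=$2
    attempt=0
    while [ "$attempt" -lt "$tries" ]; do
        # Capture stderr too: that is where the access-denied text goes.
        out=$($PING_CMD 2>&1) && rc=0 || rc=$?
        if state=$(classify_ping "$rc" "$out"); then
            echo "$state"
            return 0
        fi
        attempt=$((attempt + 1))
        sleep "$delay"
    done
    echo down
    return 1
}
```

An init script would call `wait_for_mysqld 10 1` after launching the daemon and report failure only when it returns non-zero.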