From b9f3f06857ac6f9105dc65caae19782f09b47fb3 Mon Sep 17 00:00:00 2001 From: Sergei Golubchik Date: Tue, 5 Feb 2019 16:07:07 +0100 Subject: [PATCH] MDEV-12484 Enable unix socket authentication by default Change the default authentication for root@localhost to IDENTIFIED VIA mysql_native_password USING 'invalid' OR unix_socket which provides secure passwordless login, while still allowing SET PASSWORD to work as expected. Also create a second all-privilege account for the user that owns datadir (and thus has full access to the data anyway). Compile unix_socket plugin statically into the server.
---
.../build_configurations/mysql_release.cmake | 3 +++ mysql-test/main/failed_auth_unixsocket.result | 2 +- mysql-test/main/failed_auth_unixsocket.test | 2 +- mysql-test/main/mysql_upgrade-6984.result | 2 +- mysql-test/main/mysql_upgrade-6984.test | 2 +- .../i_s_applicable_roles_is_default.result | 2 +- .../i_s_applicable_roles_is_default.test | 2 +- scripts/mysql_install_db.sh | 27 +++++++++++-------- scripts/mysql_system_tables_data.sql | 7 +++-- 9 files changed, 30 insertions(+), 19 deletions(-)
diff --git a/cmake/build_configurations/mysql_release.cmake b/cmake/build_configurations/mysql_release.cmake
index 105855a0bd1..4b399a131f5 100644
--- a/cmake/build_configurations/mysql_release.cmake
+++ b/cmake/build_configurations/mysql_release.cmake
@@ -98,17 +98,20 @@ ELSEIF(RPM) SET(CHECKMODULE /usr/bin/checkmodule CACHE STRING "") SET(SEMODULE_PACKAGE /usr/bin/semodule_package CACHE STRING "") SET(WITH_LIBARCHIVE ON CACHE STRING "") + SET(PLUGIN_AUTH_SOCKET YES) ELSEIF(DEB) SET(WITH_SSL system CACHE STRING "") SET(WITH_ZLIB system CACHE STRING "") SET(WITH_LIBWRAP ON) SET(HAVE_EMBEDDED_PRIVILEGE_CONTROL ON) SET(WITH_LIBARCHIVE ON CACHE STRING "") + SET(PLUGIN_AUTH_SOCKET YES) ELSE() SET(WITH_SSL bundled CACHE STRING "") SET(WITH_ZLIB bundled CACHE STRING "") SET(WITH_JEMALLOC static CACHE STRING "") SET(WITH_LIBARCHIVE STATIC CACHE STRING "") + SET(PLUGIN_AUTH_SOCKET STATIC) ENDIF() IF(NOT COMPILATION_COMMENT) diff --git a/mysql-test/main/failed_auth_unixsocket.result b/mysql-test/main/failed_auth_unixsocket.result index 690476cd753..eb02479431b 100644 --- a/mysql-test/main/failed_auth_unixsocket.result +++ b/mysql-test/main/failed_auth_unixsocket.result @@ -8,6 +8,6 @@ flush privileges; connect(localhost,USER,,test,MASTER_PORT,MASTER_SOCKET); ERROR 28000: Access denied for user 'USER'@'localhost' ERROR 28000: Access denied for user 'USER'@'localhost' -update mysql.global_priv set priv=json_remove(priv, '$.plugin'); +update mysql.global_priv set priv=json_compact(json_remove(priv, '$.plugin')); flush privileges; uninstall plugin unix_socket; diff --git a/mysql-test/main/failed_auth_unixsocket.test b/mysql-test/main/failed_auth_unixsocket.test index a7ae7d64a6b..01fb09e1c46 100644 --- a/mysql-test/main/failed_auth_unixsocket.test +++ b/mysql-test/main/failed_auth_unixsocket.test @@ -36,7 +36,7 @@ connect (fail,localhost,$USER); --error ER_ACCESS_DENIED_NO_PASSWORD_ERROR change_user $USER; -update mysql.global_priv set priv=json_remove(priv, '$.plugin'); +update mysql.global_priv set priv=json_compact(json_remove(priv, '$.plugin')); flush privileges; uninstall plugin unix_socket; 
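Review bot: The RPM and DEB branches set `PLUGIN_AUTH_SOCKET` to `YES`, while only the generic `ELSE()` branch uses `STATIC`, so the commit message's "compile unix_socket plugin statically" is guaranteed only for the last branch. `YES` leaves the linkage to the plugin's own default, which is declared outside this patch; if that default is a loadable module, a packaged install could end up with a root@localhost entry whose unix_socket alternative is unusable until the plugin is loaded. Either use `SET(PLUGIN_AUTH_SOCKET STATIC)` in all three branches or add a comment explaining why packages differ. The `IF`/`ELSEIF` chain starts above the hunk.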
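Review bot: The cleanup `update mysql.global_priv set priv=json_compact(json_remove(priv, '$.plugin'));` in failed_auth_unixsocket.test has no `where` clause, so it rewrites the authentication data of every account row rather than only the one the test changed. Since this commit makes the default root@localhost entry depend on its plugin settings, an unscoped strip in teardown may leave the privilege table different from how the test found it; restricting the statement to the account under test would be safer, assuming the setup earlier in the file (outside this hunk) touched only that account. The same unscoped pattern is in the mysql_upgrade-6984 and i_s_applicable_roles_is_default hunks. A one-line comment such as `# json_compact: restore the stored JSON formatting after json_remove` would also say why the wrapper was added, which the patch does not state.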
diff --git a/mysql-test/main/mysql_upgrade-6984.result b/mysql-test/main/mysql_upgrade-6984.result index 87f3c1a5359..ad48004a2a3 100644 --- a/mysql-test/main/mysql_upgrade-6984.result +++ b/mysql-test/main/mysql_upgrade-6984.result @@ -63,6 +63,6 @@ test Phase 7/7: Running 'FLUSH PRIVILEGES' OK connect con1,localhost,root,foo,,,; -update mysql.global_priv set priv=json_remove(priv, '$.plugin', '$.authentication_string'); +update mysql.global_priv set priv=json_compact(json_remove(priv, '$.plugin', '$.authentication_string')); flush privileges; set global event_scheduler=OFF; diff --git a/mysql-test/main/mysql_upgrade-6984.test b/mysql-test/main/mysql_upgrade-6984.test index a036b7a08a0..ad2b95314b0 100644 --- a/mysql-test/main/mysql_upgrade-6984.test +++ b/mysql-test/main/mysql_upgrade-6984.test @@ -17,7 +17,7 @@ update mysql.global_priv set priv=json_set(priv, '$.plugin', 'mysql_native_passw connect(con1,localhost,root,foo,,,); -update mysql.global_priv set priv=json_remove(priv, '$.plugin', '$.authentication_string'); +update mysql.global_priv set priv=json_compact(json_remove(priv, '$.plugin', '$.authentication_string')); flush privileges; # Load event table set global event_scheduler=OFF; diff --git a/mysql-test/suite/roles/i_s_applicable_roles_is_default.result b/mysql-test/suite/roles/i_s_applicable_roles_is_default.result index 32498d11390..ee7d17f3a1f 100644 --- a/mysql-test/suite/roles/i_s_applicable_roles_is_default.result +++ b/mysql-test/suite/roles/i_s_applicable_roles_is_default.result @@ -78,4 +78,4 @@ drop role role3; drop role role2; drop role role1; drop user foo; -update mysql.global_priv set priv=json_remove(priv, '$.default_role'); +update mysql.global_priv set priv=json_compact(json_remove(priv, '$.default_role')); diff --git a/mysql-test/suite/roles/i_s_applicable_roles_is_default.test b/mysql-test/suite/roles/i_s_applicable_roles_is_default.test index b6f6f9ba879..0e6436924a9 100644 
--- a/mysql-test/suite/roles/i_s_applicable_roles_is_default.test +++ b/mysql-test/suite/roles/i_s_applicable_roles_is_default.test @@ -59,4 +59,4 @@ drop role role3; drop role role2; drop role role1; drop user foo; -update mysql.global_priv set priv=json_remove(priv, '$.default_role'); +update mysql.global_priv set priv=json_compact(json_remove(priv, '$.default_role')); diff --git a/scripts/mysql_install_db.sh b/scripts/mysql_install_db.sh index 8cb55e519e7..54b5bed4546 100644 --- a/scripts/mysql_install_db.sh +++ b/scripts/mysql_install_db.sh @@ -37,8 +37,8 @@ force=0 in_rpm=0 ip_only=0 cross_bootstrap=0 -auth_root_authentication_method=normal -auth_root_socket_user='root' +auth_root_authentication_method=socket +auth_root_socket_user="" skip_test_db=0 usage() @@ -46,17 +46,17 @@ usage() cat <
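Review bot: `auth_root_socket_user=""` in the first mysql_install_db.sh hunk turns the empty string into a sentinel, and nothing in this hunk shows how it is resolved. The code that consumes it (outside this hunk) should be checked so that an unresolved empty value can never reach account creation, because an all-privilege account with an empty user name would act as an anonymous account. A comment on the default, e.g. `# empty: resolved later to the owner of the datadir`, would record the intent given in the commit message. Flipping `auth_root_authentication_method` to `socket` also changes what existing provisioning scripts get from a bare run, which deserves a line in the usage text; that text begins in the next hunk and is cut off here.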