Authentication Plugin - Unix Socket
MariaDB starting with 10.4.3
In MariaDB 10.4.3 and later, the unix_socket
authentication plugin is installed by default, and it is used by the 'root'@'localhost'
user account by default. See Authentication from MariaDB 10.4 for more information.
The unix_socket
authentication plugin allows the user to use operating system credentials when connecting to MariaDB via the local Unix socket file. This Unix socket file is defined by the socket
system variable.
The unix_socket
authentication plugin works by calling the getsockopt
system call with the SO_PEERCRED
socket option, which allows it to retrieve the uid
of the process that is connected to the socket. It is then able to get the user name associated with that uid
. Once it has the user name, it will authenticate the connecting user as the MariaDB account that has the same user name.
The unix_socket
authentication plugin is not suited to multiple unix users accessing a single MariaDB user account.
Contents
Is it Secure?
A unix_socket
authentication plugin is a password-less security mechanism. Its security is in the strength of the access to the unix user rather than the complexity and the secrecy of the password. As the security is different from passwords the strengths and weaknesses need to be considered and these aren't the same in every installation.
Strengths of Unix socket authentication
- Access is limited to the unix user, so a
www-data
user cannot accessroot
withunix_socket
authentication plugin. - There is no password to brute force.
- There is no password that can be accidently exposed by user accident, poor security on backups, or poor security on passwords in configuration files.
- Default unix user security is usually strong on preventing remote access and password brute force attempts.
Weakness of Unix socket authentication
As the strength of a unix_socket
authentication plugin is effectively the strength of the security of the unix users on the system. The unix user default installation in most cases is sufficiently secure however business requirements or unskilled management may expose risks. The following are a non-exhastive list of potential unix user security issues that may arrise.
- Common access areas without screen locks where an unauthorized user access the a logged in unix user of an authorized user.
- Extensive sudo access grants that provide users with access to execute commands of a different unix user.
- Scripts writable by unix users other than the unix user, that are executed (cron or directly) by the unix user.
- Web pages that are susceptable to command injection, where the unix user running the web page has elevated privileges in the database that weren't intended to be used.
- Poor unix user password practices including weak user passwords, password exposure and password reuse accompaned by the an access vulnerabilty/mechanism of an unauthorized user to exploit this weakness.
- Weak remote access mechanisms and network file system privileges.
- Poor user security behavior including running untrusted scripts and software.
In some of these scenarios a database password may prevent these security exploits, however it will remove all the strengths of the unix_socket
authentication plugin previously mentioned.
Disabling the Plugin
MariaDB starting with 10.4.3
In MariaDB 10.4.3 and later, the unix_socket
authentication plugin is installed by default, so if you do not want it to be available by default on those versions, then you will need to disable it.
The unix_socket
authentication plugin is also installed by default in new installations that use the .deb
packages provided by Debian's default repositories in Debian 9 and later and Ubuntu's default repositories in Ubuntu 15.10 and later, so if you do not want it to be available by default on those systems when those packages are used, then you will need to disable it. See Differences in MariaDB in Debian (and Ubuntu) for more information.
The unix_socket
authentication plugin can be disabled by starting the server with the unix_socket
option set to OFF
. This can be specified as a command-line argument to mysqld
or it can be specified in a relevant server option group in an option file. For example:
[mariadb] ... unix_socket=OFF
As an alternative, the unix_socket
option can also be set to OFF
by pairing the option with the disable
option prefix. For example:
[mariadb] ... disable_unix_socket
Installing the Plugin
MariaDB starting with 10.4.3
In MariaDB 10.4.3 and later, the unix_socket
authentication plugin is installed by default, so this step can be skipped on those versions.
The unix_socket
authentication plugin is also installed by default in new installations that use the .deb
packages provided by Debian's default repositories in Debian 9 and later and Ubuntu's default repositories in Ubuntu 15.10 and later, so this step can be skipped on those systems when those packages are used. See Differences in MariaDB in Debian (and Ubuntu) for more information.
In other systems, although the plugin's shared library is distributed with MariaDB by default as auth_socket.so
, the plugin is not actually installed by MariaDB by default. There are two methods that can be used to install the plugin with MariaDB.
The first method can be used to install the plugin without restarting the server. You can install the plugin dynamically by executing INSTALL SONAME
or INSTALL PLUGIN
. For example:
INSTALL SONAME 'auth_socket';
The second method can be used to tell the server to load the plugin when it starts up. The plugin can be installed this way by providing the --plugin-load
or the --plugin-load-add
options. This can be specified as a command-line argument to mysqld
or it can be specified in a relevant server option group in an option file. For example:
[mariadb] ... plugin_load_add = auth_socket
Uninstalling the Plugin
You can uninstall the plugin dynamically by executing UNINSTALL SONAME
or UNINSTALL PLUGIN
. For example:
UNINSTALL SONAME 'auth_socket';
If you installed the plugin by providing the --plugin-load
or the --plugin-load-add
options in a relevant server option group in an option file, then those options should be removed to prevent the plugin from being loaded the next time the server is restarted.
Creating Users
To create a user account via CREATE USER
, specify the name of the plugin in the IDENTIFIED VIA
clause. For example:
CREATE USER username@hostname IDENTIFIED VIA unix_socket;
If SQL_MODE
does not have NO_AUTO_CREATE_USER
set, then you can also create the user account via GRANT
. For example:
GRANT SELECT ON db.* TO username@hostname IDENTIFIED VIA unix_socket;
Switching to Password-based Authentication
Sometimes Unix socket authentication does not meet your needs, so it can be desirable to switch a user account back to password-based authentication. This can easily be done by telling MariaDB to use another authentication plugin for the account by executing the ALTER USER
statement. The specific authentication plugin is specified with the IDENTIFIED VIA
clause. For example, if you wanted to switch to the mysql_native_password
authentication plugin, then you could execute:
ALTER USER root@localhost IDENTIFIED VIA mysql_native_password; SET PASSWORD = PASSWORD('foo');
Note that if your operating system has scripts that require password-less access to MariaDB, then this may break those scripts. You may be able to fix that by setting a password in the [client]
option group in your /root/.my.cnf option file. For example:
[client] password=foo
Client Authentication Plugins
The unix_socket
authentication plugin does not require any specific client authentication plugins. It should work with all clients.
Support in Client Libraries
The unix_socket
authentication plugin does not require any special support in client libraries. It should work with all client libraries.
Example
$ mysql -uroot MariaDB []> CREATE USER serg IDENTIFIED VIA unix_socket; MariaDB []> CREATE USER monty IDENTIFIED VIA unix_socket; MariaDB []> quit Bye $ whoami serg $ mysql --user=serg Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 2 Server version: 5.2.0-MariaDB-alpha-debug Source distribution MariaDB []> quit Bye $ mysql --user=monty ERROR 1045 (28000): Access denied for user 'monty'@'localhost' (using password: NO)
In this example, a user serg
is already logged into the operating system and has full shell access. He has already authenticated with the operating system and his MariaDB account is configured to use the unix_socket
authentication plugin, so he does not need to authenticate again for the database. MariaDB accepts his operating system credentials and allows him to connect. However, any attempt to connect to the database as another operating system user will be denied.
Versions
Version | Status | Introduced |
---|---|---|
1.0 | Stable | MariaDB 10.0.11 |
1.0 | Beta | MariaDB 5.2.0 |
Options
unix_socket
- Description: Controls how the server should treat the plugin when the server starts up.
- Valid values are:
OFF
- Disables the plugin without removing it from themysql.plugin
table.ON
- Enables the plugin. If the plugin cannot be initialized, then the server will still continue starting up, but the plugin will be disabled.FORCE
- Enables the plugin. If the plugin cannot be initialized, then the server will fail to start with an error.FORCE_PLUS_PERMANENT
- Enables the plugin. If the plugin cannot be initialized, then the server will fail to start with an error. In addition, the plugin cannot be uninstalled withUNINSTALL SONAME
orUNINSTALL PLUGIN
while the server is running.
- See Plugin Overview: Configuring Plugin Activation at Server Startup for more information.
- Valid values are:
- Commandline:
--unix-socket=value
- Data Type:
enumerated
- Default Value:
ON
- Valid Values:
OFF
,ON
,FORCE
,FORCE_PLUS_PERMANENT