
Issue: Plesk Obsidian installation on Debian 10.9 creates MySQL/MariaDB root user root@localhost without password

JensKillus

New Pleskian
I've installed Plesk Obsidian 18.0.34 (Update 2) on a fresh Debian server running Debian 10.9. No software other than OpenSSH was installed on the server. I installed Plesk with the one-click installer:

# sh <(curl https://autoinstall.plesk.com/one-click-installer || wget -O - https://autoinstall.plesk.com/one-click-installer)

When the installation was complete, I noticed that in addition to the MySQL/MariaDB account admin@localhost, which Plesk uses for database access, an account root@localhost with no password had also been created. This is a severe security flaw, because every shell user can log into the database server with full administrative privileges.
 
I didn't know that MariaDB comes with Plesk. Normally, it is installed at the operating system level before you start the Plesk installation. Plesk does not create a root user on MariaDB, and so far I have not seen MariaDB as a component of Plesk. Is that something new that can now be selected during installation?
 
Hi Peter. Debian moved from MySQL to MariaDB in Debian 9 "Stretch". In Debian package management MariaDB is marked as the default MySQL server, so when Plesk installs MySQL, MariaDB will be selected and installed. In Plesk component management there is no option for changing the type of MySQL server. It seems to me that the Debian postinstall script for MariaDB lacks the opportunity to secure the root account with a password, and Plesk inherits this security flaw.
 
Are you sure that MariaDB is installed with Plesk during the Plesk installation process? It seems to me that the database server is rather something that must pre-exist on the machine before you can do a Plesk installation. Isn't it rather necessary to set a password for the pre-existing database server in the database server itself, independently from Plesk?
 
It's not a security risk, because this root user uses socket-based auth instead of a password - heck, it's considered to be even more secure than using a password after all.

This behavior is also the default for any Debian 9 or 10 you install MariaDB on, regardless of Plesk or not.

It's also not true that "every shell user can log on".
Yes, you may be able to log into MariaDB without a password when you are logged in as root on your server - but that is the whole idea behind socket-based auth, isn't it?
 
Hello ChristophRo. Thanks for the clarification, you are right. I've checked this: the MariaDB socket auth plugin is installed, so the missing password is not a security risk, because auth is bound to PAM.
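A check for the situation discussed in this thread, added here as an example and not taken from the original posts or from Plesk: it reads the account list from mysql.user and flags only accounts that have neither a password hash nor an OS/PAM auth plugin, so root@localhost with unix_socket passes while a genuinely passwordless account does not. The audit_accounts function and the sample rows are constructed for this example.

```shell
# Audit MariaDB accounts: an account with an empty Password and empty
# authentication_string is only acceptable when its plugin hands
# authentication to the OS (unix_socket / auth_socket) or to PAM.
# Input is the tab-separated output of
#   mysql -N -B -e "SELECT user,host,plugin,password,authentication_string FROM mysql.user"
# Prints "user@host" for each account with no password and no such plugin;
# returns 0 when none are found, 1 otherwise.
# (Helper written for this example, not part of Plesk or MariaDB.)
audit_accounts() {
    printf '%s\n' "$1" | awk -F'\t' '
        # fields: 1 user, 2 host, 3 plugin, 4 password hash, 5 authentication_string
        $4 != "" || $5 != "" { next }                                       # has a password hash
        $3 == "unix_socket" || $3 == "auth_socket" || $3 == "pam" { next }  # OS/PAM-backed auth
        { print $1 "@" $2; risky = 1 }
        END { exit risky ? 1 : 0 }'
}

# Constructed sample resembling a fresh Debian 10 MariaDB under Plesk:
#  - root@localhost:   no password, unix_socket plugin (the case from this thread)
#  - admin@localhost:  Plesk's own account, protected by a password hash
#  - legacy@localhost: no password and the default native plugin -> truly open
SAMPLE_USERS="$(printf 'root\tlocalhost\tunix_socket\t\t\nadmin\tlocalhost\tmysql_native_password\t*PLACEHOLDERHASH\t\nlegacy\tlocalhost\t\t\t')"

# On a real server (run as OS root, which the socket plugin trusts):
#   audit_accounts "$(mysql -N -B -e 'SELECT user,host,plugin,password,authentication_string FROM mysql.user')"
audit_accounts "$SAMPLE_USERS" || echo "open accounts found (see list above)"
```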
 