• 4
Votes
name
name Punditsdkoslkdosdkoskdo

What is a debian-sys-maint MySQL users (and more)?

I have been bitten several times by the 'debian-sys-maint' user that is installed by default on the mysql-server packages installed from the Ubuntu repositories.

Generally what happens is I pull a fresh copy of our production database (which is not running on Debian/Ubuntu) for troubleshooting or new development and forget to exclude the mysql.user table hence losing the debian-sys-maint user.

If we add new mysql users for whatever reason, I have to 'merge' these into my development environment as opposed to just overlaying the table.

Without the user my system still seems functional, but plagued with errors such as:

sudo /etc/init.d/mysql restart
Stopping MySQL database server: mysqld...failed.
error: 'Access denied for user 'debian-sys-maint'@'localhost' (using password: YES)'
  • What is debian-sys-maint used for?
    • Is there a better way for the package maintainers to do what they're trying to do?
  • What is the easiest way to restore it after I've lost it?
  • What is the correct/minimal set of privileges for this user?
    • Seems like poor idea to 'grant all privileges on *.* ...'

Edit

Additional question - Is the password in /etc/mysql/debian.cnf already hashed or is this the plaintext password? It matters when you go to recreate the user and I never seem to get it right on the first try.

Thanks

I wanted to just comment, but I think correct syntax deserves it's own entry. This will create the debian-sys-maint user:

mysql> GRANT ALL PRIVILEGES on *.* TO 'debian-sys-maint'@'localhost' IDENTIFIED BY 'plaintextpassword' WITH GRANT OPTION; FLUSH PRIVILEGES;

If you still have the /etc/mysql/debian.cnf file, just use the password in there.

Feel free to come up with a more paranoid secure solution.

  • 0
Reply Report

The problem is, your GRANT statement uses IDENTIFIED BY PASSWORDclause, and in this case mysql expect to get a hashed password, not a plaintext one.

Use IDENTIFIED BY 'your password' instead, if you wish to supply a plaintext password.

  • 0
Reply Report

What is debian-sys-maint used for?

By default it is used for telling the server to roll the logs. It needs at least the reload and shutdown privilege.

See the file /etc/logrotate.d/mysql-server

It is used by the /etc/init.d/mysql script to get the status of the server. It is used to gracefully shutdown/reload the server.

Here is the quote from the README.Debian

* MYSQL WON'T START OR STOP?:
=============================
You may never ever delete the special mysql user "debian-sys-maint". This user
together with the credentials in /etc/mysql/debian.cnf are used by the init
scripts to stop the server as they would require knowledge of the mysql root
users password else.

What is the easiest way to restore it after I've lost it?

The best plan is to simply not lose it.

You could use a command like this to build a SQL file that you can use later to recreate the account.

mysqldump --complete-insert --extended-insert=0 -u root -p mysql | grep 'debian-sys-maint' > debian_user.sql

Is the password in /etc/mysql/debian.cnf already hashed

The password is not hashed.

  • 4
Reply Report