In order to log in to MariaDB to secure it, we'll need the current password for the root user. If you've just installed MariaDB, and haven't set the root password yet, you should just press enter here.
I haven't set a root password, so I pressed enter. All that happened is the dialogue box repeated itself as if I entered an incorrect password.
Must be logged in as the root user to enter empty password
Related
I'm trying to disable root login without password with the new version of MariaDB.
Usually, I set the auth plugin for root to "". But it's not working anymore
ERROR 1356 (HY000): View 'mysql.user' references invalid table(s) or column(s) or function(s) or definer/invoker of view lack rights to use them
I tried to use ALTER USER but I've only succeed to set plugin to unix_socket or mysql_native_password
How can I resolve that ?
Thank's a lot.
Regards.
I solved this problem by following steps:
Using command SHOW GRANTS FOR 'root'#'localhost';
If you see a line similar to this one
GRANT ALL PRIVILEGES ON . TO root#localhost IDENTIFIED VIA
mysql_native_password USING
'A_HASH_PASSWORD' OR unix_socket WITH GRANT
OPTION
That means your root user can be authenticated by 2 methods password or unix_socket.
Now you can use command
GRANT ALL PRIVILEGES ON *.* TO `root`#`localhost` IDENTIFIED BY 'YOUR_RAW_PASSWORD' WITH GRANT OPTION;
FLUSH FLUSH PRIVILEGES;
Problem solved!
If you look at show create user for root you'll see that both mysql_native_password and unix_socket exist as plugin types.
unix_socket will allow the root unix user login without a password. Insecure? Not really, they can manipulate and access database files already.
mysql_native_password is there, but the password there is invalid. No password exists that is usable so you cannot login with this plugin by default. This is there so that if you really want, you can set a password (using SET PASSWORD) to login to the root user from a non-root unix user. This inherently make it less secure as there is another access mechanism.
After I establish and user and set their password, is there a way to have users reset their passwords on login? I'd like the password I set for them to be temporary.
Thanks!
When you sign up your user, make something that says that their password is temporary (such as a field in the database that's an int with either 0 or 1). When they log in, it should check the field for if the password is temporary, and if it is, then ask them for their real password and use the UPDATE statement to update their password. If it isn't, continue normally.
How can I switch user using su command and adding password from file ?
I want to make a script which will automatically switch the user, having the user and the password ,without manually typing the password.
Note: I don't have super user rights.
To switch to an admin user(root) in unix I use :
sudo su -
so now I'm an admin user with admin privilages. To achieve same in windows I would need to login with an admin password before becomming an admin.
Why is this different in unix ? I'm a unix newbie so maybe there is something more going on that I am not aware of ?
I will use admin and root interchangeable for explaining the following:
When you use sudo su, you are basically saying "use my permission in the sudoers file and log me in to the root user."
When you use sudo, you are basically saying "use my permission for current user (who is in sudoers file) and execute the following command which comes after sudo."
Sudoers file is a file that defines the permission for various users in UNIX and Linux and whether or not they can run commands as sudo (super user do).
When you use su, you are saying "start a new session and log me in as root directly, without checking sudoers files, and I will provide the credentials (password)."
The difference in UNIX is the management of the admin account. Root exists for the entire system. All users are allowed to log into root if they provide the correct credentials. For all accounts, any user can run things as though the user is root (su) by adding the particular user account to the sudoers file. This means that any user account can execute sudo commands as if it was an admin account by only providing the user's password. And the user does not have to know the root password. It basically says: "I know what I am doing, let me do it." And it means that a user can execute as both a regular user and admin in one session, without having to log in and log out of accounts.
While in Windows, the admin management is handled differently. A sudoer file does not exist in Windows. A user is either administrator or not. However, if the user is administrator, he can still run things as a normal user without going to OS permissions right-clicking an doing Run as administrator. Also, there is no overall root account for Windows unless it was set by whoever set up the system.
The way admin privileges are managed is different, nothing else.
Hmm... I'm not sure I'm understanding your question, but here is my answer:
When you write sudo su - (or sudo -s), you'll be asked your current user password. If that user doesn't have the privileges to perform sudo tasks, you won't be able to do that.
You're saying:
...I would need to login with an admin password before becomming an admin.
As I said, your user is kind of an admin one, because someone gave you that privilege (either by adding you to the sudoers file, adding you to the adm group, etc).
if you want to be root on unix and have the root password you can do
su - which is the same as su - root.
Back in the day you had the option to login as root aka admin but that has gone away due to security reasons. Now you are required to login as yourself and then become root.
In the windows world this is the same as logging in as a non-privledged user and running a program as administrator. When you do this in windows you will also be prompted for the admin password. Basicly the same thing in unix.
The reason for the sudo is because most places dont want a user to have the root password.
sudo su - will prompt you for your personal unix password not root's. And then check the sudoconfig to make sure you are allowed to run that command.
sudo also has the abilty to give a user very restricted access. It can be set up so only certain users or groups can run specfic commands as root or other users.
In addtional to making sure you are allowed to run the command it will also keep a log as to who ran what. Or if someone is trying to become root who is not allowed.
If the account does not have "user must change at next login" checked, I can change the password.
However, if the box is checked, I get a bad password error when I try to access the user.
LogOnUser() returns the correct error code so I know the user must change their password.
As Joe Kaplan says here (back in 2004), I can't bind to the user to be able to change their passwords.
It's the same issue whether using AccountManagement/PrincipalContext or DirectoryEntry/DirectorySearcher.
I did this on a project at my last position. Rather than to try to bind to the user with their own credentials, we set up an AD account with only the rights to make the password change.
So, once you have the error code indicating that the user must change their password, ask for the new password, grab the user as admin, and make the change.
As I recall, we had to pass the admin username and password explicitly to make it work, rather than relying on the credentials the code was running under.
For security, we stored an encrypted copy of the limited admin username and password in the registry, and decrypted it when we were making the call.
Code will be something like this:
PrincipalContext dc = new PrincipalContext(ContextType.Domain,
"www.yourdomain.com", "dc=yourdomain,dc=com",
ContextOptions.SimpleBind, "AdminUserName", "AdminPassword");
UserPrincipal usr = UserPrincipal.FindByIdentity(dc,
"UserWhoNeedsPasswordChanged");
usr.ChangePassword("oldPass", "newPass");