Security Enhancement in MySQL 5.7

SECURITY ENHANCEMENT IN MYSQL 5.7


MySQL 5.7 has more security enhancements. Some features were removed and some features are added. A temporary password will be generated at time of installation. It contains 12 characters with alpha-numeric characters for security purposes. In mysql.user table old_password field is removed and password field has changed as authendication_string. All anonymous-user accounts were removed . It will not create test database.

  • Temporary Password on Installation
  • Empty Password
  • Password Expiry

Temporary Password on Installation:
RPM installation :

Needed rpm’s are to install mysql 5.7

rpm -ivh mysql-community-libs-5.7.8-0.2.rc .fc21.x86_64.rpm
rpm -ivh mysql-community-devel-5.7.8-0.2.rc .fc21.x86_64.rpm

rpm -ivh mysql-community-client-5.7.8-0.2.rc .fc21.x86_64.rpm

rpm -ivh mysql-community-common-5.7.8-0.2.rc .fc21.x86_64.rpm

rpm -ivh mysql-community-server-5.7.8-0.2.rc.fc21.x86_64.rpm

[root@lab1.mydbops.com ~]# rpm -ivh mysql-community-common-5.7.8-0.2.rc.fc21.x86_64.rpm

warning: mysql-community-common-5.7.8-0.2.rc.fc21.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 5072e1f5: NOKEY

Preparing… ################################# [100%]

Updating / installing…

1:mysql-community-common-5.7.8-0.2.################################# [100%]

[root@lab1.mydbops.com ~]# rpm -ivh mysql-community-libs-5.7.8-0.2.rc.fc21.x86_64.rpm

warning: mysql-community-libs-5.7.8-0.2.rc.fc21.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 5072e1f5: NOKEY

Preparing… ################################# [100%]

Updating / installing…

1:mysql-community-libs-5.7.8-0.2.rc################################# [100%]

[root@lab1.mydbops.com ~]# rpm -ivh mysql-community-client-5.7.8-0.2.rc.fc21.x86_64.rpm

warning: mysql-community-client-5.7.8-0.2.rc.fc21.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 5072e1f5: NOKEY

Preparing… ################################# [100%]

Updating / installing…

1:mysql-community-client-5.7.8-0.2.################################# [100%]

[root@lab1.mydbops.com ~]# rpm -ivh mysql-community-devel-5.7.8-0.2.rc.fc21.x86_64.rpm

warning: mysql-community-devel-5.7.8-0.2.rc.fc21.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 5072e1f5: NOKEY

Preparing… ################################# [100%]

Updating / installing…

1:mysql-community-devel-5.7.8-0.2.r################################# [100%]

[root@lab1.mydbops.com ~]# rpm -ivh mysql-community-server-5.7.8-0.2.rc.fc21.x86_64.rpm

warning: mysql-community-server-5.7.8-0.2.rc.fc21.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 5072e1f5: NOKEY

Preparing… ################################# [100%]

Updating / installing…

1:mysql-community-server-5.7.8-0.2.################################# [100%]

After installing the those rpm’s start the mysql using systemctl.

[root@lab1.mydbops.com ~]# service mysqld start

Redirecting to /bin/systemctl start mysqld.service

The password for the root has to be fetched from the MySQL log file (/var/log/mysqld.log )

Log Error :

2015-11-18T04:26:59.579992Z 0 [Warning] InnoDB: New log files created, LSN=45790

2015-11-18T04:27:00.007312Z 0 [Warning] InnoDB: Creating foreign key constraint system tables.

2015-11-18T04:27:00.264807Z 0 [Warning] No existing UUID has been found, so we assume that this is the first time that this server has been started. Generating a new UUID: 9c686910-8dac-11e5-97a4-fcaa14bf47d3.

2015-11-18T04:27:00.304861Z 0 [Warning] Gtid table is not ready to be used. Table ‘mysql.gtid_executed’ cannot be opened.

2015-11-18T04:27:00.316300Z 0 [Warning] Failed to setup SSL

2015-11-18T04:27:00.316342Z 0 [Warning] SSL error: SSL context is not usable without certificate and private key

2015-11-18T04:27:00.317072Z 1 [Warning] A temporary password is generated for root@lab1.mydbops.com: db4=wlt(tdsI

2015-11-18T04:27:19.122724Z 0 [Note] InnoDB: PUNCH HOLE support available

2015-11-18T04:27:19.122772Z 0 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins

2015-11-18T04:27:19.122779Z 0 [Note] InnoDB: Uses event mutexes

2015-11-18T04:27:19.122785Z 0 [Note] InnoDB: GCC builtin __atomic_thread_fence() is used for memory barrier

2015-11-18T04:27:19.122790Z 0 [Note] InnoDB: Compressed tables use zlib 1.2.3

2015-11-18T04:27:19.122800Z 0 [Note] InnoDB: Using Linux native AIO

2015-11-18T04:27:19.123004Z 0 [Note] InnoDB: Number of pools: 1

2015-11-18T04:27:19.123080Z 0 [Note] InnoDB: Using CPU crc32 instructions

2015-11-18T04:27:19.128566Z 0 [Note] InnoDB: Initializing buffer pool, total size = 128M, instances = 1, chunk size = 128M

………

………

2015-11-18T04:27:19.800293Z 0 [Note] Event Scheduler: Loaded 0 events

2015-11-18T04:27:19.800569Z 0 [Note] /usr/sbin/mysqld: ready for connections.

Version: ‘5.7.8-rc’ socket: ‘/var/lib/mysql/mysql.sock’ port: 3306 MySQL Community Server (GPL)

MySQL server will prompt for a password reset after the first login. It is mandatory.

mysql> \s
ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.
mysql> alter user 'root'@'lab1.mydbops.com' identified by 'xxxxxxxx';
Query OK, 0 rows affected (0.06 sec)
mysql> \s

————–

mysql Ver 14.14 Distrib 5.7.8-rc, for Linux (x86_64) using EditLine wrapper

Connection id : 2

Current database :

Current user : root@lab1.mydbops.com

SSL : Not in use

Current pager : stdout

Using outfile : ”

Using delimiter : ;

Server version : 5.7.8-rc

Protocol version : 10

Connection : lab1.mydbops.com via UNIX socket

Server characterset : latin1

Db characterset : latin1

Client characterset : utf8

Conn. Characterset : utf8

UNIX socket : /var/lib/mysql/mysql.sock

Uptime : 2 min 39 sec

Threads: 1 Questions: 7 Slow queries: 0 Opens: 106 Flush tables: 1 Open tables: 99 Queries per second avg: 0.044

There is no test database in mysql 5.7 which was there until MySQL 5.6. Now we have sys (sys-schema) and additional tool to help DBA’s.

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
4 rows in set (0.04 sec)

Empty Password :

By default you cannot create a user without a password in mysql 5.7. It shows error.

mysql> create user ‘mydbops_lab’@’lab1.mydbops.com’;

ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

The variables to control password policy.

mysql> SHOW VARIABLES LIKE ‘validate_password%’;

+--------------------------------------+--------+
| Variable_name | Value |
+--------------------------------------+--------+
| validate_password_dictionary_file | |
| validate_password_length | 8 |
| validate_password_mixed_case_count | 1 |
| validate_password_number_count | 1 |
| validate_password_policy | MEDIUM |
| validate_password_special_char_count | 1 |
+--------------------------------------+--------+

The password policy enforced by the validate_password plugin. This variable is unavailable unless that plugin is installed.

The validate_password_policy value can be specified using numeric values 0, 1, 2, or the corresponding symbolic values LOW, MEDIUM, STRONG. The following table describes the tests performed for each policy. For the length test, the required length is the value of the validate_password_length system variable. Similarly, the required values for the other tests are given by other validate_password_xxx variables.

Policy

Tests Performed

0 or LOW Length
1 or MEDIUM Length; numeric, lowercase/uppercase, and special characters
2 or STRONG Length; numeric, lowercase/uppercase, and special characters; dictionary file

By changing the default values you can create a user without password

mysql> set global validate_password_policy=LOW;

Query OK, 0 rows affected (0.04 sec)

mysql> set global validate_password_mixed_case_count=0;

Query OK, 0 rows affected (0.00 sec)

mysql> set global validate_password_number_count=0;

Query OK, 0 rows affected (0.00 sec)

mysql> set global validate_password_special_char_count=0;

Query OK, 0 rows affected (0.00 sec)

mysql> set global validate_password_length=0;

Query OK, 0 rows affected (0.00 sec)

#After resetting the variables

mysql> SHOW VARIABLES LIKE ‘validate_password%’;

+————————————–+——-+

| Variable_name | Value |

+————————————–+——-+

| validate_password_dictionary_file | |

| validate_password_length | 0 |

| validate_password_mixed_case_count | 0 |

| validate_password_number_count | 0 |

| validate_password_policy | LOW |

| validate_password_special_char_count | 0 |

+————————————–+——-+

mysql> create user ‘mydbops_lab’@’lab1.mydbops.com’;

Query OK, 0 rows affected (0.12 sec)

Now IF NOT EXISTS clause can supported for create, drop, alter the user also.

mysql> create user if not exists ‘mydbops_lab’@’lab1.mydbops.com’;

Query OK, 0 rows affected, 1 warning (1.97 sec)

mysql> show warnings;

+——-+——+—————————————–+

| Level | Code | Message |

+——-+——+—————————————–+

| Note | 3163 | User ‘mydbops_lab’@’lab1.mydbops.com’ already exists. |

+——-+——+—————————————–+

1 row in set (0.00 sec)

mysql> create user if not exists ‘host’@’lab1.mydbops.com’;

Query OK, 0 rows affected (0.09 sec)

mysql> drop user if exists ‘mydbops_lab’@’lab1.mydbops.com’;

Query OK, 0 rows affected (0.00 sec)

mysql> create user if not exists ‘mydbops_lab’@’lab1.mydbops.com’;

Query OK, 0 rows affected (0.00 sec)

The mysql.user.password filed is now changed to authentication_string for better describe the current usage.

Screen Shot 2015-12-21 at 9.57.24 AM

Extra added columns are

  • password_last_changed
  • password_lifetime
  • account_locked

password_last_changed – It shows the date and time of last changed password

password_lifetime – It shows the password expire time

account_locked – It shows whether the user is locked or not

Password Expiry :

All users in MySQL 5.7 has lifetime of only 365 days by default. After the expiry the user exists inside mysql but the access is restricted . The user ‘mydbops_lab’ has set the password_lifetime as 90 days

mysql> ALTER USER 'mydbops_lab'@'lab1.mydbops.com' PASSWORD EXPIRE INTERVAL 90 DAY;
mysql> select user,host,password_last_changed,password_lifetime,account_locked from mysql.user where user="mydbops_lab";
+------+-----------+-----------------------+-------------------+----------------+
| user | host | password_last_changed | password_lifetime | account_locked |
+------+-----------+-----------------------+-------------------+----------------+
| mydbops_lab | lab1.mydbops.com | 2015-11-18 15:59:14 | 90 | N |
+------+-----------+-----------------------+-------------------+----------------+

mysql> alter user ‘mydbops_lab’@’lab1.mydbops.com’ account lock;

mysql> select user,host,password_last_changed,password_lifetime,account_locked from mysql.user where user=”mydbops_lab“;

+——+———–+———————–+——————-+—————-+

| user | host | password_last_changed | password_lifetime | account_locked |

+——+———–+———————–+——————-+—————-+

|mydbops_lab | lab1.mydbops.com | 2015-11-18 15:59:14 | 90 | Y |

+——+———–+———————–+——————-+—————-+

Advertisements

One thought on “Security Enhancement in MySQL 5.7

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s