
I never thought about this before. I use a password manager for all my accounts (web/server-admin/etc).

But today I was reading about installing a Nextcloud in a Debian server, and it's stated:

You should save your MariaDB root username and password in a .my.cnf file, as this will enable you to log in to MariaDB and execute SQL commands without a password prompt.

@ How to Install Nextcloud 12 Server on Debian 9 with HTTPS

Should I?

Looking for an answer to this question, I found this: mysql root password - where should it be stored?, where they imply this is a normal situation.

I already ran the mysql_secure_installation script. So, the root password is already changed. Should I put this password in this /root/.my.cnf file?

Is there more information about this somewhere? I find it really difficult to believe: storing a password in plain text on my server seems a very bad idea to me.

Update: I think it wasn't clear enough. My mistake. So, I would like to clarify: I'm not logged in to my server as root. In fact, it is disabled; I have my user within the sudoers group. And I create a database user for each database I'm creating within the server. As I already stated: I ran the script to secure the database.

f-spin
    You shouldn't work as root for DB admin tasks to begin with... – Sven Jan 10 '18 at 15:45
  • @Sven I think I was not clear enough. My apologies. But no, I'm not working on it as root. Neither as a root user, nor do I use my databases as the root user. – f-spin Jan 10 '18 at 15:59
  • In that case, doing this is useless anyway. This file gets read if you start `mysql` as root. If you start it as another user, e.g. `fspin`, the file would need to be `~/fspin/.my.cnf`. – Sven Jan 10 '18 at 16:02

3 Answers


I'd personally consider it bad advice, for a variety of reasons.

  • You usually shouldn't be in as root.
  • Even if you were, you usually shouldn't be in as MySQL's root.
  • Even if you were, you should be using a password manager or a SQL client that supports secure saving of passwords instead.

The convenience here isn't worth the security tradeoffs, and it is only convenient if you've already adopted some other insecure practices anyway.

ceejayoz
  • The password manager is only a place to store my passwords. As I have several experiments running on different servers with different databases, I just store all my passwords there, @ceejayoz. Otherwise I would not be able to remember all these passwords. – f-spin Jan 10 '18 at 16:07
  • @f-spin Yeah, a good password manager is invaluable. I'm glad your gut feeling was "noooooope" when you read that tutorial's advice, and I'm glad you ignored its advice to run as root. – ceejayoz Jan 10 '18 at 16:27

You can store the root password elsewhere; your normal password manager seems a useful place. Simply enter it whenever you need to log in as the MariaDB root user, which is probably not all that frequent once the database server has been configured.

I don't know if MariaDB is compatible with the MySQL feature of storing your credentials encrypted with the MySQL Config Editor in a ~/.mylogin.cnf, but that might be one option if you do want to store passwords on the server.

Alternatively, enabling the socket authentication plugin for the root user (or your own user), where MariaDB trusts the operating system credentials received over the socket and does not rely on a password (either submitted or stored in a plain text file), might be an option.

HBruijn
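To make the two points above concrete (the tutorial's advice in the question to keep root's credentials in a .my.cnf, and HBruijn's suggestion of socket authentication instead), here is an added example script. It is not code from the thread, the linked tutorial or MariaDB; it is an editorial addition. `audit_mycnf` refuses a .my.cnf that holds a plaintext password unless the file is owned by the invoking user and is mode 0600 (or 0400), and warns when the stored login is the database root account. `socket_auth_sql` prints the MariaDB statements that move root to unix_socket authentication so there is no root password to store at all, plus a least-privilege per-application user. The database and user name `nextcloud`, the password `change-me`, the sample credential `hunter2` and the temporary file are placeholders constructed for the demo; the `ALTER USER ... IDENTIFIED VIA` syntax assumes MariaDB 10.2 or later.

```shell
#!/bin/sh
# Added example for this thread, not code from the tutorial, the answers or
# MariaDB itself. Two helpers around the "put the MariaDB root password in
# ~/.my.cnf" advice:
#   audit_mycnf FILE  - refuse a .my.cnf that stores a plaintext password
#                       unless it is owned by the invoking user and is mode
#                       0600/0400; warn if the stored login is root.
#   socket_auth_sql   - MariaDB statements that switch root to unix_socket
#                       authentication (nothing to store) and create a
#                       least-privilege per-application user.
# Assumptions (placeholders): MariaDB 10.2+ for ALTER USER; "nextcloud",
# 'change-me' and 'hunter2' are made up for the demo and must be edited.
set -u

# Octal mode and numeric owner uid; GNU stat first, BSD stat as fallback.
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u'  "$1"; }

# Returns 0 if FILE may be used as a client config, 1 if it must not be.
audit_mycnf() {
    f=$1
    rc=0
    [ -f "$f" ] || { echo "no such file: $f"; return 1; }
    # Only a file carrying a password= line needs scrutiny.
    if grep -Eq '^[[:space:]]*password[[:space:]]*=' "$f"; then
        echo "finding: plaintext password stored in $f"
        mode=$(file_mode "$f")
        owner=$(file_owner "$f")
        if [ "$mode" != "600" ] && [ "$mode" != "400" ]; then
            echo "fail: mode $mode; other local users can read the password (need 0600)"
            rc=1
        fi
        if [ "$owner" != "$(id -u)" ]; then
            echo "fail: owned by uid $owner, not uid $(id -u); the client only reads the invoking user's ~/.my.cnf"
            rc=1
        fi
        if grep -Eq '^[[:space:]]*user[[:space:]]*=[[:space:]]*root[[:space:]]*$' "$f"; then
            echo "warn: this file logs in as the database root account; prefer unix_socket auth"
        fi
    fi
    return $rc
}

# Statements to run once, as the OS root user over the local socket.
socket_auth_sql() {
    cat <<'EOF'
-- Load the plugin only if SHOW PLUGINS does not already list unix_socket:
-- INSTALL SONAME 'auth_socket';
-- root may now only log in as the OS user root over the local socket.
ALTER USER 'root'@'localhost' IDENTIFIED VIA unix_socket;
-- Per-application account: its own password, rights on one schema only.
CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4;
CREATE USER IF NOT EXISTS 'nextcloud'@'localhost' IDENTIFIED BY 'change-me';
GRANT ALL PRIVILEGES ON nextcloud.* TO 'nextcloud'@'localhost';
-- Verify: root should show plugin unix_socket.
SELECT user, host, plugin FROM mysql.user WHERE user IN ('root', 'nextcloud');
EOF
}

# Constructed sample: exactly the kind of file the tutorial asks for.
write_sample_mycnf() {
    printf '[client]\nuser=root\npassword=hunter2\n' > "$1"
}

demo() {
    tmp=$(mktemp -d)
    write_sample_mycnf "$tmp/.my.cnf"
    chmod 644 "$tmp/.my.cnf"          # what a default umask of 022 leaves you with
    if audit_mycnf "$tmp/.my.cnf"; then echo "ok"; else echo "=> rejected"; fi
    chmod 600 "$tmp/.my.cnf"
    if audit_mycnf "$tmp/.my.cnf"; then echo "=> acceptable, but still a plaintext root credential"; fi
    rm -rf "$tmp"
    echo "--- run once as root over the local socket:"
    socket_auth_sql
}
demo
```

Usage: `. ./mycnf_check.sh` and call `audit_mycnf ~/.my.cnf` before trusting any such file; the mode check matters because the client silently ignores a world-writable config but happily reads a world-readable one. To drop the stored root password entirely, feed the SQL to the server one last time with the password (`socket_auth_sql | mysql -u root -p`) and afterwards use `sudo mysql` for root-level work, keeping the per-application credential in your password manager and in the application's own config only.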

Personally, I'd always err on the side of caution and only do that in cases where you don't mind if the information that's supposed to be secured by the password is exposed or otherwise completely destroyed by a malicious user.

Justa Guy