
produce managed file with mysql root acces from salt module related to pillar root_password #120

Open
Sylvain303 opened this issue May 19, 2016 · 3 comments

Comments

@Sylvain303

When you install this formula you may expect that the defined password for mysql's root on the managed server will be available on the salt master for mysql module calls:

    salt 'db*' mysql.db_list
    salt 'db*' mysql.user_create bob 10.0.0.3 pipo
    # etc.

It requires having set up in /etc/salt/minion, as said in the doc above:

    mysql.host: 'localhost'
    mysql.port: 3306
    mysql.user: 'root'
    mysql.pass: 'S3retPass4root!'
    mysql.db: 'mysql'
    mysql.unix_socket: '/tmp/mysql.sock'
    mysql.charset: 'utf8'

or

    mysql.default_file: '/etc/mysql/debian.cnf'

I propose to use the second form in the file /root/.my.cnf.

I accomplished a prototype here: server.sls

I will post more in this ticket about security, and sum up the discussion in the #salt IRC channel.

@Sylvain303

Sylvain303 commented May 19, 2016

Wouldn't it leak the mysql root passwords?

No more than in the pillar, or in other places where you may need to store it:

  • root password is stored in the debconf database as well, as seen in Adapt for MariaDB #43
  • on debian, you can have root privileges with: mysql --defaults-file=/etc/mysql/debian.cnf mysql
  • also by restarting the mysql server without grant tables:
      • service mysql stop
      • /usr/bin/mysqld_safe --skip-grant-tables

A person who has root on that box does not necessarily know the MySQL root password:
Drawback: it exposes the root password to any root shell user.

A boolean in the pillar will be required to enable this feature.

(pillar suggestion)

    mysql:
      server:
        enable_root_my_cnf: True

Any security suggestions are welcome.

@Sylvain303

Sylvain303 commented May 27, 2016

Another way to fetch mysql's root password with shell root access:

for an admin knowing the pillar structure, it can be fetched on the minion:

    salt-call config.get mysql:server:root_password

Also, the following confirms that the debian-sys-maint user has all privileges on debian jessie, mariadb 10.0; here is the SQL query for creating this system user:

from: /var/lib/dpkg/info/mariadb-server-10.0.postinst

    replace_query=`/bin/echo -e \
        "USE mysql;\n" \
        "SET sql_mode='';\n" \
        "REPLACE INTO user SET " \
        "  host='localhost', user='debian-sys-maint', password=password('$pass'), " \
        "  Select_priv='Y', Insert_priv='Y', Update_priv='Y', Delete_priv='Y', " \
        "  Create_priv='Y', Drop_priv='Y', Reload_priv='Y', Shutdown_priv='Y', " \
        "  Process_priv='Y',  File_priv='Y', Grant_priv='Y', References_priv='Y', " \
        "  Index_priv='Y', Alter_priv='Y', Super_priv='Y', Show_db_priv='Y', "\
        "  Create_tmp_table_priv='Y', Lock_tables_priv='Y', Execute_priv='Y', "\
        "  Repl_slave_priv='Y', Repl_client_priv='Y', Create_view_priv='Y', "\
        "  Show_view_priv='Y', Create_routine_priv='Y', Alter_routine_priv='Y', "\
        "  Create_user_priv='Y', Event_priv='Y', Trigger_priv='Y',"\
        "  ssl_cipher='', x509_issuer='', x509_subject='';"`;

Which can be reset, simply by:

    GRANT ALL ON *.* TO 'debian-sys-maint'@'localhost' IDENTIFIED BY 'password from debian.cnf' WITH GRANT OPTION;

@Sylvain303

Another case where the password is visible, and could be hidden:

    salt-call -ldebug state.apply mysql.database

can output

          ID: mysql_db_0_load
    Function: cmd.wait
        Name: mysql -u root -hlocalhost -psomepass foo < /etc/mysql/foo.schema
      Result: False
     Comment: One or more requisite failed: mysql.database.mysql_db_0_schema
     Started: 
    Duration: 
     Changes:  
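As an added example (not code from the formula or the author's server.sls), here is one way to combine the two points raised in this thread in a state: /root/.my.cnf is written only when the pillar boolean is set, with a root-only mode and its diff kept out of state output, and the schema-load command reads its credentials from that file instead of passing -p on the command line, so the password no longer shows up in the state's Name field. The state IDs, the pillar keys mysql:server:root_password and mysql:server:enable_root_my_cnf, and the salt:// source path are assumptions for this example.

```yaml
{# Added example, not part of the mysql-formula.                       #}
{# Assumed pillar keys: mysql:server:root_password and                 #}
{# mysql:server:enable_root_my_cnf (the boolean proposed above).       #}
{% set server = salt['pillar.get']('mysql:server', {}) %}

# Hypothetical schema file; the formula would manage it elsewhere.
mysql_db_0_schema:
  file.managed:
    - name: /etc/mysql/foo.schema
    - source: salt://mysql/files/foo.schema

{% if server.get('enable_root_my_cnf', False) %}
# Credentials file readable by root only; the diff is suppressed so the
# password is not echoed in state.apply output.
mysql_root_my_cnf:
  file.managed:
    - name: /root/.my.cnf
    - user: root
    - group: root
    - mode: '0600'
    - show_changes: False
    - contents: |
        [client]
        user=root
        password={{ server.get('root_password', '') }}

# The mysql client reads user/password from /root/.my.cnf, so "Name:"
# in the state output carries no -p argument.
mysql_db_0_load:
  cmd.wait:
    - name: mysql --defaults-extra-file=/root/.my.cnf -hlocalhost foo < /etc/mysql/foo.schema
    - require:
      - file: mysql_root_my_cnf
    - watch:
      - file: mysql_db_0_schema
{% endif %}
```

show_changes: False only hides the file diff; the rendered SLS can still appear in a -ldebug log, so that log level is its own exposure to keep in mind.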
