Issue Plesk Obsidian Installation on Debian 10.9 creates MySQL/MariaDB-Root user root@localhost without password

JensKillus

New Pleskian
I've installed Plesk Obsidian 18.0.34 (Update 2) on a fresh Debian Server with Debian 10.9. No other software than OpenSSH was installed on the server. I've installed Plesk by the one click installer:

# sh <(curl https://autoinstall.plesk.com/one-click-installer || wget -O - https://autoinstall.plesk.com/one-click-installer)

When installation was complete I noticed that in addition to the MySQL/MariaDB account admin@localhost, which is used by Plesk for database access, there was also created an account root@localhost with no password. This is a severe security flaw, because every shell user can log into the database server with full administrative privileges.
 
I didn't know that MariaDB comes with Plesk. Normally, it is installed on the operating system level before you start the Plesk installation. Plesk does not create a root user on MariaDB, and so far I have not seen MariaDB as a component of Plesk. Is that something new that can now be selected during installation?
 
Hi Peter. Debian moved from MySQL to MariaDB in Debian 9 "Stretch". In Debian package management MariaDB is marked as the default MySQL server, so when Plesk installs MySQL, MariaDB will be selected and installed. In Plesk component management there is no option for changing the type of MySQL server. Seems to me that the Debian postinstall script for MariaDB lacks the opportunity to secure the root account with a password and Plesk inherits this security flaw.
 
Are you sure that MariaDB is installed with Plesk during the Plesk installation process? It seems to me that the database server is rather something that must pre-exist on the machine before you can do a Plesk installation on the machine. Isn't it rather necessary to install a password for the pre-existing database server in the database server independently from Plesk?
 
It's not a security risk, because this root user does use socket based auth, instead of a password - heck it's considered to be even more secure than using a password after all.

This behavior is also the default for any Debian 9 or 10 you install MariaDB on, regardless of Plesk or not.

It's also not true that "every shell user can logon"
Yes, you may be able to log into MariaDB without a password when you are logged in as root on your server - but that is the whole idea behind that socket based auth, isn't it?
 
Hello ChristophRo. Thanks for the clarification, you are right. I've checked this, MariaDB socket auth plugin is installed, so the missing password is not a security risk, because auth is bound to PAM.
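
The thread turns on one distinction: an empty password is only a problem when the account is not using the unix_socket plugin. The script below is an added example, not code from the thread or from Plesk. It audits mysql.user rows for accounts that need neither a password nor an OS identity, runs offline against constructed sample rows, and with --live queries the real server. Assumptions: MariaDB 10.3 column names (plugin, Password, authentication_string) as shipped with Debian 10, and Plesk's admin password stored in /etc/psa/.psa.shadow.

```shell
#!/bin/sh
# Added example (not from the thread or Plesk): audit mysql.user on a Debian 10 /
# MariaDB 10.3 Plesk host for accounts that accept a connection with no credential.
# An empty password is only exploitable when the account is NOT socket-authenticated:
# the unix_socket plugin asks the kernel (SO_PEERCRED) which OS user is on the other
# end of the socket, so root@localhost with plugin=unix_socket is reachable only by a
# process already running as OS root, not by "every shell user".
# Assumptions: MariaDB 10.3 column names (plugin, Password, authentication_string);
# the Plesk admin password is in /etc/psa/.psa.shadow.

# audit_rows: reads tab-separated "user host plugin credential" rows on stdin and
# prints user@host for every account that needs neither a password nor an OS identity.
audit_rows() {
    awk -F'\t' '
        {
            user = $1; host = $2; plugin = $3; cred = $4
            # MariaDB stores "" as the plugin for classic native-password accounts
            if (plugin == "") plugin = "mysql_native_password"
            # socket-authenticated accounts are bound to an OS uid: not a finding
            if (plugin == "unix_socket" || plugin == "auth_socket") next
            # anything else with an empty hash is open to anyone who can reach it
            if (cred == "") print user "@" host
        }'
}

# Constructed sample rows (not real server output): root secured by unix_socket,
# the Plesk admin account with a hash, a legacy account with an empty Password
# column, and an app account with no credential reachable from any host.
sample_rows() {
    printf 'root\tlocalhost\tunix_socket\t\n'
    printf 'admin\tlocalhost\tmysql_native_password\t*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29\n'
    printf 'legacy\tlocalhost\t\t\n'
    printf 'app\t%%\tmysql_native_password\t\n'
}

# audit_sample: run the audit over the constructed rows; expected findings are
# legacy@localhost and app@% only.
audit_sample() {
    sample_rows | audit_rows
}

# audit_live: run as OS root on the Plesk host. CONCAT merges the two columns in
# which MariaDB 10.3 may keep a hash (Password for native accounts set via
# SET PASSWORD, authentication_string for plugin accounts).
audit_live() {
    mysql -uadmin -p"$(cat /etc/psa/.psa.shadow)" -N -B -e \
        "SELECT user, host, plugin, CONCAT(password, authentication_string) FROM mysql.user" \
        | audit_rows
}

# Stand-alone run: audit the constructed sample; pass --live to query the real server.
if [ "${1:-}" = "--live" ]; then
    audit_live
else
    audit_sample
fi
```

The quickest manual cross-check of ChristophRo's point is to run `mysql -uroot` once as OS root and once as an unprivileged shell account: with plugin=unix_socket the first connects and the second is refused with "Access denied", even though no password is set anywhere.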
 