Possible bug in Debian 10 installation guide?

Discussion in 'ISPConfig 3 Priority Support' started by Jemt, Mar 8, 2020.

  1. Jemt

    Jemt Member HowtoForge Supporter

    Hi,
    Regarding the installation guide for a Perfect Debian 10 server with ISPConfig:
    https://www.howtoforge.com/perfect-server-debian-10-buster-apache-bind-dovecot-ispconfig-3-1/

    It asks to add the root password to /etc/mysql/debian.cnf
    But the file clearly states that it should not be modified by hand:
    # Automatically generated for Debian scripts. DO NOT TOUCH!

    In fact, it is already populated with a user called debian-sys-maint on my system. The system originates from Debian 7 but is now running Debian 10.

    I'm aware that the file is being used when installing RoundCube, but why not just pass in the credentials using -u and -p?
    Instead of
    echo "CREATE DATABASE roundcube;" | mysql --defaults-file=/etc/mysql/debian.cnf
    we could do
    echo "CREATE DATABASE roundcube;" | mysql -u root -p

    Does ISPConfig rely on the changes outlined in the installation guide or can I skip this step and instead use the alternative approach I described?

    Also, from the comments I can see that some users are having problems figuring out installation problems, not realizing they specified an incorrect password in the file. So if the changes to the file are absolutely necessary, perhaps add a verification step afterwards:
    echo "SELECT 'OK';" | mysql --defaults-file=/etc/mysql/debian.cnf

    I'd appreciate some feedback to make sure I'm not causing problems by skipping the changes to /etc/mysql/debian.cnf.

    - Thanks
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    There is no bug in the guide. The difference between your server and the guide is that you don't have a freshly installed Debian 10 system. And this modification is not made for the roundcube installation. The debian-sys-maint user on your server originates from Debian 7 and if it is there, leave it as it is. On Debian 10 systems, there is no such user created anymore and that's why the guide tells you to enter the MySQL root password there; otherwise, you won't be able to install any Debian packages which use MySQL anymore on a freshly installed Debian 10 after disabling the auto login for the shell root user.
     
    Jemt likes this.
  3. Jemt

    Jemt Member HowtoForge Supporter

    Thanks @till, appreciate it.
    I would have guessed that packages were installed with MySQL being temporarily started with --skip-grant-tables. Relying on a configuration file with a root password in clear text just seems wrong. But I don't have knowledge about the inner workings of Debian, so I trust you know what you are talking about.
    If I understand this correctly, this is all the result of the authentication plugin being changed for root, right?
    echo "update mysql.user set plugin = 'mysql_native_password' where user='root';" | mysql -u root
    Exactly where in the article do we rely on this later on? It seems we create a new user for PHPMyAdmin rather than using root.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    No, that's not the case.

    No, that's absolutely fine as the only user who can read it is the Linux root user. When someone already has root access, he can do anything on this server. Btw, the sys-maint user as used in older Debian versions has similar permissions to the root user and its username is stored, and must be stored, in cleartext as well.

    What the tutorial actually does is what all Debian versions until version 10 did automatically, so you never noticed it. Now this does not work anymore as the Debian devs decided that MySQL administration shall happen on the shell only by ssh. But that's not what most users want, they want to be able to use tools like phpMyAdmin to administrate their MySQL instance.

    Yes.

    Not in the article, we rely on this later to be able to use phpMyAdmin as admin tool at all. Without that change, you won't be able to log in as MySQL root user with phpMyAdmin.

    That's only for phpMyAdmin's internal tables to store settings etc.
     
    Jemt likes this.
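
The answer above rests on /etc/mysql/debian.cnf being readable by the Linux root user only. The script below is an added example, not part of the thread or the installation guide, that checks this property for a defaults file and wraps the login test proposed in the first post. The function names are hypothetical, GNU stat (as shipped on Debian) is assumed, and the demo runs on a constructed file.

```shell
#!/bin/sh
# Added example (not from the thread): audit a MySQL defaults file that
# holds a cleartext password, e.g. /etc/mysql/debian.cnf.

# audit_defaults_file PATH [EXPECTED_UID]   (function name is hypothetical)
# Returns 0 only if PATH is a regular file, not a symlink, owned by
# EXPECTED_UID (default 0 = root) with no group/other permission bits.
audit_defaults_file() {
    f=$1
    want_uid=${2:-0}
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "FAIL: $f is missing, a symlink, or not a regular file"
        return 1
    fi
    uid=$(stat -c '%u' "$f") || return 1    # GNU stat, as shipped on Debian
    mode=$(stat -c '%a' "$f") || return 1
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $f is owned by uid $uid, expected $want_uid"
        return 1
    fi
    # Leading 0 makes the shell read the mode as octal; 077 = group+other bits.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $f has mode $mode, group/other can access it"
        return 1
    fi
    echo "OK: $f (uid $uid, mode $mode)"
}

# Login check proposed in the thread; only meaningful on the server itself.
verify_defaults_login() {
    echo "SELECT 'OK';" | mysql --defaults-file="$1"
}

# Demo on a constructed file so the script runs anywhere, as any user.
demo=$(mktemp)
printf '[client]\nuser = root\npassword = CONSTRUCTED-EXAMPLE\n' > "$demo"
chmod 644 "$demo"; audit_defaults_file "$demo" "$(id -u)" || true
chmod 600 "$demo"; audit_defaults_file "$demo" "$(id -u)" || true
rm -f "$demo"
```

On the server itself, run `audit_defaults_file /etc/mysql/debian.cnf` as root, and run the same check against any location the file is copied to, such as a restored backup.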
  5. Jemt

    Jemt Member HowtoForge Supporter

    Thanks @till, I really appreciate your thorough answers.
    I was more concerned with passwords ending up in poorly secured backups. But of course it doesn't matter if the password is for root or another privileged user, and in any case backups should be handled with care.
    Debian 10 seems to have introduced a few "breaking changes" this time.
     
