2.8 Ensure Socket Peer-Credential Authentication is Used Appropriately

Information

The server-side unix_socket authentication plugin authenticates clients that connect to the MariaDB server from the local host through the Unix socket file. Users authenticated using unix_socket need not specify a password when connecting to the server. However, users authenticated by the unix_socket plugin cannot connect remotely; they can only connect from the local host through the Unix socket file. This method is only suitable where access to the operating-system accounts of server administrators is restricted.

Rationale:

This method may be desirable in specific cases, including:

The Linux system where MariaDB is running is dedicated to the MariaDB server and only the MariaDB DBA and OS Admin have access.

When control over user authentication is centralized in the operating system.

It is desirable that audit trails in the database and operating system can use the same user names.

For certain other narrow installation use cases unix_socket may be desirable.

Only local connections are wanted for a given user.

Impact:

Things to consider when using the operating system to authenticate users:

The user must have an operating system account on the computer that is to be accessed.

If a user has logged in using this method and steps away from the terminal, another person could easily take over the session, because no password or credentials are required. This poses a serious security problem.

When the operating system is used to authenticate database users, managing distributed database environments and database links requires special care, as does ensuring that such a terminal is never left unlocked and unattended. Hence, we recommend that you carefully evaluate your requirements before opting for unix_socket.

This will not work where distributed connections are required.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

If the plugin is active and you need to disable it in your environment, add the following option under the [mysqld] option group in your MariaDB configuration file, then restart MariaDB:

unix_socket=OFF

If the plugin is disabled but you seek to use it, ensure the following option is set under the [mysqld] option group in your MariaDB configuration file, then restart MariaDB:

unix_socket=ON

To enable an OS user to log in to MariaDB using unix_socket, specify unix_socket as the authentication plugin in the IDENTIFIED VIA clause of the CREATE USER statement. For example, run:

CREATE USER '<user>'@'localhost' IDENTIFIED VIA unix_socket;

The user can then log in using:

mysql -u <user>
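As an added audit helper (not part of the benchmark or of MariaDB), the script below reads the [mysqld] unix_socket option described above from a constructed my.cnf and reviews constructed rows shaped like the output of SELECT User, Host, plugin FROM mysql.user against a constructed set of local OS account names. It assumes a bare unix_socket option with no value counts as ON.

```python
"""Review helper for CIS MariaDB 2.8: is unix_socket configured and used as intended?"""

# Constructed sample of a MariaDB configuration file (not from a real host).
SAMPLE_MY_CNF = """\
[client]
socket=/run/mysqld/mysqld.sock

[mysqld]
# peer-credential authentication stays enabled on this host
unix_socket=ON
skip-networking
"""

# Constructed rows shaped like: SELECT User, Host, plugin FROM mysql.user;
SAMPLE_USERS = [
    ("root", "localhost", "unix_socket"),
    ("dba", "localhost", "unix_socket"),
    ("app", "10.0.0.%", "mysql_native_password"),
    ("report", "%", "unix_socket"),          # wildcard host on a socket-only account
    ("ghost", "localhost", "unix_socket"),   # no OS account of that name
]

# Constructed set of local OS account names (what /etc/passwd would list).
SAMPLE_OS_USERS = {"root", "dba", "mysql"}


def unix_socket_setting(my_cnf_text: str) -> str:
    """Return the last unix_socket value set in [mysqld] (upper-cased), or 'UNSET'."""
    section, value = None, "UNSET"
    for raw in my_cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and surrounding whitespace
        if not line or line.startswith("!"):       # skip blank lines and !include directives
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        key, _, val = line.partition("=")
        if key.strip().replace("-", "_").lower() == "unix_socket":   # unix-socket is the same option
            value = val.strip().upper() or "ON"    # assumption: a bare option means ON
    return value


def review_accounts(rows, os_users):
    """Return (user, host, reason) for unix_socket accounts that need a second look."""
    findings = []
    for user, host, plugin in rows:
        if plugin != "unix_socket":
            continue
        if host != "localhost":
            findings.append((user, host, "host is not 'localhost'; the plugin only serves local socket connections"))
        if user not in os_users:
            findings.append((user, host, "no OS account with this name, so peer-credential login cannot succeed"))
    return findings


if __name__ == "__main__":
    print("unix_socket in [mysqld]:", unix_socket_setting(SAMPLE_MY_CNF))
    for user, host, why in review_accounts(SAMPLE_USERS, SAMPLE_OS_USERS):
        print(f"REVIEW '{user}'@'{host}': {why}")
```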

Default Value:

The unix_socket plugin is ON by default.

See Also

https://workbench.cisecurity.org/benchmarks/16527

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-8

Plugin: Unix

Control ID: 92268ccedc685fe014d1e121f416a4e9a2549733e59b0a1694f37605ce263cbe