WL#7787: Extend Secure Deployment WLs to all other unixes
Affects: Server-5.7 — Status: Complete
Following secure deployment WLs were pushed in the MySQL 5.7.5 DMR. WL#6962 : Deployment: random passwords generated for unattended installs WL#6973 : Offer deployment without test db, test scripts or demofiles WL#6977 : Remove all anonymous accounts from all default deployments For this WLs, focus was RPMs for OEL. This WL is to extend similar work on all other unixes.
FR1 : For all unixes packages which do not prompt user for passwords, random password should be generated by default. FR2 : For all supported unixes platforms, a package without Test/Demo database(s), Test/Demo libraries, Test/Demo scripts or binaries should be provided. FR3 : For all supported unix platforms, anonymous user should not be created by default.
At present, repo RPMs for OEL for MySQL 5.7 satisfy all of the requirements mentioned in Functional Requirement section. In order to extend WL#6962, WL#6973 and WL#6977, packages for various platforms for MySQL 5.7 will support following: Note : It is assumed that for every OS, all supported processor architectures will be covered. I-1 : Packages will have structure similar to repo RPMs. E.g. they will be split into various sub-packages (viz. server, client, test, development, ... etc). - At present, packages for following OSes do not have desired structure: - Generic .tar.gz format for linux - SLES (Recently implemented as part of REPO work) - Solaris - OS X - FreeBSD - Packages for above mentioned OSes pack all binaries/scripts/libraries/files in a single package. - For debian, repo project has helped creating a structure similar to RPMs. However, if required, these packages will be updated as mentioned in WL#6973 description. - It would be good to make repo RPMs as reference point for splitting files into various sub packages. MySQL source contains this information in various scripts residing inside packaging and support-files directories. I-2.1 : By default, random password must be generated for root user for all packages that don't provide a better alternative (currently only the .deb packages can read the password from the user). The mysql_install_db was modified to generate random passwords by default and same is used for repo RPMs. All other packages which use --skip-random-passwords will stop using it so that random password generation happens by default, unless they can get the password from user directly. I-2.2 : For repo RPMs, mysql_secure_installation is run by default. This will be extended to all OSes mentioned in I-1. I-3 : As a part of WL#6977, mysql_install_db was modified to make sure that anonymous user account are not created. If any of the platforms have separate scripts/steps to generate such users after installation, such scripts/steps will be removed.
Copyright (c) 2000, 2023, Oracle Corporation and/or its affiliates. All rights reserved.