Skip to content

MariaDB PUBLIC role counted as remote user without SSL enforcement #936

Description

@v0UwUK6CmCrjVB1PAtRb

Summary

MySQLTuner appears to count the MariaDB PUBLIC role as a remote user without SSL enforcement.

This causes the following warning:

✘ 1 users can connect remotely without SSL enforcement

However, the only matching row is PUBLIC, which is a MariaDB role, not a normal login user.

Environment

MySQLTuner version: 2.8.45
MariaDB version: 11.8.8 LTS

Relevant MySQLTuner output

ℹ MariaDB Server - 11.8.8
ℹ User 'PUBLIC'@'' is User Role

Later in the same report:

✘ 1 users can connect remotely without SSL enforcement

Verification

Running the following query:

SELECT User, Host, ssl_type
FROM mysql.user
WHERE Host NOT IN ('localhost','127.0.0.1','::1')
AND ssl_type = '';

Returns:

+--------+------+----------+
| User   | Host | ssl_type |
+--------+------+----------+
| PUBLIC |      |          |
+--------+------+----------+

Checking real non-PUBLIC users:

SELECT User, Host, plugin, ssl_type
FROM mysql.user
WHERE User <> 'PUBLIC'
ORDER BY User, Host;

Returns only localhost users:

+----------------------+-----------+-----------------------+----------+
| User                 | Host      | plugin                | ssl_type |
+----------------------+-----------+-----------------------+----------+
| mariadb.sys          | localhost | mysql_native_password |          |
| mysql                | localhost | mysql_native_password |          |
| testusername         | localhost | mysql_native_password |          |
| root                 | localhost | mysql_native_password |          |
+----------------------+-----------+-----------------------+----------+

Expected behaviour

The SSL enforcement check should not count MariaDB roles, including PUBLIC, as remote users.

Since MySQLTuner already identifies:

User 'PUBLIC'@'' is User Role

it seems this role could be excluded from the later SSL enforcement warning.

Actual behaviour

MySQLTuner reports:

1 users can connect remotely without SSL enforcement

even though the only matching entry is the PUBLIC role.

Suggested fix

Exclude roles / PUBLIC from the SSL enforcement check, similar to how roles appear to already be detected elsewhere in the report.

Metadata

Metadata

Assignees

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions