Summary
MySQLTuner appears to count the MariaDB PUBLIC role as a remote user without SSL enforcement.
This causes the following warning:
✘ 1 users can connect remotely without SSL enforcement
However, the only matching row is PUBLIC, which is a MariaDB role, not a normal login user.
Environment
MySQLTuner version: 2.8.45
MariaDB version: 11.8.8 LTS
Relevant MySQLTuner output
ℹ MariaDB Server - 11.8.8
ℹ User 'PUBLIC'@'' is User Role
Later in the same report:
✘ 1 users can connect remotely without SSL enforcement
Verification
Running the following query:
SELECT User, Host, ssl_type
FROM mysql.user
WHERE Host NOT IN ('localhost','127.0.0.1','::1')
AND ssl_type = '';
Returns:
+--------+------+----------+
| User | Host | ssl_type |
+--------+------+----------+
| PUBLIC | | |
+--------+------+----------+
Checking real non-PUBLIC users:
SELECT User, Host, plugin, ssl_type
FROM mysql.user
WHERE User <> 'PUBLIC'
ORDER BY User, Host;
Returns only localhost users:
+----------------------+-----------+-----------------------+----------+
| User | Host | plugin | ssl_type |
+----------------------+-----------+-----------------------+----------+
| mariadb.sys | localhost | mysql_native_password | |
| mysql | localhost | mysql_native_password | |
| testusername | localhost | mysql_native_password | |
| root | localhost | mysql_native_password | |
+----------------------+-----------+-----------------------+----------+
Expected behaviour
The SSL enforcement check should not count MariaDB roles, including PUBLIC, as remote users.
Since MySQLTuner already identifies:
User 'PUBLIC'@'' is User Role
it seems this role could be excluded from the later SSL enforcement warning.
Actual behaviour
MySQLTuner reports:
1 users can connect remotely without SSL enforcement
even though the only matching entry is the PUBLIC role.
Suggested fix
Exclude roles / PUBLIC from the SSL enforcement check, similar to how roles appear to already be detected elsewhere in the report.
Summary
MySQLTuner appears to count the MariaDB
PUBLICrole as a remote user without SSL enforcement.This causes the following warning:
However, the only matching row is
PUBLIC, which is a MariaDB role, not a normal login user.Environment
Relevant MySQLTuner output
Later in the same report:
Verification
Running the following query:
Returns:
Checking real non-
PUBLICusers:Returns only localhost users:
Expected behaviour
The SSL enforcement check should not count MariaDB roles, including
PUBLIC, as remote users.Since MySQLTuner already identifies:
it seems this role could be excluded from the later SSL enforcement warning.
Actual behaviour
MySQLTuner reports:
even though the only matching entry is the
PUBLICrole.Suggested fix
Exclude roles /
PUBLICfrom the SSL enforcement check, similar to how roles appear to already be detected elsewhere in the report.