I have been bitten several times by the 'debian-sys-maint' user that is installed by default on the mysql-server packages installed from the Ubuntu repositories.
Generally what happens is I pull a fresh copy of our production database (which is not running on Debian/Ubuntu) for troubleshooting or new development and forget to exclude the mysql.user table hence losing the debian-sys-maint user.
If we add new mysql users for whatever reason, I have to 'merge' these into my development environment as opposed to just overlaying the table.
Without the user my system still seems functional, but plagued with errors such as:
sudo /etc/init.d/mysql restart
Stopping MySQL database server: mysqld...failed.
error: 'Access denied for user 'debian-sys-maint'@'localhost' (using password: YES)'
- What is debian-sys-maint used for?
- Is there a better way for the package maintainers to do what they're trying to do?
- What is the easiest way to restore it after I've lost it?
- What is the correct/minimal set of privileges for this user?
- Seems like poor idea to 'grant all privileges on *.* …'
Edit
Additional question – Is the password in /etc/mysql/debian.cnf already hashed or is this the plaintext password? It matters when you go to recreate the user and I never seem to get it right on the first try.
Thanks
Best Answer
One major thing it is used for is telling the server to roll the logs. It needs at least the reload and shutdown privilege.
See the file /etc/logrotate.d/mysql-server
It is used by the
/etc/init.d/mysql
script to get the status of the server. It is used to gracefully shutdown/reload the server.Here is the quote from the README.Debian
The best plan is to simply not lose it. If you really lose the password, reset it, using another account. If you have lost all admin privileges on the mysql server follow the guides to reset the root password, then repair the
debian-sys-maint
.You could use a command like this to build a SQL file that you can use later to recreate the account.
The password is not hashed/encrypted when installed, but new versions of mysql now have a way to encrypt the credentials (see: https://serverfault.com/a/750363).