What is debian-sys-maint used for?
One major thing it is used for is telling the server to roll the logs. It needs at least the reload and shutdown privilege.
See the file /etc/logrotate.d/mysql-server
It is used by the /etc/init.d/mysql
script to get the status of the server. It is used to gracefully shutdown/reload the server.
Here is the quote from the README.Debian
* MYSQL WON'T START OR STOP?:
=============================
You may never ever delete the special mysql user "debian-sys-maint". This user
together with the credentials in /etc/mysql/debian.cnf are used by the init
scripts to stop the server as they would require knowledge of the mysql root
users password else.
What is the easiest way to restore it after I've lost it?
The best plan is to simply not lose it. If you really lose the password, reset it, using another account. If you have lost all admin privileges on the mysql server follow the guides to reset the root password, then repair the debian-sys-maint
.
You could use a command like this to build a SQL file that you can use later to recreate the account.
mysqldump --complete-insert --extended-insert=0 -u root -p mysql | grep 'debian-sys-maint' > debian_user.sql
Is the password in
/etc/mysql/debian.cnf already hashed
The password is not hashed/encrypted when installed, but new versions of mysql now have a way to encrypt the credentials (see: https://serverfault.com/a/750363).
Here is a sample configuration section that you can put in /etc/jailkit/jk_init.ini
so that future jail adds are seamless.
I used this section
[mysql-client]
comment = mysql client
executables = /usr/bin/mysql
paths = /usr/lib/libmysqlclient.so.16.0.0 , /usr/lib/libmysqlclient.so.16, /usr/lib/libstdc++.so.6,/usr/lib/libstdc++.so.6.0.13,/lib/libgcc_s.so.1
Seemed to work well, you may need to change some paths. jailkit MAY resolve the symlink paths on its own but i added both in case.
Two caveats
1) Users must use full mysql -h syntax (mysql -h basehostname database) since you do not have the mysql local sockets in the jail
2) Your mysql must be listening on the public interface so the jail can connect to it.
Best Answer
php-mysqlnd is the better choice. It is a drop-in replacement for the php-mysql extension. Here you can find more information about it.
Excerpt from the above-mentioned link:
The mysqlnd library is highly optimized for and tightly integrated into PHP. The MySQL Client Library cannot offer the same optimizations because it is a general-purpose client library.
The mysqlnd library is using PHP internal C infrastructure for seamless integration into PHP. In addition, it is using PHP memory management, PHP Streams (I/O abstraction) and PHP string handling routines. The use of PHP memory management by mysqlnd allows, for example, memory savings by using read-only variables (copy on write) and makes mysqlnd apply to PHP memory limits. Additional advantages include: