Ubuntu – thesql root password – where should it be stored

What is debian-sys-maint used for?

One major thing it is used for is telling the server to roll the logs. It needs at least the reload and shutdown privilege.

See the file /etc/logrotate.d/mysql-server

It is used by the /etc/init.d/mysql script to get the status of the server. It is used to gracefully shutdown/reload the server.

Here is the quote from the README.Debian

* MYSQL WON'T START OR STOP?:
=============================
You may never ever delete the special mysql user "debian-sys-maint". This user
together with the credentials in /etc/mysql/debian.cnf are used by the init
scripts to stop the server as they would require knowledge of the mysql root
users password else.

What is the easiest way to restore it after I've lost it?

The best plan is to simply not lose it. If you really lose the password, reset it, using another account. If you have lost all admin privileges on the mysql server follow the guides to reset the root password, then repair the debian-sys-maint.

You could use a command like this to build a SQL file that you can use later to recreate the account.

mysqldump --complete-insert --extended-insert=0 -u root -p mysql | grep 'debian-sys-maint' > debian_user.sql

Is the password in /etc/mysql/debian.cnf already hashed

The password is not hashed/encrypted when installed, but new versions of mysql now have a way to encrypt the credentials (see: https://serverfault.com/a/750363).

Threre is no rotation, because you are using -d option. From manual:

-d Turns on debug mode and implies -v. In debug mode, no changes will be made to the logs or to the logrotate state file.

I have two suggestions:

• Upgrade OS to x86_64 if possible, because you have 2,5GB memory limit per process
• Don't use -pPassword parameter with mysql for security reasons, it's better to use --defaults-extra-file=path_to_extra, which is readable only by root. When somebody, who has access to server execute ps -ef | grep mysql, it will see root password for database.

Here is my logrotate /etc/logrotate.d/mysql script for mysql on CentOS 5 (mysql Ver 14.12 Distrib 5.0.77, for redhat-linux-gnu (x86_64) using readline 5.1):

# If the root user has a password you have to create a
# /.my.cnf configuration file with the following
# content:
#
# [mysqladmin]
# password = <secret>
# user = <username>
#
# where "<secret>" is the password and <username> is user.
#
# ATTENTION: This /.my.cnf should be readable ONLY
# for root !
/var/log/mysqld.log {
        create 640 mysql mysql
        notifempty
        missingok
        postrotate
                # just if mysqld is really running
                if test -x /usr/bin/mysqladmin && \
                   /usr/bin/mysqladmin --defaults-extra-file=/root/mysql/logrotate.cnf ping &>/dev/null
                then
                   /usr/bin/mysqladmin --defaults-extra-file=/root/mysql/logrotate.cnf flush-logs
                fi
                /usr/bin/chcon -u system_u -r object_r -t mysqld_log_t /var/log/mysqld.log
        endscript
}