URGENT: changing Mail user changes MySQL password since Virtualmin 3.81

I noticed this strange behavior since upgrading from Virtualmin Pro 3.80 to 3.81.

Say I have the domain "example.com", it has the username example.com, which also is the MySQL username. The MySQL username has the same password as the Webmin/FTP username. So far so good.

Now, if someone changes a Mail user, for example "example.com_info", it appears that the main mysql user, "example.com", gets the password changed as well. This of course has very bad implications, causing the website to stop working.

Another problem, which might be related: I noticed that on a domain normal Mail user gets the DB assigned. If I remove that DB from the user, the db stops working. Even though it is assigned to the main user. Very strange. If I disable mysql login, reenable it and recreate the database, it gets reassigned to the mail user instead of the main user.

I think this should be fixed asap. Is this a bug, or is there some misconfiguration on my side? I didn't change anything after the upgrade to 3.81...

Status: Closed (fixed)

Comments

i temporarily set "Keep MySQL and administration passwords in sync?" to No, hopefully this will do as a workaround for the time being. MySQL password now gets changed even if a non-administrator password gets changed, which is not good :)

What were the actual full usernames?

One possible cause is that MySQL only supports 16-character usernames, so if two users (the domain owner and someone else) both have usernames that start with the same 16 letters, something like this could happen.

holy cow. yeah, one domain is exactly 16 long, one even longer and is truncated. but still, i don't understand: if i change the password for 'verylongdomainname.tld_foo', why is the mysql user's 'verylongdomainna' password changed? isn't virtualmin supposed to know that I am not changing the administrator username's password, thus not bother to change mysql's password?

If I may... I hope what I say now is correct. :) Due to username truncation, "verylongdomainname.tld_foo" and "verylongdomainna" are, while different users in VM, identical users for MySQL. Specifying a too long username in MySQL password change statements will inevitably "hit the wrong person".

It is possible that VM does not take that into account, and when trying to change the password for the first, it unwittingly changes the password for the other, or in other words, for both.

So was the issue here that two different domains had the same first 16 characters, or was the conflict just between the domain owner and one of the mailboxes in the domain?

just between the domain owner and mailboxes in the same domain. sorry for putting the word "urgent" into this issue, but I am running Virtualmin Pro for over 2 years now and didn't have such a problem yet. now it's too late to change the username schema, my users would be pissed hehe...

but why does virtualmin even try to change the mysql password for a mailbox user? only the domain owner's user has a mysql username...

I can confirm that behavior.

I created a new domain "verylongdomainname.de" with an email user "verylongdomainname.de_test1". The latter did NOT get MySQL access. The corresponding MySQL user for the domain owner became "verylongdomainna".

Then I changed the password for the email user, and VMin changed the MySQL password as well.

My best guess is that the script performs an "update MySQL password" query for the email user, like "if he has MySQL access, he gets the new password; if not, the request just fails and we ignore that". Or something to that effect. Due to name truncation and corresponding name conflicts, the problem arises. Just a guess of course.

Yeah, that looks like what is happening .. which is a bug. I will look into a fix for this.

This doesn't happen in a default install, as the person's name part of the username comes first in the MySQL login .. so the names would be like verylongdomainname and bob-verylongdomainname.

waaaa i chose the worst style of usernames of them all and now i am so screwed haha... anyway, i hope that disabling the "Keep MySQL and administration passwords in sync" option will do as a workaround for now... i will test tomorrow, need sleep now :)

The next Virtualmin release (3.82) will fix this problem, but not incorrectly detecting that a mailbox has a MySQL login enabled when it is actually the domain that does..

Automatically closed -- issue fixed for 2 weeks with no activity.
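
The truncation collision discussed in this thread, as an added example that is not part of the original discussion and is not Virtualmin's code. It assumes the 16-character MySQL username limit stated above; all function names are hypothetical, and the sample usernames are the ones quoted in the thread.

```python
# Added illustration, not Virtualmin code. Function names are hypothetical.
from collections import defaultdict

MYSQL_USER_MAX = 16  # username limit stated in the thread


def mysql_login(hosting_user, limit=MYSQL_USER_MAX):
    """MySQL login that a hosting username maps to after truncation."""
    return hosting_user[:limit]


def find_collisions(users, limit=MYSQL_USER_MAX):
    """Group hosting usernames that end up sharing one truncated MySQL login."""
    groups = defaultdict(list)
    for name in users:
        groups[mysql_login(name, limit)].append(name)
    return {login: names for login, names in groups.items() if len(names) > 1}


def naive_should_sync(changed_user, existing_logins, limit=MYSQL_USER_MAX):
    """Failure mode guessed at in the thread: asking 'does a MySQL login with
    this truncated name exist?' is true for a mailbox that never had one."""
    return mysql_login(changed_user, limit) in existing_logins


def should_sync(changed_user, mysql_enabled):
    """Guarded check: propagate a password change to MySQL only for a user
    explicitly granted a MySQL login, compared by full, untruncated name."""
    return changed_user in mysql_enabled


# Constructed sample data built from the usernames quoted in the thread.
DOMAIN_FIRST = ["verylongdomainname.de", "verylongdomainname.de_test1",
                "example.com", "example.com_info"]
NAME_FIRST = ["verylongdomainname", "bob-verylongdomainname"]  # default style
MYSQL_ENABLED = {"verylongdomainname.de", "example.com"}  # domain owners only
EXISTING_LOGINS = {mysql_login(u) for u in MYSQL_ENABLED}

if __name__ == "__main__":
    for login, names in find_collisions(DOMAIN_FIRST).items():
        print(f"MySQL login {login!r} is shared by: {', '.join(names)}")
    mailbox = "verylongdomainname.de_test1"
    print("naive check syncs mailbox change:  ",
          naive_should_sync(mailbox, EXISTING_LOGINS))
    print("guarded check syncs mailbox change:",
          should_sync(mailbox, MYSQL_ENABLED))
```

Running `find_collisions` over the full list of hosting usernames on a server shows which mailboxes share a truncated login with a domain owner before a password change is made.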