Basic question about bash permissions

Question

Basic question about bash permissions

I am running OS 10.14.6 on a 2013 MacBook Pro.

Sometimes when I am in Terminal, and issue a command that I think I should be allowed to do, the system asks for a password, so I use my Mac user password on this machine. It then responds with a access denied message.

I am the owner and sole user of this machine, so my understanding is I am also the 'System Administrator' (for lack of a better term). I know I'm not supposed to try to log in as 'root' and I wouldn't want to.

For instance (from inside of a MySQL sub-folder named mysql-connector-python-8.0.20), I have my bash prompt set to "sub-folder-name: "

I do the following and enter my account user password on this machine:

mysql-connector-python-8.0.20: mysql -u root -p

Enter password:

ERROR 1698 (28000): Access denied for user 'root'@'localhost'

mysql-connector-python-8.0.20:

However, if I change the command to the following:

mysql-connector-python-8.0.20: sudo mysql -u root -p

Password:

Enter password:

Welcome to the MariaDB monitor. Commands end with ; or \g.

Your MariaDB connection id is 38

Server version: 10.4.12-MariaDB Homebrew

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

At the first Password: prompt I enter my account user password

At the second Enter Password: prompt I enter my MySQL password.

This works of course, but it just seems a bit tedious and unnecessary given what I'm trying to do. Many times I manage to fat-finger one of the two passwords and I'm never sure which one.

Can I modify some permissions somewhere so that I don't have to go thru this?

MacBook Pro 15", macOS 10.14

Posted on May 13, 2020 1:42 PM

Reply

Answer 1

Top-ranking reply

Barney-15E

Level 10

116,416 points

May 13, 2020 3:08 PM in response to Claude Crider

bash has nothing to do with the underlying POSIX permissions.

From your examples, it appears the mysql wants the user who attempts to log into the root account have elevated privileges.

In your second attempt, you used sudo to elevate your privileges, and then logged into mysql.

You'd have to ask mysql if there is a way to log into the root account without elevated privileges.

Why not just create another mysql user that has admin privileges on the mysql server. I don't know if that will solve the requirement for sudo, but perhaps it will.

Reply

Answer 2

BobHarris

Level 9

55,049 points

May 13, 2020 4:08 PM in response to Claude Crider

Under the covers the mysql code is either using "ssh root@localhost", or using the 'su' command to become the 'root' users (the almost ultimate privileged user on any Unix based operating system).

Since macOS ships with the root account password disabled (for VERY GOOD REASON, as it is a huge security hole), you will never succeed in entering a password for root.

When you use 'sudo' the command that follows sudo is run as 'root', so it does not need to enter the 'root' password because it is already 'root' and mysql is happy.

I very strongly suggest you never ever give 'root' a valid password. That is just asking for security troubles as there are script kiddies on the internet constantly probing systems to see if 'root' will respond to common passwords.

Reply

Answer 3

Barney-15E

Level 10

116,416 points

May 13, 2020 4:31 PM in response to BobHarris

Under the covers the mysql code is either using "ssh root@localhost", or using the 'su' command to become the 'root' users (the almost ultimate privileged user on any Unix based operating system).

It's not the same root. mysql has a root account, similar in nature to the root account in unix.

Reply

Answer 4

etresoft

Level 9

50,800 points

May 13, 2020 4:48 PM in response to Claude Crider

Those are two different passwords. When you get the prompt that says just "Password:", that is the sudo command. It wants your account password. If your account is an administrator account, then it runs the command.

The next prompt is "Enter password:". That is completely separate and is part of MySQL. Since you are running mysql with "-u root" it wants the password for the MySQL "root" account, which is completely different from the "root" on the Mac.

It sounds like you are entering your user account password for both, that's why it only works with sudo. If you aren't using sudo, then all you need to provide is the MySQL root account password.

Reply

Answer 5

May 14, 2020 7:12 AM in response to Barney-15E

Thanks Barney!

I was just trying to learn whether or not I could skip that first password every time I use MySQL, and get in by only having to enter the MySQL password. Apparently I cannot. At least now I know why.

And God forbid that anyone should ever attempt to become bash root. ;-)

Reply

Answer 6

May 18, 2020 11:28 AM in response to Barney-15E

I've spent the last 4 days brushing up on Unix. I have 3 elementary books that don't really talk too much about sudo. I'm thinking what I need is 'the unix encyclopedia', Do you have any suggestions either online or text book wise. I think that would be better than wasting any more of the experts time since I have a problem that is all mangled up between Unix, Python and MySQL.

Any advice is appreciated.

Reply

Answer 7

BobHarris

Level 9

55,049 points

May 18, 2020 11:57 AM in response to Claude Crider

man sudo

sudo allows you to execute a command as if you were another user. The 99.44% usage is for that other use to be 'root' the all powerful account that every Unix system has.

sudo checks to see if you are allowed to run sudo by looking in the /etc/sudoers file. The user could be explicitly specified as being allowed to use the sudo command or the user could belong to a group that is allowed to use sudo. On the Mac most users are members of the admin group, which is setup in the macOS /etc/sudoers file.

For authentication, the sudo command makes sure that you are you, by making you enter your account's password, so that if you walked away from your computer and someone walked up and tried to execute a sudo command, they would not know your account password.

On original Unix systems the 'root' user could do absolutely anything. Over the years that has been pared back a bit, and especially with macOS where there are many things that even 'root' is not allowed to do, unless the Mac is booted into a special mode, like when your Mac reboots to install system updates.

Apple found that support costs went up a great deal when users started playing with the 'root' account, either by enabling it, or by using the sudo command. macOS locks down a lot of things so that users cannot shot-themselves-in-the-foot.

Final comment. If you are going to play with sudo or the root account, then make sure you have regular backups, because eventually you will make a mistake and turn your Mac into an overpriced doorstop. I'm speaking from experience. Not with Mac, but with multi-million dollar computer systems where I had administrator privileges. That is the kind of thing that sticks with you. In one instance, I had backups. In the other instance, it was the backups I messed up.