Auth Plugin Unix Socket
From: https://mariadb.com/kb/en/authentication-plugin-unix-socket/ 





Authentication Plugin - Unix Socket

MariaDB starting with 10.4.3
In MariaDB 10.4.3 and later, the unix_socket authentication plugin is
installed by default, and it is used by the 'root'@'localhost' user account
by default. See Authentication from MariaDB 10.4 for more information.

The unix_socket authentication plugin allows the user to use operating
system credentials when connecting to MariaDB via the local Unix socket
file. This Unix socket file is defined by the socket system variable.

The unix_socket authentication plugin works by calling the getsockopt system
call with the SO_PEERCRED socket option, which allows it to retrieve the uid
of the process that is connected to the socket. It is then able to get the
user name associated with that uid. Once it has the user name, it will
authenticate the connecting user as the MariaDB account that has the same
user name.

The unix_socket authentication plugin is not suited to multiple Unix users
accessing a single MariaDB user account.




Security
A unix_socket authentication plugin is a passwordless security mechanism.
Its security is in the strength of the access to the Unix user rather than
the complexity and the secrecy of the password. As the security is different
from passwords, the strengths and weaknesses need to be considered, and
these aren't the same in every installation.




Strengths





Weaknesses
The strength of a unix_socket authentication plugin is effectively the
strength of the security of the Unix users on the system. The Unix user
default installation in most cases is sufficiently secure, however, business
requirements or unskilled management may expose risks. The following is a
non-exhaustive list of potential Unix user security issues that may arise.


In some of these scenarios a database password may prevent these security
exploits, however it will remove all the strengths of the unix_socket
authentication plugin previously mentioned.




Disabling the Plugin
MariaDB starting with 10.4.3
In MariaDB 10.4.3 and later, the unix_socket authentication plugin is
installed by default, so if you do not want it to be available by default on
those versions, then you will need to disable it.

The unix_socket authentication plugin is also installed by default in new
installations that use the .deb packages provided by Debian's default
repositories in Debian 9 and later and Ubuntu's default repositories in
Ubuntu 15.10 and later, so if you do not want it to be available by default
on those systems when those packages are used, then you will need to disable
it. See Differences in MariaDB in Debian (and Ubuntu) for more
information.

The unix_socket authentication plugin can be disabled by starting the
server with the unix_socket option set to OFF. This can be specified as a
command-line argument to mysqld or it can be specified in a relevant server
option group in an option file. For example:
	[mariadb]
...
unix_socket=OFF

As an alternative, the unix_socket option can also be set to OFF by pairing
the option with the disable option prefix. For example:
	[mariadb]
...
disable_unix_socket




Installing the Plugin
MariaDB starting with 10.4.3
In MariaDB 10.4.3 and later, the unix_socket authentication plugin is
installed by default, so this step can be skipped on those versions.

The unix_socket authentication plugin is also installed by default in new
installations that use the .deb packages provided by Debian's default
repositories in Debian 9 and later and Ubuntu's default repositories in
Ubuntu 15.10 and later, so this step can be skipped on those systems when
those packages are used. See Differences in MariaDB in Debian (and Ubuntu)
for more information.

In other systems, although the plugin's shared library is distributed with
MariaDB by default as auth_socket.so, the plugin is not actually installed
by MariaDB by default. There are two methods that can be used to install the
plugin with MariaDB.

The first method can be used to install the plugin without restarting the
server. You can install the plugin dynamically by executing INSTALL SONAME
or INSTALL PLUGIN. For example:
	INSTALL SONAME 'auth_socket';

The second method can be used to tell the server to load the plugin when it
starts up. The plugin can be installed this way by providing the --plugin
-load or the --plugin-load-add options. This can be specified as a command
-line argument to mysqld or it can be specified in a relevant server option
group in an option file. For example:
	[mariadb]
...
plugin_load_add = auth_socket




Uninstalling the Plugin
You can uninstall the plugin dynamically by executing UNINSTALL SONAME or
UNINSTALL PLUGIN. For example:
	UNINSTALL SONAME 'auth_socket';

If you installed the plugin by providing the --plugin-load or the --plugin
-load-add options in a relevant server option group in an option file, then
those options should be removed to prevent the plugin from being loaded the
next time the server is restarted.




Creating Users
To create a user account via CREATE USER, specify the name of the plugin in
the IDENTIFIED VIA clause. For example:
	CREATE USER username@hostname IDENTIFIED VIA unix_socket;

If SQL_MODE does not have NO_AUTO_CREATE_USER set, then you can also create
the user account via GRANT. For example:
	GRANT SELECT ON db.* TO username@hostname IDENTIFIED VIA unix_socket;




Switching to Password-based Authentication
Sometimes Unix socket authentication does not meet your needs, so it can be
desirable to switch a user account back to password-based authentication.
This can easily be done by telling MariaDB to use another authentication
plugin for the account by executing the ALTER USER statement. The specific
authentication plugin is specified with the IDENTIFIED VIA clause. For
example, if you wanted to switch to the mysql_native_password authentication
plugin, then you could execute:
	ALTER USER root@localhost IDENTIFIED VIA mysql_native_password;
SET PASSWORD = PASSWORD('foo');

Note that if your operating system has scripts that require password-less
access to MariaDB, then this may break those scripts. You may be able to fix
that by setting a password in the [client] option group in your /root/.my.cnf
option file. For example:
	[client]
password=foo




Client Authentication Plugins
The unix_socket authentication plugin does not require any specific client
authentication plugins. It should work with all clients.




Support in Client Libraries
The unix_socket authentication plugin does not require any special support
in client libraries. It should work with all client libraries.




Example
	$ mysql -uroot
MariaDB []> CREATE USER serg IDENTIFIED VIA unix_socket;
MariaDB []> CREATE USER monty IDENTIFIED VIA unix_socket;
MariaDB []> quit
Bye
$ whoami
serg
$ mysql --user=serg
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.2.0-MariaDB-alpha-debug Source distribution
MariaDB []> quit
Bye
$ mysql --user=monty
ERROR 1045 (28000): Access denied for user 'monty'@'localhost' (using
password: NO)

In this example, a user serg is already logged into the operating system and
has full shell access. He has already authenticated with the operating
system and his MariaDB account is configured to use the unix_socket
authentication plugin, so he does not need to authenticate again for the
database. MariaDB accepts his operating system credentials and allows him to
connect. However, any attempt to connect to the database as another
operating system user will be denied.




Versions




VersionStatusIntroduced

1.0StableMariaDB 10.0.11

1.0BetaMariaDB 5.2.0






Options


unix_socket





See Also