
The account "debian-sys-maint" in Debian mysql/mariadb is important to keep the DB system functioning normally. It needs full administrative privileges, as some people have discussed in "What is the debian-sys-maint MySQL user (and more)?".

But recently we were audited by our officers. One of the security issues the auditors pointed out is that, in a database, there should be only one account with full administrative privileges to access the whole database. Further, this account should not have a special name that everybody can guess. Thus, the auditors seriously questioned the "debian-sys-maint" account in our mariadb. They suggested that we remove it or rename it, provided that there are no other accounts with administrative privileges.

My question is, is it possible to have another account to replace "debian-sys-maint"? I saw this in /etc/mysql/debian.cnf:

[client]
host     = localhost
user     = debian-sys-maint
password = ****************
socket   = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host     = localhost
user     = debian-sys-maint
password = ****************
socket   = /var/run/mysqld/mysqld.sock
basedir  = /usr

It looks like this special account can be changed to another name, as long as we set the account name and password correctly in the "user" and "password" parameters in debian.cnf, and create that account in mariadb with the commands:

CREATE USER '<username>'@'localhost' IDENTIFIED BY '<password>';
GRANT ALL PRIVILEGES ON *.* TO '<username>'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;

And finally remove all the other administrative accounts. Then everything will work just fine, including starting/stopping mariadb, upgrading mariadb via the dpkg system, etc. There is no risk of database damage in a future upgrade. Am I right?

Thanks for your answer in advance.

T.H.Hsieh

[Update]

Thank you very much for your responses. Unfortunately changing our auditors is not possible, because they were assigned directly by our government. I guess that they know some basics of general databases, but not the details. It is also possible that this is the first time we were audited. We might have revealed too many unnecessary aspects and led them to more questions.

In any case, for an experiment, we got a "white-mouse" system, Debian-11.8, with the system "debian-sys-maint" account replaced by another one, following the procedure I have posted. We will test whether the system runs well or not, for at least half a year or a year. During this period we expect that we will have several chances of reboot, recovery from loss of power, and upgrade.

In the meanwhile, we will respond to the auditor about the necessity of "debian-sys-maint" in the system. We probably need the "official" document explaining that account, either from Debian or from Mariadb. Could you please point out where I could find this official document?

Thank you.

T.H.Hsieh

[Update]

I tested creating an account in mariadb, with full administrative privileges, and identified via unix_socket, to replace the "root" or "debian-sys-maint" accounts. This account should also exist as a normal Linux user account. But this way it cannot work with the Debian maintenance system.

For example, when doing

/etc/init.d/mariadb reload

the script will read /etc/mysql/debian.cnf to get the credentials for the administrative account. It needs "root" privilege. But if I run this command with the "root" account, I cannot log in to mariadb as the administrative account, because it is identified via unix_socket.

Therefore, if we want to play this trick, this administrative account should be created with password identification, and the account name and password put into /etc/mysql/debian.cnf.

We will continue this test to see whether there are other side effects.

T.H.Hsieh
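As an added example (not part of the original post), here is the replacement procedure from the question and the update combined: a password-authenticated maintenance account (since unix_socket authentication does not work for the init script), a check of its authentication plugin before debian.cnf is switched over, and a query that lists every account holding global SUPER privilege so the auditors' "only one administrative account" requirement can be checked. The account name "dbmaint_example" and the password are placeholders.

```sql
-- 1. Create the replacement maintenance account with password
--    authentication. IDENTIFIED BY attaches a password plugin, not
--    unix_socket, so the root Linux user running /etc/init.d/mariadb
--    can log in with the credentials stored in /etc/mysql/debian.cnf.
CREATE USER 'dbmaint_example'@'localhost'
  IDENTIFIED BY 'CHANGE-ME-long-random-password';
GRANT ALL PRIVILEGES ON *.* TO 'dbmaint_example'@'localhost'
  WITH GRANT OPTION;
FLUSH PRIVILEGES;

-- 2. Verify before touching debian.cnf: the plugin column must show a
--    password plugin (e.g. mysql_native_password), not unix_socket,
--    and SHOW GRANTS must list ALL PRIVILEGES ON *.* WITH GRANT OPTION.
SELECT User, Host, plugin
  FROM mysql.user
 WHERE User = 'dbmaint_example' AND Host = 'localhost';
SHOW GRANTS FOR 'dbmaint_example'@'localhost';

-- 3. Put the same user and password into BOTH the [client] and
--    [mysql_upgrade] sections of /etc/mysql/debian.cnf, then confirm
--    the non-interactive login path the maintenance scripts use works:
--      mysql --defaults-file=/etc/mysql/debian.cnf -e 'SELECT 1'
--    Only after that succeeds, remove the old maintenance account.
DROP USER 'debian-sys-maint'@'localhost';

-- 4. Audit check for the auditors' requirement: every account that
--    holds the global SUPER privilege. After step 3 the expected result
--    is a single row for 'dbmaint_example'@'localhost'; any other row
--    (for example a remaining root account) must be justified or removed.
SELECT GRANTEE, IS_GRANTABLE
  FROM information_schema.USER_PRIVILEGES
 WHERE PRIVILEGE_TYPE = 'SUPER';
```

Keep a second root-level session open while running step 3 so a mistake in debian.cnf cannot lock you out before the new credentials are confirmed.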
