Search code examples
phpcentosmariadbselinuxadminer

"Permission denied" error from Adminer with root@localhost

I'm trying to use Adminer to connect to MariaDB database, but I get "Permission denied" error when I press the Login-button. Note that this is NOT "Access denied" which I'd expect if e.g. password is wrong.

This is my first time using MariaDB, and I'm also quite new to CentOS, do I'm unsure of what is wrong here. Some debugging and settings about my system is listed below.

Connecting to MariaDB from PHP does work, e.g. with this test script:

<?php
$db = mysqli_connect('127.0.0.1','root','mypassword')
  or die(mysqli_error());
var_dump($db);

Using mysql -h 127.0.0.1 -u root -p from console also works, and also netstat confirms that mysqld is listening:

$ sudo netstat -tlpn | grep mysqld
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      16428/mysqld

MariaDB Grants:

MariaDB [(none)]> show grants;
+--------------------------------------------------------------------------------------------------+
| Grants for root@localhost                                                                        |
+--------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD '...' WITH GRANT OPTION |
| GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION                                    |
+--------------------------------------------------------------------------------------------------+

Settings in Adminer:

System: MySQL
Server: 127.0.0.1
Username: root
Password: mypassword
Database: (none)

My system:

CentOS 7
Apache 2.4.6
PHP 5.4.16
MariaDB 10.1.16
Adminer 4.2.5
Solution

  • Main reason for this is wrong SELinux setting, but there is also a critical MariaDB bug affecting this.

    SELinux has boolean httpd_can_network_connect_db which defines whether HTTP server scripts and modules can connect to database server or not. This defaults to off:

    $ getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> off

    Turning this on and restarting* Apache allows connecting from Adminer using Server: 127.0.0.1:

    sudo setsebool -P httpd_can_network_connect_db on
sudo systemctl restart httpd

    *) I'm not sure whether restart is really required.

    Interestingly trying to connect using Server: localhost still doesn't work. This is because of a critical bug in MariaDB 10.1.16 concerning SELinux contexts: MDEV-10405 & MDEV-10404

    Work-around for this bug is to disable NoNewPrivileges=true setting.

    Create file /etc/systemd/system/mariadb.service.d/myfix.conf:

    # temporary fix for bug https://jira.mariadb.org/browse/MDEV-10404
[Service]
NoNewPrivileges=false

    And then run:

    sudo systemctl daemon-reload
sudo systemctl restart mariadb