MySQL Maintenance: Understanding and Restoring the debian-sys-maint User Privileges in Ubuntu/Debian Systems



The debian-sys-maint MySQL user is a special system account created by Debian/Ubuntu package maintainers to perform essential database maintenance tasks. This includes:

  • Service control (start/stop/restart MySQL through init scripts)
  • Table maintenance operations during package upgrades
  • Database schema migrations

When you restore a production database (from non-Debian systems) that includes the mysql.user table, you effectively overwrite this critical system user. The symptoms appear when trying to manage the MySQL service:

sudo service mysql restart
 * Stopping MySQL database server: mysqld
   ...fail!
error: 'Access denied for user 'debian-sys-maint'@'localhost' (using password: YES)'

To recreate the user with correct privileges, first locate the credentials in /etc/mysql/debian.cnf:

[client]
host     = localhost
user     = debian-sys-maint
password = [RANDOM_PASSWORD]
socket   = /var/run/mysqld/mysqld.sock

Then execute these SQL commands (use the password from debian.cnf):

CREATE USER 'debian-sys-maint'@'localhost' IDENTIFIED BY '[PASSWORD_FROM_CNF]';
GRANT ALL PRIVILEGES ON *.* TO 'debian-sys-maint'@'localhost' 
  WITH GRANT OPTION;
FLUSH PRIVILEGES;

While the package defaults to ALL PRIVILEGES, you can reduce this to:

GRANT RELOAD, SHUTDOWN, PROCESS, SHOW DATABASES, 
  SUPER, REPLICATION CLIENT ON *.* TO 'debian-sys-maint'@'localhost';

The password in debian.cnf is stored in plaintext - this is necessary because the init scripts need to read it. When recreating the user, use the plaintext version with IDENTIFIED BY (not the hashed form).
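The recreation steps above as one script, added here as an example and not part of the original article: it reads the password from the [client] section of debian.cnf, escapes it for a SQL string literal, and emits the statements with the reduced privilege list. The function names are hypothetical, and the permission check assumes the file should be readable only by its owner because it holds a plaintext password.

```shell
#!/bin/sh
# Added example (not from the original page): rebuild the debian-sys-maint
# account from debian.cnf. Function names are hypothetical helpers.

# Print KEY's value from the [client] section, splitting at the first "=".
cnf_get() {  # usage: cnf_get FILE KEY
    awk -v key="$2" '
        /^[ \t]*\[/ { in_client = ($0 ~ /^[ \t]*\[client\]/); next }
        in_client && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# True when the file has no group/other permission bits (e.g. mode 0600).
cnf_is_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# Escape a value for use inside a single-quoted SQL string literal.
sql_quote() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"; }

# Emit the CREATE USER / GRANT statements, using the reduced privilege list
# from the article. Refuses files that do not describe debian-sys-maint.
maint_sql() {  # usage: maint_sql FILE
    m_user=$(cnf_get "$1" user)
    m_pass=$(cnf_get "$1" password)
    [ "$m_user" = "debian-sys-maint" ] && [ -n "$m_pass" ] || return 1
    cnf_is_private "$1" || echo "warning: $1 is readable by group/other" >&2
    m_quoted=$(sql_quote "$m_pass")
    cat <<EOF
CREATE USER 'debian-sys-maint'@'localhost' IDENTIFIED BY '$m_quoted';
GRANT RELOAD, SHUTDOWN, PROCESS, SHOW DATABASES,
  SUPER, REPLICATION CLIENT ON *.* TO 'debian-sys-maint'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Usage (as root): maint_sql /etc/mysql/debian.cnf | mysql -u root -p
```

Piping the statements on stdin keeps the password out of the process list and shell history.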

When transferring databases between systems:

mysqldump --ignore-table=mysql.user --skip-triggers production_db > dump.sql

For existing development environments, consider creating a synchronization script that preserves system users while merging application users.


The debian-sys-maint MySQL user is a special administrative account created automatically when MySQL is installed via Debian or Ubuntu packages. This account is primarily used by system maintenance scripts to perform critical operations like:

  • Restarting the MySQL service
  • Checking server status
  • Performing package upgrades
  • Running maintenance tasks during system updates

When you restore a production database dump that includes the mysql.user table from a non-Debian system, the debian-sys-maint user gets overwritten, leading to service management failures:

sudo service mysql restart
Stopping MySQL database server: mysqld...failed.
error: 'Access denied for user 'debian-sys-maint'@'localhost' (using password: YES)'

Here's how to properly recreate the user when lost:

  1. Find the credentials in /etc/mysql/debian.cnf:
    [client]
    host     = localhost
    user     = debian-sys-maint
    password = [the_password_here]
    socket   = /var/run/mysqld/mysqld.sock
    
  2. Connect to MySQL as root and recreate the user:
    CREATE USER 'debian-sys-maint'@'localhost' IDENTIFIED BY '[password_from_debian.cnf]';
    

While the default installation grants extensive privileges, you can use this more secure set:

GRANT RELOAD, PROCESS, SHUTDOWN, CREATE TEMPORARY TABLES, 
      LOCK TABLES, REPLICATION CLIENT ON *.* 
      TO 'debian-sys-maint'@'localhost';
FLUSH PRIVILEGES;

The password in debian.cnf is plaintext - you must use it as-is when recreating the user. MySQL will automatically hash it during user creation.

When transferring databases between systems:

  • Always exclude the mysql.user table:
    mysqldump --ignore-table=mysql.user db_name > dump.sql
  • Or explicitly exclude just the debian-sys-maint user:
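    mysqldump --ignore-table=mysql.user db_name > dump.sql
    # separate file, to be imported into the mysql database; --no-create-info keeps
    # the target's user table (and its debian-sys-maint row) instead of dropping it
    mysqldump --no-create-info --insert-ignore mysql user --where="User!='debian-sys-maint'" > users.sql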

Some system administrators prefer to:

  1. Edit the init scripts to use root instead
  2. Create a separate maintenance user with minimal privileges
  3. Use sudo rules for specific mysqladmin commands

However, modifying the default Debian/Ubuntu setup may complicate future package updates and isn't generally recommended.