MySQL is stunningly insecure right after installation. It has these two problems:
- The main administrative user “root” has no password set.
- There is a notion of an anonymous user, once again without any password. Essentially, anyone can log in and pretty much do anything.
The lockdown steps are mentioned in the documentation. Here is a summary.
First, log in as the root user.
mysql -u root
Switch to the mysql database, which holds the user table that the following statements modify.
USE mysql;
Set a password for the root user.
UPDATE user SET Password = PASSWORD('some_pass') where user='root';
Set a password for the anonymous user. It has an empty user name.
UPDATE user SET Password = PASSWORD('some_pass') where user='';
Alternatively, you can even delete the anonymous user. I didn’t try this, but it seems like a good idea.
delete from user where user='';
Finally, flush the privilege tables so that the changes take effect without a server restart.
FLUSH PRIVILEGES;
You probably want to create a user that will be used by the applications to connect to the database. Here are the steps to add a user called “monty” with rights to access the “test” database.
GRANT ALL PRIVILEGES ON test.* TO 'monty'@'%' IDENTIFIED BY 'some_pass';
Note that the grant is on test.* only: granting ON *.* (or adding WITH GRANT OPTION) would give the application account every database on the server and the ability to hand out privileges, neither of which it needs. The '%' host part lets monty connect from any host; if the application runs on the same machine, use 'monty'@'localhost' instead.
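To check whether a server still has the two weaknesses described above, the following added example (not from the original post) audits rows shaped like the output of `SELECT User, Host, Password FROM mysql.user` and emits the remediation statements from the steps above. The sample rows are constructed to resemble a fresh install; the `CHANGE_ME` password is a placeholder.

```python
"""Audit mysql.user rows for post-install weaknesses and emit fix-up SQL.

Added example, not part of the original post. The rows below are CONSTRUCTED
to look like `SELECT User, Host, Password FROM mysql.user;` on a fresh install
(the Password column is empty when no password has been set).
"""

# Constructed sample: two root rows, one anonymous user, one app user on any host.
SAMPLE_USERS = [
    ("root", "localhost", ""),
    ("root", "127.0.0.1", ""),
    ("", "localhost", ""),  # anonymous user: empty user name
    ("monty", "%", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),  # constructed hash
]


def sql_quote(value):
    """Quote a MySQL string literal, doubling any embedded single quotes."""
    return "'" + value.replace("'", "''") + "'"


def audit_users(rows):
    """Return (severity, message, fix_sql) per finding; fix_sql is None if manual."""
    findings = []
    for user, host, password in rows:
        account = f"{sql_quote(user)}@{sql_quote(host)}"
        where = f"WHERE User={sql_quote(user)} AND Host={sql_quote(host)}"
        if user == "":
            # Anonymous accounts are removed outright, as the post suggests.
            findings.append(("high", f"anonymous account {account}",
                             f"DELETE FROM mysql.user {where};"))
            continue
        if password == "":
            # Same statement form as the post, scoped to one row by Host as well.
            findings.append(("high", f"{account} has no password",
                             f"UPDATE mysql.user SET Password = PASSWORD('CHANGE_ME') {where};"))
        if host == "%":
            # Wildcard host: flag it, but choosing the right host needs a human.
            findings.append(("medium", f"{account} accepts connections from any host", None))
    return findings


def remediation_sql(findings):
    """Join the automatic fixes and end with FLUSH PRIVILEGES, as the post does."""
    statements = [fix for _, _, fix in findings if fix is not None]
    if statements:
        statements.append("FLUSH PRIVILEGES;")
    return "\n".join(statements)


if __name__ == "__main__":
    for severity, message, _ in audit_users(SAMPLE_USERS):
        print(f"[{severity}] {message}")
    print(remediation_sql(audit_users(SAMPLE_USERS)))
```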