Basic Lockdown of MySQL

MySQL is stunningly insecure right after installation. It has these two problems:

  1. The main administrative user “root” has no password set.
  2. There is a notion of an anonymous user, once again without any password. Essentially, anyone can log in and pretty much do anything.

The lockdown steps are mentioned in the documentation. Here is a summary.

First, log in as the root user.

mysql -u root

Switch to the mysql database.

use mysql;

Set a password for the root user.

UPDATE user SET Password = PASSWORD('some_pass') where user='root';

Set a password for the anonymous user. It has an empty user name.

UPDATE user SET Password = PASSWORD('some_pass') where user='';

Alternatively, you can even delete the anonymous user. I didn’t try this, but it seems like a good idea.

delete from user where user='';

Finally, flush the privilege tables so that the changes take effect without a server restart.

flush privileges;

You probably want to create a user that will be used by the applications to connect to the database. Here are the steps to add a user called “monty” with rights to access the “test” database. Note that the '%' host part means monty may connect from any host; restrict it to the application's host (for example 'monty'@'localhost') if that is all you need.

GRANT ALL PRIVILEGES ON test.* TO 'monty'@'%' IDENTIFIED BY 'some_pass';
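As an added example (not from the original post), here is the whole lockdown as one script that first audits the accounts the post is worried about, then applies the changes and verifies them. It assumes a MySQL version where mysql.user still has the Password column, as the post's own UPDATE statements do; 'monty', 'some_pass' and the 'localhost' host are the post's placeholders and an assumption.

```sql
-- Added example, not from the original post. Assumes mysql.user has the
-- Password column (MySQL versions that still use PASSWORD(), as in the post).

-- 1. Audit: which accounts are anonymous, have no password at all, accept
--    logins from any host, or hold server-wide SUPER / GRANT rights?
SELECT User, Host,
       (User = '')     AS is_anonymous,
       (Password = '') AS no_password,
       (Host = '%')    AS any_host,
       Super_priv, Grant_priv
FROM mysql.user
ORDER BY User, Host;

-- 2. Lock down. A fresh install usually has several root rows
--    (localhost, 127.0.0.1, the machine's hostname); the WHERE clause
--    covers all of them. Anonymous accounts are dropped outright.
UPDATE mysql.user SET Password = PASSWORD('some_pass') WHERE User = 'root';
DELETE FROM mysql.user WHERE User = '';

-- 3. Application account with least privilege: rights on the test
--    database only, and only from the host the application runs on
--    ('localhost' assumed here) instead of '%'.
GRANT ALL PRIVILEGES ON test.* TO 'monty'@'localhost' IDENTIFIED BY 'some_pass';

-- 4. Apply without a restart, then verify: the check should return no rows.
FLUSH PRIVILEGES;
SELECT User, Host FROM mysql.user WHERE User = '' OR Password = '';
```

Run it as the root user (mysql -u root < lockdown.sql) before the server is reachable from anywhere but the local machine; the final SELECT is the check to repeat after any later account changes.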
