mysql security

    Date23 Aug 2000
    Posted ByAnthony Pell
    Several steps can be taken to secure the default mysql installation.


    mysql is a free DBMS for many platforms. When you install it there are various unnecessary features enabled that should be disabled to enhance security.

    Root Password

    When you first install mysql, be it from a source tarball or from a RPM, you must set the 'root' password. This is the password that can be used to control all of the tables, mysql startup/shutdown, etc. To do this type the command;

      mysqladmin -u root password 'new-password'

    Default Users and Tables

    mysql also ships with two default users and default 'test' tables. The default users are for connecting to the DBMS without specifying a password, so removing these users is obviously a very good security measure. There are also entries so that tables called or starting with 'test' can be world-writable. These should also be disabled for obvious reasons. To do so, you must first go into the DBMS:

      mysql -uroot -p mysql
      Enter password:
      Reading table information for completion of table and column names
      You can turn off this feature to get a quicker startup with -A
      Welcome to the MySQL monitor.  Commands end with ; or g.
      Your MySQL connection id is 1 to server version: 3.22.32
      Type 'help' for help.

    Now we execute the two commands to delete the desired entries:

      mysql> DELETE FROM user WHERE User = '';
      mysql> DELETE FROM db WHERE Host = '%';

    Disable TCP Networking

    If the database only needs to be accessable from the local machine then you should disable TCP networking. By doing so you eliminate the possiblity of people connecting to your daemon without an account on the machine the daemon is running on.

    To do this you must edit the file 'safe_mysqld', which is a script file that starts up the daemon for you. It may be in '/usr/bin' or '/usr/local/bin'. Once you locate the file change the following lines (approximate line numbers are included, but they may vary from version to version) by including the --skip-networking flag:

      119:     --skip-locking >> $err_log 2>&1
      119:     --skip-networking --skip-locking >> $err_log 2>&1
      122:     --skip-locking "$@" >> $err_log 2>&1
      122:     --skip-networking --skip-locking "$@" >> $err_log 2>&1


    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"82","type":"x","order":"1","pct":56.16,"resources":[]},{"id":"88","title":"Should be more technical","votes":"22","type":"x","order":"2","pct":15.07,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"42","type":"x","order":"3","pct":28.77,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.