Discover How To Learn Tips And Tricks HOWTOs

mysql security

Anthony Pell

2 - 3 min read Aug 24, 2000

Several steps can be taken to secure the default mysql installation.

Introduction

mysql is a free DBMS for many platforms. When you install it there are various unnecessary features enabled that should be disabled to enhance security.

Root Password

When you first install mysql, be it from a source tarball or from a RPM, you must set the 'root' password. This is the password that can be used to control all of the tables, mysql startup/shutdown, etc. To do this type the command;

  mysqladmin -u root password 'new-password'

Default Users and Tables

mysql also ships with two default users and default 'test' tables. The default users are for connecting to the DBMS without specifying a password, so removing these users is obviously a very good security measure. There are also entries so that tables called or starting with 'test' can be world-writable. These should also be disabled for obvious reasons. To do so, you must first go into the DBMS:

  mysql -uroot -p mysql
  Enter password:
  Reading table information for completion of table and column names
  You can turn off this feature to get a quicker startup with -A

  Welcome to the MySQL monitor.  Commands end with ; or g.
  Your MySQL connection id is 1 to server version: 3.22.32

  Type 'help' for help.

Now we execute the two commands to delete the desired entries:

  mysql> DELETE FROM user WHERE User = '';
  mysql> DELETE FROM db WHERE Host = '%';

Disable TCP Networking

If the database only needs to be accessable from the local machine then you should disable TCP networking. By doing so you eliminate the possiblity of people connecting to your daemon without an account on the machine the daemon is running on.

To do this you must edit the file 'safe_mysqld', which is a script file that starts up the daemon for you. It may be in '/usr/bin' or '/usr/local/bin'. Once you locate the file change the following lines (approximate line numbers are included, but they may vary from version to version) by including the --skip-networking flag:

  119:     --skip-locking >> $err_log 2>&1
  119:     --skip-networking --skip-locking >> $err_log 2>&1

  122:     --skip-locking "$@" >> $err_log 2>&1
  122:     --skip-networking --skip-locking "$@" >> $err_log 2>&1

Resources

General MySQL Security
The MySQL access privilege system

Discover How To Learn Tips And Tricks HOWTOs

mysql security

Anthony Pell

Introduction

Root Password

Default Users and Tables

Disable TCP Networking

Resources

Securing an Ubuntu Linux server with SELinux

LinuxSecurity Poll

Why do you use a VPN on Linux?

Get the Latest News & Insights

News

Advisories

HOWTOs

Features

About Us

Powered By

Discover How To Learn Tips And Tricks HOWTOs

mysql security

Anthony Pell

Introduction

Root Password

Default Users and Tables

Disable TCP Networking

Resources

Related Articles

Get the Latest News & Insights

Securing an Ubuntu Linux server with SELinux

LinuxSecurity Poll

Why do you use a VPN on Linux?

Get the Latest News & Insights

News

Advisories

HOWTOs

Features

About Us

Powered By