
With a fresh (but old) install of Ubuntu and MySQL, I found I could access MySQL via the command-line client without being asked for any user or password.

Logging in as root requires the root password. But logging in without specifying the user (i.e., just typing `mysql` on the command line) asks me for neither user nor password.

I'm logged in as stewart@localhost. No such user exists in the mysql.user table.

This user can see the information_schema database.

Why does the user exist? I thought MySQL users were separate from OS system accounts.

Stewart
  • http://dev.mysql.com/doc/refman/5.0/en/information-functions.html#function_current-user – user9517 Aug 12 '14 at 08:39
  • OK, so my reading of that is that it's normal. Why have I never noticed it before? I would have expected to simply not be granted access. – Stewart Aug 12 '14 at 08:47
  • This is due to the "debian-sys-maint"-user. Your user account should be in the admin group. However, this system user should no longer exist in newer installations. Search for "mysql debian-sys-maint" for more information. It was a system account used for rolling logs and other tasks. – Broco Aug 12 '14 at 13:39
  • The `stewart` user is indeed in the `admin` group. I thought `debian-sys-maint` had something to do with it, hence my previous question: http://serverfault.com/questions/619633/securing-mysql-debian-sys-maint – Stewart Aug 12 '14 at 14:05
  • @Stewart Dang, I should have figured this question was related to the other question. May I ask for the Ubuntu version? I tried to log in to MySQL from Ubuntu 12.04 and 14.04 without credentials from my administrative user account, even as root it was not possible so I think they removed this "feature" which is in fact a huge security risk and I cannot think of any reason for its existence. Granting root access to MySQL without credentials COULD be ok but in fact you are right, MySQL users are and should be separate users in newer versions. – Broco Aug 12 '14 at 15:13
  • Due to CPU / memory (laptop is 10 years old now) the Ubuntu version is old: 8.04. I'm very pleased to hear (a) that my security discomfort is warranted (b) that this is a hole fixed in later releases. Do you think my suggestion to `REVOKE ALL PRIVILEGES` (in the other question) is a reasonable compromise? – Stewart Aug 12 '14 at 15:51
  • @Broco: "this system user [debian-sys-maint] should no longer exist in newer installations". Do you have some more information about this? At least in Ubuntu 14.04 and Debian Wheezy the user still exists and should not be removed. – Mikko Aug 13 '14 at 06:09
  • @Mikko Sorry for being stupid: It is no SYSTEM user. debian-sys-maint is used for rolling logs and checking for corrupt tables. – Broco Aug 13 '14 at 08:09

1 Answer


MySQL treats an unknown username as the anonymous user, so check for any lines in the user table that have an empty string in the username column. Removing these, or setting the password, will prevent logging in without a password.

You can check if you are connected as the anonymous user with `SELECT CURRENT_USER()`.

Mikko
  • Thanks for this, and also the reference to the duplicate question. Found another, so for posterity, they are: * http://serverfault.com/questions/368641/mysql-5-5-16-allows-anonymous-connections * http://serverfault.com/questions/452955/mysql-allows-entry-without-password – Stewart Aug 13 '14 at 09:52
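
The check and cleanup described in the answer above, written out as an added example (not part of the original answer or comments). It assumes a MySQL 5.x server whose `mysql.user` table still has a `Password` column, a session with privileges on the `mysql` schema, and an anonymous account on host `localhost`; use the `Host` values that step 2 actually returns.

```sql
-- 1. Compare the identity the client presented with the account row that
--    MySQL matched. On an anonymous match USER() shows the OS-derived name
--    (e.g. stewart@localhost) while CURRENT_USER() shows @localhost,
--    i.e. an empty user name.
SELECT USER() AS client_identity, CURRENT_USER() AS matched_account;

-- 2. List anonymous accounts: rows with an empty User column.
--    An empty Password value means no password is required.
--    (On MySQL 5.7 and later the column is authentication_string.)
SELECT User, Host, Password
FROM mysql.user
WHERE User = '';

-- 3. List database-level privilege rows that apply to anonymous users.
SELECT Host, Db, User
FROM mysql.db
WHERE User = '';

-- 4. Review what one anonymous account may do, then remove it.
--    'localhost' is an assumed host; repeat for each Host from step 2.
SHOW GRANTS FOR ''@'localhost';
DROP USER ''@'localhost';

-- 5. Confirm that no anonymous account is left. Expected result: 0.
SELECT COUNT(*) AS anonymous_accounts
FROM mysql.user
WHERE User = '';
```

After step 4, running `mysql` without a user name from the same OS account should be refused with an access-denied error instead of opening a session.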