7

I just installed MySQL (Ver 14.14 Distrib 5.7.22) on Ubuntu 18.04 and I discovered something weird:

I installed MySQL and used mysql_secure_installation to set a password for root, but as soon as I am logged in SSH with any user with sudo-rights, I can simply access MySQL without being prompted to enter a password via mysql -u root or via mysql -u root -p & simply clicking ENTER (when asked "Enter password:").

Is this normal?

I know from prior versions that I always had to enter a password when I wanted to access MySQL, even with sudo.

xinxin
  • 73
  • 1
  • 4

3 Answers3

14

Ubuntu's MySQL packages (which are based on Debian's) use by default the auth_socket plugin. With this plugin when connecting from the local machine no password is required, but the server identifies the operating system user and matches that user. So if you are root on the system and login you become root. This avoids having to setup a MySQL root password first.

See also https://wiki.debian.org/MySql

johannes
  • 583
  • 2
  • 10
  • Yep and create a MySQL user with same username as your unix username IDENTIFIED VIA auth_socket and you can login with no password too! – malhal Jan 03 '20 at 13:55
5

You should run SHOW GRANTS FOR 'root'@'localhost';

If it shows this line in the results:

GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED VIA unix_socket WITH GRANT OPTION

and not this line:

GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD '*xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' WITH GRANT OPTION

that means the root user is automatically authenticated by the unix socket credential. If you don't want this, you can issue a manual GRANT command (don't shoot yourself in the foot doing this) that will override the previous, eg:

GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY 'mysecurepassword' WITH GRANT OPTION;

Now mysql will ask a password, but can be used by any user able to access the unix socket (so by default just using mysql -u root -p without being root but of course knowing the password). You have to ponder which one is more secure.

I don't know why the mysql_secure_installation doesn't explain about this.

A.B
  • 9,037
  • 2
  • 19
  • 37
-1

On Ubuntu 18.04 with MySql 5.7 this doesn't work at all. Do the following:

use mysql

select plugin from user where user='root';

You will notice that the plugin is 'auth_socket', which is the responsible for the behavior we do not like.

To change this you have to change the plugin and set the password within the same command. This can be be done this way:

ALTER USER 'root'@'localhost' IDENTIFIED WITH MYSQL_NATIVE_PASSWORD BY 'mypass';

Just done and it works!

Community
  • 1
Vinix Wiread
  • 1