Is it normal that one can access MySQL as root without entering password, although password is set?
I just installed MySQL (Ver 14.14 Distrib 5.7.22) on Ubuntu 18.04 and I discovered something weird:
I installed MySQL and used mysql_secure_installation
to set a password for root, but as soon as I am logged in SSH with any user with sudo-rights, I can simply access MySQL without being prompted to enter a password via mysql -u root
or via mysql -u root -p
& simply clicking ENTER (when asked "Enter password:").
Is this normal?
I know from prior versions that I always had to enter a password when I wanted to access MySQL, even with sudo.
Ubuntu's MySQL packages (which are based on Debian's) use by default the auth_socket
plugin. With this plugin when connecting from the local machine no password is required, but the server identifies the operating system user and matches that user. So if you are root on the system and login you become root. This avoids having to setup a MySQL root password first.
See also https://wiki.debian.org/MySql
You should run SHOW GRANTS FOR 'root'@'localhost';
If it shows this line in the results:
GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED VIA unix_socket WITH GRANT OPTION
and not this line:
GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD '*xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' WITH GRANT OPTION
that means the root user is automatically authenticated by the unix socket credential. If you don't want this, you can issue a manual GRANT command (don't shoot yourself in the foot doing this) that will override the previous, eg:
GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY 'mysecurepassword' WITH GRANT OPTION;
Now mysql will ask a password, but can be used by any user able to access the unix socket (so by default just using mysql -u root -p
without being root but of course knowing the password). You have to ponder which one is more secure.
I don't know why the mysql_secure_installation
doesn't explain about this.