Description:
Section 2.4.16.3 describes a process for setup that leaves a security hole. It
instructs the person installing the database to execute the following
two commands:
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('newpwd');
mysql> SET PASSWORD FOR 'root'@'host_name' = PASSWORD('newpwd');
I think this leaves an account root@127.0.0.1 unprotected.
mysql> select host,user,password from user;
+----------------+-----------------+-------------------------------------------+
| host | user | password |
+----------------+-----------------+-------------------------------------------+
| localhost | root | *59E8BDD7D7C01F8BA2CD25A6C4DA8380BAAC6196 |
| ajacobs-ubuntu | root | *59E8BDD7D7C01F8BA2CD25A6C4DA8380BAAC6196 |
| 127.0.0.1 | root | |
| localhost | debian-sys-maint| *1A1C7F99FC38AACD1C2D4E6F7AFD446C0A3CA924 |
+----------------+-----------------+-------------------------------------------+
The documentation should say that Unix database installations should run
mysql> SET PASSWORD FOR 'root'@'127.0.0.1' = PASSWORD('newpwd');
as well.
Anonymous accounts are broken on Linux. When that feature is patched or
fixed in a new release, the documentation for anonymous accounts will probably
have to get changed as well.
How to repeat:
Read the manual page
MySQL 5.0 Reference Manual :: 2 Installing and Upgrading MySQL :: 2.4 Installing MySQL Community Server :: 2.4.16 Post-Installation Setup and Testing :: 2.4.16.3 Securing the Initial MySQL Accounts
Install a server and follow directions. Start up mysql from the command line
using
% mysql -u root -p
Then exec the commands
mysql> use mysql
mysql> select host,user,password from user;
Suggested fix:
The documentation Section 2.4.16.3 should say that Unix server installations
should run
mysql> SET PASSWORD FOR 'root'@'127.0.0.1' = PASSWORD('newpwd');
as well.
It is likely that the section that talks about anonymous accounts should
recommend
mysql> SET PASSWORD FOR ''@'127.0.0.1' = PASSWORD('newpwd');
Description: Section 2.4.16.3 describes a process for setup that leaves a security hole. It instructs the person installing the database to execute the following two commands: mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('newpwd'); mysql> SET PASSWORD FOR 'root'@'host_name' = PASSWORD('newpwd'); I think this leaves an account root@127.0.0.1 unprotected. mysql> select host,user,password from user; +----------------+-----------------+-------------------------------------------+ | host | user | password | +----------------+-----------------+-------------------------------------------+ | localhost | root | *59E8BDD7D7C01F8BA2CD25A6C4DA8380BAAC6196 | | ajacobs-ubuntu | root | *59E8BDD7D7C01F8BA2CD25A6C4DA8380BAAC6196 | | 127.0.0.1 | root | | | localhost | debian-sys-maint| *1A1C7F99FC38AACD1C2D4E6F7AFD446C0A3CA924 | +----------------+-----------------+-------------------------------------------+ The documentation should say that Unix database installations should run mysql> SET PASSWORD FOR 'root'@'127.0.0.1' = PASSWORD('newpwd'); as well. Anonymous accounts are broken on Linux. When that feature is patched or fixed in a new release, the documentation for anonymous accounts will probably have to get changed as well. How to repeat: Read the manual page MySQL 5.0 Reference Manual :: 2 Installing and Upgrading MySQL :: 2.4 Installing MySQL Community Server :: 2.4.16 Post-Installation Setup and Testing :: 2.4.16.3 Securing the Initial MySQL Accounts Install a server and follow directions. Start up mysql from the command line using % mysql -u root -p Then exec the commands mysql> use mysql mysql> select host,user,password from user; Suggested fix: The documentation Section 2.4.16.3 should say that Unix server installations should run mysql> SET PASSWORD FOR 'root'@'127.0.0.1' = PASSWORD('newpwd'); as well. It is likely that the section that talks about anonymous accounts should recommend mysql> SET PASSWORD FOR ''@'127.0.0.1' = PASSWORD('newpwd');