Description:
mysql_secure_installation has the capability of removing non-local root accounts.

http://dev.mysql.com/doc/refman/5.1/en/mysql-secure-installation.html says:

"You can remove root accounts that are accessible from outside the local host."

However, the code that removes non-local accounts looks like this:

remove_remote_root() {
   do_query "DELETE FROM mysql.user WHERE User='root' AND Host!='localhost';"
   if [ $? -eq 0 ]; then
   echo " ... Success!"
   else
   echo " ... Failed!"
   fi
}

That code works in 4.1, but not in 5.0 or higher, because the default set of accounts includes root@127.0.0.1. That account is local, but the DELETE statement will remove it.

In 5.5.3 and up, the default set of accounts also includes root@::1, and the DELETE statement will remove that as well.

The test needs to be updated so that the DELETE does not remove the non-"localhost" local accounts.

How to repeat:
By inspection.

Verified just as described on current 5.1.48 from bzr by code review.

Note that by removing root@127.0.0.1, mysql_secure_installation removes a necessary account. Although connections to 127.0.0.1 normally resolve to the root@localhost account, that does not happen if the server is run with --skip-name-resolve. In that case, the root@127.0.0.1 account is necessary. (See discussion in Bug#32542.)

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/110174

3399 Jim Winstead	2010-06-03
      The removal of non-local root users is overzealous in
      mysql_secure_installation. (Bug #54004)

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/113541

3479 Georgi Kodinov	2010-07-14
      Bug #54004 : mysql_secure_installation identifies "local host" incorrectly
      
      The removal of non-local root users is overzealous in
      mysql_secure_installation. (Bug #54004)

Pushed into mysql-trunk 5.5.6-m3 (revid:alik@sun.com-20100723121820-jryu2fuw3pc53q9w) (version source revid:vasil.dimov@oracle.com-20100531152341-x2d4hma644icamh1) (merge vers: 5.5.5-m3) (pib:18)

Pushed into mysql-next-mr (revid:alik@sun.com-20100723121929-90e9zemk3jkr2ocy) (version source revid:vasil.dimov@oracle.com-20100531152341-x2d4hma644icamh1) (pib:18)

Noted in 5.1.50, 5.5.6 changelogs.

mysql_secure_installation did not properly identify local accounts
and could incorrectly remove nonlocal root accounts.

Pushed into mysql-5.1 5.1.51 (revid:build@mysql.com-20100819151858-muaaor6jojb5ouzj) (version source revid:build@mysql.com-20100819151858-muaaor6jojb5ouzj) (merge vers: 5.1.51) (pib:20)

Pushed into mysql-5.1-telco-7.0 5.1.51-ndb-7.0.20 (revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (version source revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (merge vers: 5.1.51-ndb-7.0.20) (pib:21)

Pushed into mysql-5.1-telco-6.3 5.1.51-ndb-6.3.39 (revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (version source revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (merge vers: 5.1.51-ndb-6.3.39) (pib:21)

Pushed into mysql-5.1-telco-6.2 5.1.51-ndb-6.2.19 (revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (version source revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (merge vers: 5.1.51-ndb-6.2.19) (pib:21)