Description:
One of the functions of mysql_secure_installation
is to allow you to set the root password. But under
certain circumstances, it leaves a root account
with no password.

The set_root_password function in the script
executes this query:

    do_query "SET PASSWORD FOR root=PASSWORD('$password1');"

However, this sets the root@localhost account only.
There is also a root@real.host.name account present
in the initial grant tables.

*If* you also elect to have mysql_secure_installation
disable remote root access, it will remove the
root@real.host.name account, then there is no
problem. But if you do not disable remote root
access, that account remains in the grant tables,
and will have no password.

How to repeat:
Run mysql_secure_installation.

Set the root password.

Don't disable remote root.

Then look at the user table.
It'll have a root account with no password.

Suggested fix:
Don't use:

    do_query "SET PASSWORD FOR root=PASSWORD('$password1');"

Use:

    do_query "UPDATE mysql.user SET Password=PASSWORD('$password1') WHERE User='root';"
 
That should set the password for all root accounts, not just root@localhost.

bk commit - 4.0 tree (1.1582)
ChangeSet
  1.1582 03/10/24 15:20:46 vva@eagle.mysql.r18.ru +1 -0

Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.

If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at
    http://www.mysql.com/doc/en/Installing_source_tree.html