Bug #23636 server installs mysqld without password for root using network connect (br 1792)
Submitted: 25 Oct 2006 16:35
Modified: 26 Oct 2006 13:49
Reporter: Andy Bang
Status: Closed
Category: MySQL Enterprise Monitor: Installing
Severity: S1 (Critical)
Version:
OS:
Assigned to: Keith Russell
CPU Architecture: Any

[25 Oct 2006 16:35] Andy Bang
Description:
From Monty:

- I checked the mysqld installation inside Merlin and noticed that the root user only had a password for 'localhost' (i.e. socket), not for network connections. I.e., anyone can connect to the mysqld server included in Merlin and get all information out of it without any password.

How to repeat:
See Description.

Suggested fix:
Ensure that ALL root accounts created have a password. These are typically root@localhost and root@'%'.

[25 Oct 2006 16:49] Andy Bang
For select Host, User, Password from mysql.user, we're seeing this on Windows:

+------+--------------------+-------------------------------------------+
| user | host               | password                                  |
+------+--------------------+-------------------------------------------+
| root | localhost          | *91D70B1A27857A67CDCD73F7D043E9484E34B247 |
+------+--------------------+-------------------------------------------+

But we're seeing this on Linux:

+------+--------------------+-------------------------------------------+
| user | host               | password                                  |
+------+--------------------+-------------------------------------------+
| root | localhost          | *91D70B1A27857A67CDCD73F7D043E9484E34B247 |
| root | net-sup1.mysql.com |                                           |
|      | net-sup1.mysql.com |                                           |
|      | localhost          |                                           |
+------+--------------------+-------------------------------------------+

The second root account should have a password and the anonymous accounts should be removed.

[25 Oct 2006 22:38] Keith Russell
Reported as resolved by Bitrock in ver => 7.12

[26 Oct 2006 4:10] Bill Weber
Punita, can you test this on the Linux build? Thanks, Bill

[26 Oct 2006 13:49] Carsten Segieth
Tested OK with 0.7.12 installed on qa-srv-b (SUSE 9.3):

mysql> select Host, User, Password from mysql.user;
+-----------+---------+-------------------------------------------+
| Host      | User    | Password                                  |
+-----------+---------+-------------------------------------------+
| localhost | pinodba | *07B2577DE53C22CA50128EFE1B30CA9CB62F3051 |
| qa-srv-b  | pinodba | *07B2577DE53C22CA50128EFE1B30CA9CB62F3051 |
+-----------+---------+-------------------------------------------+
2 rows in set (0.00 sec)
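
The check applied by hand in the comments above (no account with an empty password, no anonymous account) can be run automatically over the client output. The following Python is an added example, not part of the original report or of the installer; the function names are hypothetical, and the sample tables reproduce the rows posted in this report with the hash values replaced by a placeholder.

```python
# Added example: audit `select Host, User, Password from mysql.user` output.
# Sample data: rows as posted in this report, hashes replaced by a placeholder.
LINUX_BEFORE = """
+------+--------------------+--------+
| user | host               | password |
+------+--------------------+--------+
| root | localhost          | *HASH  |
| root | net-sup1.mysql.com |        |
|      | net-sup1.mysql.com |        |
|      | localhost          |        |
+------+--------------------+--------+
"""
AFTER_FIX = """
mysql> select Host, User, Password from mysql.user;
+-----------+---------+----------+
| Host      | User    | Password |
+-----------+---------+----------+
| localhost | pinodba | *HASH    |
| qa-srv-b  | pinodba | *HASH    |
+-----------+---------+----------+
2 rows in set (0.00 sec)
"""

def parse_table(text):
    """Turn mysql client box output into dicts keyed by lowercase column name."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip borders, the prompt line and the row-count footer
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = [c.lower() for c in cells]  # column order and case vary
        else:
            rows.append(dict(zip(header, cells)))
    return rows

def audit(rows):
    """Return (account, problem) pairs for anonymous or passwordless accounts."""
    findings = []
    for r in rows:
        account = "%s@%s" % (r["user"] or "''", r["host"])
        if r["user"] == "":
            findings.append((account, "anonymous account"))
        if r["password"] == "":
            findings.append((account, "empty password"))
    return findings

if __name__ == "__main__":
    for account, problem in audit(parse_table(LINUX_BEFORE)):
        print(account, "->", problem)
```

An installer smoke test can fail the build whenever `audit()` returns a non-empty list for the freshly installed server.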