Bug #71096 Can login all user from localhost.
Submitted: 5 Dec 2013 17:31
Modified: 5 Dec 2013 20:11
Reporter: 徹 赤松
Status: Not a Bug
Category: MySQL Server
Severity: S2 (Serious)
Version: 5.6.14
OS: Linux (source distribution)
Assigned to:
CPU Architecture: Any
Tags: mysql.user

[5 Dec 2013 17:31] 徹 赤松
Description:
I installed the latest MySQL version, 5.6.14, from source on Linux.
Then I checked the mysql.user table.

# ./bin/mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.6.14 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select user,host,password from mysql.user;
+------+-----------------+----------+
| user | host            | password |
+------+-----------------+----------+
| root | localhost       |          |
| root | std05.kic.ac.jp |          |
| root | 127.0.0.1       |          |
| root | ::1             |          |
|      | localhost       |          | *all user from localhost
|      | std05.kic.ac.jp |          | *all user from installed mysqld
+------+-----------------+----------+
6 rows in set (0.00 sec)

mysql> \q
Bye

So I checked logging in to mysqld with -u nouser; nouser is not defined in /etc/passwd.
But nouser can log in to mysqld.

# ./bin/mysql -u nouser
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.6.14 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \s
--------------
./bin/mysql  Ver 14.14 Distrib 5.6.14, for Linux (i686) using  EditLine wrapper

Connection id:          3
Current database:
Current user:           nouser@localhost
SSL:                    Not in use
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.6.14 Source distribution
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    utf8
Conn.  characterset:    utf8
UNIX socket:            /tmp/mysql.sock
Uptime:                 1 min 57 sec

Threads: 1  Questions: 11  Slow queries: 0  Opens: 67  Flush tables: 1  Open tables: 60  Queries per second avg: 0.094
--------------

mysql> show grants;
+--------------------------------------+
| Grants for @localhost                |
+--------------------------------------+
| GRANT USAGE ON *.* TO ''@'localhost' |
+--------------------------------------+
1 row in set (0.00 sec)

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| test               |
+--------------------+
2 rows in set (0.00 sec)

mysql> \q
Bye

If I set up a web system, the apache user can see the information_schema and test databases.
Is this the right setup?

How to repeat:
I think, for the default setting of the mysql.user table,
  delete ''@'localhost' and ''@'installed_mysqld'.

Or add a check routine:
  whether the user is a real local user in the /etc/passwd file and can use /bin/bash.

I would be glad of your reply.
[5 Dec 2013 17:43] Todd Farmer
Thank you for taking the time to write to us, but this is not a bug. You'll want to run mysql_secure_installation:

http://dev.mysql.com/doc/refman/5.6/en/mysql-secure-installation.html
[5 Dec 2013 20:11] 徹 赤松
I read scripts/mysql_install_db and found the part about the anonymous user.
In the script: set up a password for the root user,
 and delete the anonymous user,
 and run $bindir/mysql_secure_installation.

For more mysqld security, it is better not to add the anonymous user.

Thank you for your reply.
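
Added example, not part of the bug report and not MySQL code: a small audit of the mysql.user listing shown in the report. It flags anonymous and passwordless rows and shows why a login as nouser is served by ''@'localhost'. The function names and the simplified matching model (literal host names and the bare '%' wildcard only) are assumptions of this example.

```python
# Added example (not from the bug report): audit a mysql.user listing.
# SAMPLE copies the rows shown in the report; the reporter's notes are omitted.
SAMPLE = """\
+------+-----------------+----------+
| user | host            | password |
+------+-----------------+----------+
| root | localhost       |          |
| root | std05.kic.ac.jp |          |
| root | 127.0.0.1       |          |
| root | ::1             |          |
|      | localhost       |          |
|      | std05.kic.ac.jp |          |
+------+-----------------+----------+
"""

def parse_user_table(text):
    """Turn the mysql client's boxed table output into a list of dicts."""
    rows = [[cell.strip() for cell in line.split("|")[1:-1]]
            for line in text.splitlines() if line.startswith("|")]
    return [dict(zip(rows[0], row)) for row in rows[1:]]

def audit(accounts):
    """Return (account, problem) pairs for anonymous or passwordless rows."""
    findings = []
    for acct in accounts:
        name = "'%s'@'%s'" % (acct["user"], acct["host"])
        if acct["user"] == "":
            findings.append((name, "anonymous: matches any user name"))
        if acct["password"] == "":
            findings.append((name, "empty password"))
    return findings

def matching_account(accounts, user, host):
    """Simplified model of which row authenticates user@host.
    Assumption: host values are literal names or the bare wildcard '%'.
    Literal hosts sort before '%', then named users before the blank user,
    and the first candidate is used."""
    candidates = [a for a in accounts
                  if a["host"] in (host, "%") and a["user"] in (user, "")]
    candidates.sort(key=lambda a: (a["host"] == "%", a["user"] == ""))
    return candidates[0] if candidates else None

if __name__ == "__main__":
    accounts = parse_user_table(SAMPLE)
    for name, problem in audit(accounts):
        print(name, "->", problem)
    print(matching_account(accounts, "nouser", "localhost"))
```

Under the same model, a named account created only for host '%' still loses to ''@'localhost' for local connections, which is one more reason to remove the anonymous rows.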