Mysql account security question

Post by henk »

Is there a valid reason why the hosts 127.0.0.1 and the ::1 for user root have no password assigned?

The host: localhost and user: root use the password from /etc/EFA-Config : MYSQLROOTPWD:******************************************

MariaDB [mysql]> select Host,User,Password from user;
+-----------+-----------+-------------------------------------------+
| Host      | User      | Password                                  |
+-----------+-----------+-------------------------------------------+
| localhost | root      | **************************************    |
| localhost | sa_user   | **************************************    |
| 127.0.0.1 | root      |                                           |
| ::1       | root      |                                           |
| localhost | mailwatch | **************************************    |
| localhost | sqlgrey   | **************************************    |
| localhost | efa       | **************************************    |
+-----------+-----------+-------------------------------------------+

Can I assign passwords for these accounts or simply remove user root for 127.0.0.1 and ::1?

Code:

DELETE FROM mysql.user WHERE user='root' and password='';
FLUSH PRIVILEGES;

To disable ipv6 and only listen on localhost I already changed bind-address = 127.0.0.1 in /etc/my.cnf.d/server.cnf.

Code:

netstat -tapn
tcp        0      0 127.0.0.1:3306              0.0.0.0:*                   LISTEN      13608/mysqld

No problems seen since then, so I think/hope the host ::1 with user root can be disabled without problems anyway, but I want to be sure not to mess up things.
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams

Re: Mysql account security question

Post by shawniverson »

You can remove them, unused.

For obvious reasons, I am flagging this for a fix.

Re: Mysql account security question

Post by shawniverson »


Re: Mysql account security question

Post by pdwalker »

Good catch Henk.

Re: Mysql account security question

Post by henk »

Did change it yesterday, and checked today. No errors seen. (I did make a snapshot before that :shhh: )

There is a default Mysql script that will take care of all the changes:

Code:

/usr/bin/mysql_secure_installation

See https://www.tecmint.com/install-mariadb-in-centos-6/ Step 3


Nice feature: To be able to log in to mysql without typing the password every time:

Create ~/.my.cnf

Code:

[client]
user=root
password=>>>>>>>>>etc/EFA-Config : MYSQLROOTPWD   HERE<<<<<<<

Set read-write privileges only for the user (i.e. chmod 600)

Check settings

Code:

mysql --print-defaults
mysql would have been started with the following arguments:
--user=root --password=>>>>>>>>>etc/EFA-Config : MYSQLROOTPWD   HERE<<<<<<<

Now you can log in without password

Code:

mysql -uroot
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 746
Server version: 10.1.23-MariaDB MariaDB Server
Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| efa                |
| information_schema |
| mailscanner        |
| mysql              |
| performance_schema |
| sa_bayes           |
| sqlgrey            |
+--------------------+
7 rows in set (0.00 sec)

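Added example, not part of the thread and not eFa's own code: it turns an account listing like the one in the first post into one DROP USER statement per empty-password account, and checks that a client option file such as ~/.my.cnf is private. The function names and sample rows are constructed; it assumes tab-separated `mysql -N -B` output and accounts that authenticate through the Password column.

```shell
#!/bin/sh
# Added example (not from the thread, not eFa code). Names are hypothetical.

# Constructed sample of tab-separated rows, shaped like the output of
#   mysql -N -B -e 'SELECT Host,User,Password FROM mysql.user'
# The hash values are placeholders, not real hashes.
sample_rows() {
    printf 'localhost\troot\t*CONSTRUCTED_HASH\n'
    printf '127.0.0.1\troot\t\n'
    printf '::1\troot\t\n'
    printf 'localhost\tmailwatch\t*CONSTRUCTED_HASH\n'
}

# Read rows on stdin and print one DROP USER statement per account whose
# Password column is empty. Each statement names an exact user@host pair,
# so the result can be reviewed before it is applied.
# Assumption: accounts authenticate via the Password column, as in the
# listing on this page; plugin-authenticated accounts need a separate check.
empty_password_fixes() {
    awk -F'\t' -v q="'" 'NF >= 2 && $3 == "" {
        h = $1; u = $2
        gsub(q, q q, h); gsub(q, q q, u)   # double any embedded quote
        printf "DROP USER %s%s%s@%s%s%s;\n", q, u, q, q, h, q
    }'
}

# Succeed only if $1 is a regular file with no group/other permission bits
# (mode 600 or stricter), the setting recommended for ~/.my.cnf.
client_cnf_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Demo on the constructed rows; on a live host pipe the mysql command
# from the comment above into empty_password_fixes instead.
sample_rows | empty_password_fixes
if [ -e "$HOME/.my.cnf" ] && ! client_cnf_is_private "$HOME/.my.cnf"; then
    echo "WARNING: $HOME/.my.cnf is readable by group or others" >&2
fi
```

Unlike a DELETE on mysql.user, DROP USER also removes the account's grants and needs no FLUSH PRIVILEGES.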