Neil Williams wrote:

>On Sunday 28 August 2005 10:21 am, John Palmer wrote:
>
>>I'm sure Neil Williams has thought this out carefully, but on his scheme
>>(i.e. mysqladmin password blank) what exactly stops some awkward person
>>from running
>> mysqladmin drop <some-vital-database> ?
>
>? There's confusion here. I'm talking about the packaging user created in the
>user table in MySQL itself that provides access for the installation helper.

Yes, I think that is where the confusion arises. The original question was about changing the root password in mysql. This has got nothing to do with the packaging user (debian-sys-maint) referred to by Neil.

debian-sys-maint does have a password which is auto generated by the installer and is stored in /etc/mysql/debian.cnf. If you change this without updating the config file it will probably break lots of other installs that try and use it.

The root user is standard mysql though and must be made secure if you expect anyone other than yourself to use the host computer. The links Neil provided give a good overview of mysql security and how to change the root password.

http://dev.mysql.com/doc/mysql/en/default-privileges.html

As far as I know mysqladmin uses the same access methods as other mysql clients and allows you to specify both user and password so to be pedantic the command would be

    mysqladmin --user=root drop productiondatabase

Setting a root password would prevent this.

Cheers,
Pete

>This can be secured by revoking some privileges for that user, preventing
>access to specific databases (or tables). That leaves the installation/update
>route open for new databases supporting newly installed packages. If, as I
>said before, you aren't going to be updating / installing such packages,
>secure this fully.
>
>This page covers such a secure setup:
>http://dev.mysql.com/doc/mysql/en/security-guidelines.html
>
>mysqladmin is different - that IS a representation of the root user on the
>real system (or it should be) when run as root user. Otherwise it uses the
>current user. Secure it for the current user with a password but the root
>user should be secure anyway.
>
>Setting a mysqladmin password is fine, just don't delete the packaging user
>from the mysql.user table.
>
>Getting access with -uroot still requires access to the local machine (unless
>you've been silly and enabled that user outside localhost).
>
>http://dev.mysql.com/doc/mysql/en/default-privileges.html
>
>Check your own installation mysql.user table. Ordinary users should not be
>able to access any of the mysql database tables.

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.
FAQ: www.dcglug.org.uk/linux_adm/list-faq.html
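
The mysql.user check suggested in the thread, as an added example that is not part of the original messages: it flags accounts with a blank password, a root entry whose host is not local, and a missing debian-sys-maint row. The function name, the constructed sample rows, and the input format (tab-separated output of `mysql -B -N -e "SELECT User, Host, Password FROM mysql.user"`, with `Password` being the column name in MySQL versions of that period) are assumptions.

```python
"""Audit rows exported from mysql.user (added example, not from the thread)."""

# Hosts treated as "local" for the root account.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Debian packaging account named in the thread; it must stay in mysql.user.
PACKAGING_USER = "debian-sys-maint"

# Constructed sample input: User<TAB>Host<TAB>Password, one account per line.
SAMPLE = (
    "root\tlocalhost\t\n"                        # blank root password
    "root\t%\t*CONSTRUCTED-HASH\n"               # root reachable from any host
    "debian-sys-maint\tlocalhost\t*CONSTRUCTED-HASH\n"
    "webapp\tlocalhost\t*CONSTRUCTED-HASH\n"
)


def audit_user_rows(text):
    """Return a list of (user, host, issue) tuples for risky account rows."""
    findings = []
    packaging_seen = False
    for line in text.splitlines():
        if not line:
            continue
        # Pad short rows so a missing trailing field reads as an empty string.
        user, host, password = (line.split("\t") + ["", ""])[:3]
        if user == PACKAGING_USER:
            packaging_seen = True
        if password == "":
            # Anyone with local access can connect as this account.
            findings.append((user, host, "empty-password"))
        if user == "root" and host.lower() not in LOCAL_HOSTS:
            # root should only be usable from the machine itself.
            findings.append((user, host, "root-non-local-host"))
    if not packaging_seen:
        # Package install/upgrade scripts rely on this account.
        findings.append((PACKAGING_USER, "", "packaging-user-missing"))
    return findings


if __name__ == "__main__":
    for user, host, issue in audit_user_rows(SAMPLE):
        print(f"{user!r}@{host!r}: {issue}")
```
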