MySQL 5.6: Security vs. Ease of Use

MySQL 5.6 surely changes the game when it comes to security versus ease of use. Before MySQL 5.6, the default MySQL installation was pretty insecure – the user “root” was created with no password, along with an anonymous user with limited access from the local host (though still enough to allow DoS attacks or to crash MySQL Server).

There were some exceptions to this rule. For instance, the Debian/Ubuntu install scripts would interactively suggest that you set a password for the root user if it was not set. Still, most users would get a MySQL install with a root account and no password.

This is not the case with MySQL 5.6 when you’re doing a fresh MySQL install! Installing the official RPM on CentOS 6, I’m getting this:

A RANDOM PASSWORD HAS BEEN SET FOR THE MySQL root USER !
You will find that password in '/root/.mysql_secret'.
 
You must change that password on your first connect,
no other statement but 'SET PASSWORD' will be accepted.
See the manual for the semantics of the 'password expired' flag.
 
Also, the account for the anonymous user has been removed.
 
In addition, you can run:
 
  /usr/bin/mysql_secure_installation
 
which will also give you the option of removing the test database.
This is strongly recommended for production servers.

So, we’re getting a random password for the root account by default instead of an empty one. Furthermore, it is not stored in root’s my.cnf (where the client would pick it up automatically) but in a separate .mysql_secret file, so you need to enter it explicitly to connect to the server for the first time – and this is for good reason, since it is a temporary password only. You can’t really use MySQL Server until you change it:

[root@centos6 ~]# mysql -u root -p8AkXyPUs
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.6.13
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show processlist
    -> ;
ERROR 1820 (HY000): You must SET PASSWORD before executing this statement

As such, MySQL refuses every other statement – even ones that do not touch any database contents – until you change the password with the SET PASSWORD command.

If you want to keep a password on the account, you can run:

mysql> set password=password('MySecurePassword');
Query OK, 0 rows affected (0.00 sec)

You also have the option to go back to the old behavior and remove the password from the account (this is what I do on MySQL running on VirtualBox on my laptop, since I keep it for testing only):

mysql> set password='';
Query OK, 0 rows affected (0.00 sec)
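The first-connect procedure above, scripted for a provisioning run. This is an added example, not code from the original post or from MySQL itself; it assumes the password is the last field on the last line of .mysql_secret, that the mysql client is on PATH, and that the server runs with the default sql_mode (backslash escapes enabled). Passing the password through MYSQL_PWD avoids the "password on the command line" warning shown in the session above.

```shell
#!/bin/sh
# Added example (not from the original post): handle the 'password expired'
# state of a fresh MySQL 5.6 RPM install without an interactive session.
# 1. read the temporary root password from /root/.mysql_secret
# 2. replace it with SET PASSWORD, the only statement the server accepts
# 3. list the accounts the post warns about: anonymous users and accounts
#    with an empty password (mysql.user.password is the 5.6 column name)
set -e

# Print the temporary password: last field of the last non-empty line.
# (Assumed file layout; the post only says the password is in this file.)
read_mysql_secret() {
    awk 'NF { pw = $NF } END { print pw }' "$1"
}

# Make a value safe inside a single-quoted SQL string literal:
# double backslashes first, then double single quotes.
sql_quote() {
    printf '%s' "$1" | sed 's/\\/\\\\/g' | sed "s/'/''/g"
}

# Build the SET PASSWORD statement for the new password.
set_password_sql() {
    printf "SET PASSWORD = PASSWORD('%s');" "$(sql_quote "$1")"
}

# Connect with the temporary password, change it, then audit mysql.user.
# MYSQL_PWD keeps the password out of the process list and shell history.
secure_first_login() {
    secret_file=$1
    new_password=$2
    MYSQL_PWD=$(read_mysql_secret "$secret_file") \
        mysql -u root -e "$(set_password_sql "$new_password")"
    MYSQL_PWD=$new_password mysql -u root -e \
        "SELECT user, host, password_expired FROM mysql.user
         WHERE user = '' OR password = '';"
}

# Usage: ./secure_first_login.sh /root/.mysql_secret 'MySecurePassword'
if [ "$#" -eq 2 ]; then
    secure_first_login "$1" "$2"
fi
```

Any row the final SELECT prints is an account that mysql_secure_installation would also flag; drop it or set a password before the server is exposed.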

So, at least with the RPM install, MySQL 5.6 is getting more secure, and the little extra effort required after installation is worthwhile. I hope this change will make things more secure and will not discourage a lot of users by complicating the install process.

Published at DZone with permission of Peter Zaitsev, DZone MVB. See the original article here.