Latest MySQL Performance Blog posts
MySQL 5.6 surely changes the game when it comes to security vs. ease of use. Before MySQL 5.6 the default MySQL installation was pretty insecure: the user "root" would be created with no password, together with an anonymous user with limited access from localhost (though still enough to mount a DoS attack or crash the MySQL Server). There were some exceptions to this rule, such as the Debian/Ubuntu install scripts, which would interactively suggest that you set a password for the root user if it was not set. Still, most users would get a MySQL install with a root account and no password.
This is not the case with MySQL 5.6 when you're doing a fresh MySQL install! Installing the official RPM on CentOS 6 I'm getting this:

```
A RANDOM PASSWORD HAS BEEN SET FOR THE MySQL root USER !
You will find that password in '/root/.mysql_secret'.

You must change that password on your first connect,
no other statement but 'SET PASSWORD' will be accepted.
See the manual for the semantics of the 'password expired' flag.

Also, the account for the anonymous user has been removed.

In addition, you can run:

  /usr/bin/mysql_secure_installation

which will also give you the option of removing the test database.
This is strongly recommended for production servers.
```
So we're getting a random password for the root account by default instead of an empty one. Furthermore, it is not written to root's ~/.my.cnf but to a separate .mysql_secret file, so you need to enter it explicitly to connect to the server for the first time, and for good reason, as this is a temporary password only. You can't really use the MySQL Server until you change it:

```
[root@centos6 ~]# mysql -u root -p8AkXyPUs
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.6.13

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show processlist
    -> ;
ERROR 1820 (HY000): You must SET PASSWORD before executing this statement
```
As such, MySQL will refuse any statement, even ones that do not touch database contents at all, until you change the password with the SET PASSWORD command.
If you're looking to keep a password you can run:

```
mysql> set password=password('MySecurePassword');
Query OK, 0 rows affected (0.00 sec)
```
You also have the option to go back to the old behavior and remove the password for the account (this is what I do on the MySQL instance running in VirtualBox on my laptop, as I keep it for testing only):

```
mysql> set password='';
Query OK, 0 rows affected (0.00 sec)
```
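As an added example (not code from the original post), here is a small POSIX shell script that automates the first connect described above: it reads the temporary password from /root/.mysql_secret, puts it in a mode-0600 option file instead of on the command line (the client's "Using a password on the command line interface can be insecure" warning is exactly about that), and issues the one statement the expired account will accept. It assumes the secret file format the 5.6 RPM writes (a comment line ending in the password) and that the mysql client's --connect-expired-password option is available for non-interactive use; both are assumptions on my part, not something the post states.

```shell
#!/bin/sh
# Added example, not from the original post. Automates the first connect on a
# fresh MySQL 5.6 RPM install: read the temporary root password the installer
# left in /root/.mysql_secret and replace it with SET PASSWORD, without putting
# the password on the mysql command line.
# Assumptions: the secret file has the format the 5.6 RPM writes (a comment
# line ending in ": <password>"), and the mysql client is on PATH and supports
# --connect-expired-password.

# The temporary password is the last whitespace-separated token of the last
# non-empty line of the secret file.
read_mysql_secret() {
    awk 'NF { pw = $NF } END { print pw }' "$1"
}

# Double single quotes so the new password can sit inside a SQL string literal.
sql_escape() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# Write a mode-0600 option file holding the credentials. Passing -p<password>
# on the command line (as in the post's interactive session) is what the
# client warns about: the argument shows up in `ps` output and shell history.
# The value is quoted so spaces and '#' survive option-file parsing.
# Prints the path of the file.
make_client_defaults() {
    f=$(mktemp) || return 1
    chmod 600 "$f"
    printf '[client]\nuser=root\npassword="%s"\n' "$1" > "$f"
    echo "$f"
}

# Connect with the expired temporary password and change it. While the
# 'password expired' flag is set only SET PASSWORD is accepted, so that is the
# single statement issued. --connect-expired-password tells the client to
# handle the expired state non-interactively (the interactive client does it
# on its own, as the post's session shows). The option file is removed on exit.
apply_root_password() {
    new_pw=$1
    tmp_pw=$(read_mysql_secret /root/.mysql_secret) || return 1
    defaults=$(make_client_defaults "$tmp_pw") || return 1
    trap 'rm -f "$defaults"' EXIT
    mysql --defaults-extra-file="$defaults" --connect-expired-password \
        -e "SET PASSWORD = PASSWORD('$(sql_escape "$new_pw")')"
}

# Offline demo using a constructed secret file in the installer's format
# (the timestamp and password below are made up for the demo).
demo() {
    sample=$(mktemp)
    printf '# The random password set for the root user at Thu Sep 12 13:43:55 2013 (local time): 8AkXyPUs\n' > "$sample"
    echo "temporary password found: $(read_mysql_secret "$sample")"
    rm -f "$sample"
}

if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
    apply_root_password "$2"
elif [ -z "${1:-}" ]; then
    demo
fi
```

Run it with no arguments to see the parsing against the constructed sample, or as `sh first_connect.sh apply 'NewPassword'` on the freshly installed host to perform the change. Once SET PASSWORD has succeeded the .mysql_secret file holds only a dead temporary password, but it is still worth removing so nobody mistakes it for a live credential.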
So at least with the RPM install, MySQL 5.6 is getting more secure, at the cost of a little more effort from users to make it usable after installation. I hope this change will make the world more secure without discouraging a lot of users by complicating the install process.
This is a popular topic, with news breaking routinely that yet another Internet company has leaked private data of one form or another. Ernie's webinar will be a great overview of securing MySQL from top to bottom, including changes related to security in the 5.6 release.
Topics to be covered include:
- Basic security concepts
- Security above the MySQL layer (network, hardware, OS, etc.)
- Tips for application design
- A more secure MySQL configuration
- Security-related changes in MySQL 5.6
Attendees will leave this presentation knowing where to start when identifying vulnerabilities in their systems.
Be sure to register for the webinar in advance!