Where the open source database community meets: Use code PERCONA75 and secure your spot for Percona Live. Register

Downloads

Blog

Reset MySQL root password without restarting MySQL (no downtime!)

December 10, 2014

Author

Daniel Guzmán Burgos

Insight for DBAs

MySQL

Share this Post:

Disclaimer: Reset the MySQL root password at your own risk! It doesn’t apply if you’re using Pluggable authentication and certainly won’t be usable if/when MySQL system tables are stored on InnoDB

What is the situation?

The situation is the classic “need to reset MySQL root password” but you cannot restart MySQL (because it is the master production server, or any other reason), which makes the –skip-grant-tables solution as a no-no possibility.

What can I do?

There is a workaround, which is the following:

Launch another instance of mysqld, a small one (without innodb).

Copy your user.[frm|MYD|MYI] files from the original datadir to the datadir of the new instance.

Modify them and then copy them back to the original location.

That simple? No, but close. Here is the step by step:

Step by step recovery

Create a new datadir and run mysql_install_db for the new datadir. This one will be removed at the end. Don’t forget to change ownership to mysql user and group:

[root@machina dbdata]# mkdir datadir
[root@machina dbdata]# chown -R mysql:mysql datadir/
[root@machina dbdata]# mysql_install_db --datadir=/dbdata/datadir/ --user=mysql
Installing MySQL system tables...OK
Filling help tables...OK

[root@machina dbdata]# mkdir datadir

[root@machina dbdata]# chown -R mysql:mysql datadir/

[root@machina dbdata]# mysql_install_db --datadir=/dbdata/datadir/ --user=mysql

Installing MySQL system tables...OK

Filling help tables...OK

Launch the new instance. Be careful with the datadir path, the socket file and the port number. Also, disable InnoDB, you won’t need it, just add –skip-innodb AND –default-storage-engine=myisam:

[root@machina datadir]# /usr/sbin/mysqld --basedir=/usr --datadir=/dbdata/datadir --plugin-dir=/usr/lib/mysql/plugin --skip-innodb --default-storage-engine=myisam --socket=/var/run/mysqld/mysql2.sock --port=3307 --user=mysql --log-error=/dblogs/log/error2.log --pid-file=/dbdata/data/mysql.pid &

1	[root@machina datadir]# /usr/sbin/mysqld --basedir=/usr --datadir=/dbdata/datadir --plugin-dir=/usr/lib/mysql/plugin --skip-innodb --default-storage-engine=myisam --socket=/var/run/mysqld/mysql2.sock --port=3307 --user=mysql --log-error=/dblogs/log/error2.log --pid-file=/dbdata/data/mysql.pid &

Copy the user.* files from the original mysql instance (the ones that you need to modify) to the new instance’s datadir and login to this instance of mysql:

[root@machina ~]# cp /dbdata/data/mysql/user.* /dbdata/datadir/mysql/cp: overwrite `/dbdata/datadir/mysql/user.frm'? y
cp: overwrite `/dbdata/datadir/mysql/user.MYD'? y
cp: overwrite `/dbdata/datadir/mysql/user.MYI'? y

[root@machina datadir]# mysql --socket=/var/run/mysqld/mysql2.sock -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or g.

[root@machina ~]# cp /dbdata/data/mysql/user.* /dbdata/datadir/mysql/cp: overwrite `/dbdata/datadir/mysql/user.frm'? y

cp: overwrite `/dbdata/datadir/mysql/user.MYD'? y

cp: overwrite `/dbdata/datadir/mysql/user.MYI'? y

[root@machina datadir]# mysql --socket=/var/run/mysqld/mysql2.sock -p

Enter password:

Welcome to the MySQL monitor. Commands end with ; or g.

Execute a “flush tables” command, so the user table will be “reopened” and you can see the data and verify:

mysql2> flush tables;
mysql2> select user, host, password from user where user like 'root';
+------+--------------------------------------+------------------------------------------+
| user | host                                 | password                                 |
+------+--------------------------------------+------------------------------------------+
| root | localhost                            | 696D727429CC43695423FA5F2F0155D92A0AAC08 |
| root | 127.0.0.1                            | 696D727429CC43695423FA5F2F0155D92A0AAC08 |
| root | %                                    | 696D727429CC43695423FA5F2F0155D92A0AAC08 |
+------+--------------------------------------+------------------------------------------+
3 rows in set (0.00 sec)

mysql2> flush tables;

mysql2> select user, host, password from user where user like 'root';

+------+--------------------------------------+------------------------------------------+

| user | host | password |

+------+--------------------------------------+------------------------------------------+

| root | localhost | 696D727429CC43695423FA5F2F0155D92A0AAC08 |

| root | 127.0.0.1 | 696D727429CC43695423FA5F2F0155D92A0AAC08 |

| root | % | 696D727429CC43695423FA5F2F0155D92A0AAC08 |

+------+--------------------------------------+------------------------------------------+

3 rows in set (0.00 sec)

Now, reset the MySQL root password field with the desired value:

mysql2> update mysql.user set password='*696D727429CC43695423FA5F2F0155D92A0AAC08' where user like 'root';
Query OK, 3 rows affected (0.00 sec)
Rows matched: 3  Changed: 3  Warnings: 0

mysql2> update mysql.user set password='*696D727429CC43695423FA5F2F0155D92A0AAC08' where user like 'root';

Query OK, 3 rows affected (0.00 sec)

Rows matched: 3 Changed: 3 Warnings: 0

Verify again:

mysql2> select user, host, password from user where user like 'root';
+------+--------------------------------------+-------------------------------------------+
| user | host                                 | password                                  |
+------+--------------------------------------+-------------------------------------------+
| root | localhost                            | *696D727429CC43695423FA5F2F0155D92A0AAC08 |
| root | 127.0.0.1                            | *696D727429CC43695423FA5F2F0155D92A0AAC08 |
| root | %                                    | *696D727429CC43695423FA5F2F0155D92A0AAC08 |
+------+--------------------------------------+-------------------------------------------+
3 rows in set (0.00 sec)

mysql2> select user, host, password from user where user like 'root';

+------+--------------------------------------+-------------------------------------------+

| user | host | password |

+------+--------------------------------------+-------------------------------------------+

| root | localhost | *696D727429CC43695423FA5F2F0155D92A0AAC08 |

| root | 127.0.0.1 | *696D727429CC43695423FA5F2F0155D92A0AAC08 |

| root | % | *696D727429CC43695423FA5F2F0155D92A0AAC08 |

+------+--------------------------------------+-------------------------------------------+

3 rows in set (0.00 sec)

Flush privileges and verify that the new password is correct, by logging in again:

mysql2> flush privileges; Query OK, 0 rows affected (0.00 sec)

1
2

mysql2> flush privileges;
Query OK, 0 rows affected (0.00 sec)

Now that we have made the changes, we can move back the user.* files to the original location, being extremely careful with owner and privileges:

[root@machina ~]# cd /dbdata/datadir/mysql/
[root@machina mysql]# cp user.* /dbdata/data/mysql/; chown mysql:mysql /dbdata/data/mysql/user.*; chmod 660 /dbdata/data/mysql/user.*
cp: overwrite `/dbdata/data/mysql/user.frm'? y
cp: overwrite `/dbdata/data/mysql/user.MYD'? y
cp: overwrite `/dbdata/data/mysql/user.MYI'? y

[root@machina ~]# cd /dbdata/datadir/mysql/

[root@machina mysql]# cp user.* /dbdata/data/mysql/; chown mysql:mysql /dbdata/data/mysql/user.*; chmod 660 /dbdata/data/mysql/user.*

cp: overwrite `/dbdata/data/mysql/user.frm'? y

cp: overwrite `/dbdata/data/mysql/user.MYD'? y

cp: overwrite `/dbdata/data/mysql/user.MYI'? y

At this moment, you can shutdown the new mysql instance since is no longer needed. Be very very careful so you don’t end up shutting down your original mysqld!:

[root@machina datadir]# mysqladmin --socket=/var/run/mysqld/mysql2.sock -p shutdown
Enter password:
141120 06:59:14 mysqld_safe mysqld from pid file /dbdata/data/mysql.pid ended

[root@machina datadir]# mysqladmin --socket=/var/run/mysqld/mysql2.sock -p shutdown

Enter password:

141120 06:59:14 mysqld_safe mysqld from pid file /dbdata/data/mysql.pid ended

Now, the last step is to execute a “FLUSH PRIVILEGES” in the original mysqld. Since we cannot yet access it, we need to send a SIGHUP signal to mysqld. MySQL responds to this signal by reloading the grant tables and flushing tables, logs, the thread cache, and the host cache, so choose wisely the moment of the day when you want to send the SIGHUP since the performance might be degraded (look at “flush tables” ).The way to send SIGHUP is to execute “kill” command with the -1 flag:

[root@machina datadir]# kill -1 $(/sbin/pidof mysqld)

1

[root@machina datadir]# kill -1 $(/sbin/pidof mysqld)

Finally, login into MySQL as root!:

[root@machina datadir]# mysql -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or g.
Your MySQL connection id is 101208

mysql1> select user, host, password from mysql.user where user like 'root';
+------+--------------------------------------+-------------------------------------------+
| user | host                                 | password                                  |
+------+--------------------------------------+-------------------------------------------+
| root | localhost                            | *696D727429CC43695423FA5F2F0155D92A0AAC08 |
| root | 127.0.0.1                            | *696D727429CC43695423FA5F2F0155D92A0AAC08 |
| root | %                                    | *696D727429CC43695423FA5F2F0155D92A0AAC08 |
+------+--------------------------------------+-------------------------------------------+
3 rows in set (0.00 sec)

[root@machina datadir]# mysql -p

Enter password:

Welcome to the MySQL monitor. Commands end with ; or g.

Your MySQL connection id is 101208

mysql1> select user, host, password from mysql.user where user like 'root';

+------+--------------------------------------+-------------------------------------------+

| user | host | password |

+------+--------------------------------------+-------------------------------------------+

| root | localhost | *696D727429CC43695423FA5F2F0155D92A0AAC08 |

| root | 127.0.0.1 | *696D727429CC43695423FA5F2F0155D92A0AAC08 |

| root | % | *696D727429CC43695423FA5F2F0155D92A0AAC08 |

+------+--------------------------------------+-------------------------------------------+

3 rows in set (0.00 sec)

You can see your schemas? of course you can! your databases are okay!

mysql1> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| percona            |
| testing            |
+--------------------+
4 rows in set (0.03 sec)

mysql1> show databases;

+--------------------+

| Database |

+--------------------+

| information_schema |

| mysql |

| percona |

| testing |

+--------------------+

4 rows in set (0.03 sec)

We’ve successfully reset the MySQL root password without the need to restart MySQL and thus avoid downtime.

I hope you never face this situation, but in case you do, there’s a workaround to recover your access! Is there another way to perform this?

Share it with the world!

0 0 votes

Article Rating

8 Comments

Oldest

Newest Most Voted

Inline Feedbacks

View all comments

rucypli

11 years ago

nice

Harjit Lakhan

11 years ago

Nice work, one extra step – before copying back in step 8 – BACKUP the orignal files , JUST IN CASE!!!

Fadi El-Eter (itoctopus)

11 years ago

Hi Daniel,

That is super helpful and it does save lives especially for mission critical applications.

Quick question: If someone is logged in with the old root password, and the above is done, will he be logged out or will he still be logged in?

Chintoo

11 years ago

I am working as MySQL DBA Since 2007 , This article explore the security of MysqL

Although this is Nice article , I did this step before, but that was much easier than this.

1- Go to /var/lib/mysq/mysql
2- vim user.MYD
3- check the password in the file
4- In Every production server there will be backup user with reload privileges
5- enter the MySQL with backup user
6- below command will show the backup user encrypted password
select user,password from mysql.user where user=’backup’;
7- now on OS command prompt replace with below command

sed -i ‘s/611c244e5a929da3/1d86bc847e3f5728/g’ user.MYD

8- enter the mysql prompt with backup user and execute below command

FLUSH TABLE;
FLUSH PRIVILEGES;
now exit

9- enter with root new password of backup user password without restarting MySQL

minimum backup user privileges needed.for production database

GRANT SELECT, RELOAD, EXECUTE, SHOW VIEW, EVENT ON *.* TO ‘backup’@’localhost’

Brijesh Patel

11 years ago

I really doubt you can modify user.MYD as Chintoo suggested, but you can try using one of the Hex Editor to modify the file and update or empty out the password from the file.

rajesh

10 years ago

Hi Daniel,

very good article..I got some doubts ..If we have copy user* from recover instance to original instance only root user will be copied..What about if we have other users like backup user,other users?????

And also i have faced table corruption when i copy from 3307 to 3306.

Dim

9 years ago

super post. thanks a lot!

Sander

9 years ago

How does one replicate these changes into the other servers of the cluster? Whenever I restart my cluster, the changes I’ve just added are overwritten by a state transfer.