Fwd: Re: [Leaplist] Ubuntu 8.02 and MySQL 5.x

Dan Cherry dan.s.cherry at gmail.com
Mon Nov 24 21:32:47 EST 2008 

Sorry for the delay - I just noticed that I replied directly to Fred by 
mistake - meant to send it to the list...
----------  Forwarded Message  ----------

On Monday 24 November 2008 7:20:02 am Fred Moore wrote:
> Dan Cherry wrote:
> > On Sunday 23 November 2008 11:09:22 pm John Simpson wrote:
> >> On 2008-11-23, at 1436, Dan Cherry wrote:
> >>> On Sunday 23 November 2008 1:03:05 pm Jason Boxman wrote:
> >>>> You might look in:
> >>>>
> >>>> /etc/mysql/debian.cnf
> >>>>
> >>>> It'll define a password for debian-sys-maint which is probably the
> >>>> account
> >>>> it is looking for.  PostgreSQL has a similar special user
> >>>> configuration for
> >>>> updates on Debian.  The file's readable only by root.
> >>>>
> >>>> I don't know if that is the actual password or if it's encrypted,
> >>>> though.
> >>>> If it's the latter, your knowledge of what to actually set it to
> >>>> won't help
> >>>> that much.
> >>>
> >>> the password in debian.cnf is a plain text password.  The password
> >>> stored
> >>> within mysql is encrypted.  use the passwd() function in mysql to
> >>> encrypt the
> >>> plain text string from debian.cnf, and you should be good to go.
> >>
> >> which suggests to me that every ubuntu (or debian?) system out there
> >> which uses the mysql packages, has the same mysql root (or root-
> >> equivalent) password.
> >
> > apparently, the password is generated at installation time.  It's
> > different on each machine I use.  Which kinda hints that it could be
> > regenerated, but I'm just not familiar with which program does that.

clarification:  the password I'm talking about in the last paragraph is the 
mysql debian-system-maint password - not the mysql root password.

Fred's right, the root password is not set at installation, and is only 
accessible from localhost.  As a matter of good practice, that SHOULD be 
changed by the administrator the first time they run mysql.  But the mysql 
debian-sys-maint user-id/password should not be changed unless you want to 
disable updates/upgrades via apt.

> >
> >> would it make sense to tell people to change that password (or even
> >> better, the userid AND the password), especially if their mysql server
> >> is listening on a TCP socket which is open to the world?
> >
> > likely not.  In order to access the userid and password
> > from /etc/mysql/debian.cnf you would have to have root privileges.  Once
> > you can read that file, you'd have access to the new userid and password,
> > anyway.
> >
> > It WOULD make sense to close that socket to the outside world, and force
> > the use of ssh or similar.
> >
> >> --------------------------------------------------------
> >>
> >> | John M. Simpson  --  KG4ZOW  --  Programmer At Large |
> >> | http://www.jms1.net/                 <jms1 at jms1.net> |
> >>
> >> --------------------------------------------------------
> >>
> >> |   Hope for America  --  http://www.ronpaul2008.com/  |
> >>
> >> --------------------------------------------------------
>
> Perhaps I missed something.  MySQL passwords are stored in an encrypted
> db inside MySQL.  MySQL creates a root user but does not have a root
> passwd set at install time.  Nor does it have any users set.  You set
> them yourself.  (unless some distro modified it, I have not seen any do
> this before)
>
> first logon on to the MySQL terminal  with  "mysql"
> You need to so something like this to set the root passwd
>
> set password root at localhost=password('new password');
>
> This is not the machine password this is the root password security MySQL.
>
> MySQL is also set by default to only listed from localhost.
> note:  you can only logon from localhost by default even if you set a
> user @another_host.
>
> you change this by modifying /etc/mysql/my.cnf  (or some other name if
> your distro changed it)..  look for the
>
> bind-address = 127.0.0.1
>
> change it to something like
>
> bind-address = 192.168.0.*  (substitute your subnet)
> should allow users you assign logon provledges on your subnet.
> or if you want a real unsecure environment
> bind-address =*

this can also be managed by the admin from within mysql, creating users with 
specific addresses they can log in from (and specific databases they can 
use).  Each userid can be associated with a different ip address (or range of 
ip addresses).  This not only secures the database by userid, but also by the 
physical machine(s) they are logging in from.  This might be practical when 
several unrelated databases are kept on the same mysql installation.
>
> you then log onto MySql terminal with
>
> mysql -u root -p   //you will be prompted for the password.
>
> It is suggest that you then create other users and assign them
> privileges..  something like
>
> grant all on *.* to username at hostname_or_address identified by 'password';
>
> This gives the user all privileges except grant.
>
> This should get things cooking.
>
> there are quite a few very good tutorials on the net..
>
> Fred...



-- 
Dan
Finding a solution to a problem doesn't solve the problem...
Implementing the solution, solves the problem

-------------------------------------------------------

-- 
Dan
Finding a solution to a problem doesn't solve the problem...
Implementing the solution, solves the problem

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the Leaplist mailing list