Linux – Multiple root user accounts for thesql on Ubuntu

linuxMySQLUbuntu

I'm using ubuntu 12.04 and trying to get things secured. I'm still pretty new to Linux so I'm not quite sure how to interpret this.

I logged into my root account using mysql -u root -p and then to see all of the users I typed SELECT User FROM mysql.user; which showed the following

+------------------+
| User             |
+------------------+
| root             |
| root             |
|                  |
| root             |
|                  |
| Testing          |
| debian-sys-maint |
| phpmyadmin       |
| root             |
+------------------+

I logged into phpmyadmin to check out what each of the root accounts for and noticed they all have different hosts. Localhost, 127.0.0.1, ::1 and another IP address. Is it necessary to keep all of these? I currently SSH into my server (using a key pair) and then access MySQL through the terminal or through PHPMyadmin directly from my URL, so I'm pretty sure I just access it through the localhost root account and none of the others.

If I change my root password will all of the other MySQL root accounts change (from the different hosts)? What would you guys do in this situation to make it more secure?

Here's what I was thinking of doing, but maybe there's a better way. I was going to change the MySQL root user's password to something long and random (and write it down), and create another account with a shorter password for everyday management.

For the record, I have already restricted IP access to PHPMyAdmin and made an alias, I just want to do everything I can to prevent some jerk from trying to get a hold of it.

Best Answer

Although they are all named 'root', MySQL sees each of those user entries as a unique account. The account is based on the 'user'@'host' combination. Each of them can have a separate password, although that could easily be an account management nightmare.

You have a number of ways to change the passwords for the accounts, and depending on how you do it, you may have to repeat it for each account to keep them in sync.

The first way (probably the one most people are familiar with) is using SET PASSWORD

shell> mysql -u root -p
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('newpwd');
mysql> SET PASSWORD FOR 'root'@'127.0.0.1' = PASSWORD('newpwd');
mysql> SET PASSWORD FOR 'root'@'::1' = PASSWORD('newpwd');
mysql> SET PASSWORD FOR 'root'@'host_name' = PASSWORD('newpwd');

If you wanted to update them all at once you can use UPDATE

shell> mysql -u root -p
mysql> UPDATE mysql.user SET Password = PASSWORD('newpwd')
    ->     WHERE User = 'root';
mysql> FLUSH PRIVILEGES;

The third way if to use the mysqladmin tool

shell> mysqladmin -u root password "newpwd"
shell> mysqladmin -u root -h host_name password "newpwd"

If using this method, you need to make note:

The mysqladmin method of setting the root account passwords does not work for the 'root'@'127.0.0.1' or 'root'@'::1' account. Use the SET PASSWORD method shown earlier.

More info on the MySQL site

I agree with your idea of using a separate account for your day to day tasks, you will just need to find the right combination of permissions that will work with what you want, without getting too heavy handed.

I would also take a look at your server logs periodically (or have a tool in place) to monitor database logins, such as those for root.

There's a lot more that you can do to secure your installation, but that can easily grow beyond the scope of this.

Related Solutions

Debian MySQL User – What is the debian-sys-maint MySQL User?

What is debian-sys-maint used for?

One major thing it is used for is telling the server to roll the logs. It needs at least the reload and shutdown privilege.

See the file /etc/logrotate.d/mysql-server

It is used by the /etc/init.d/mysql script to get the status of the server. It is used to gracefully shutdown/reload the server.

Here is the quote from the README.Debian

* MYSQL WON'T START OR STOP?:
=============================
You may never ever delete the special mysql user "debian-sys-maint". This user
together with the credentials in /etc/mysql/debian.cnf are used by the init
scripts to stop the server as they would require knowledge of the mysql root
users password else.

What is the easiest way to restore it after I've lost it?

The best plan is to simply not lose it. If you really lose the password, reset it, using another account. If you have lost all admin privileges on the mysql server follow the guides to reset the root password, then repair the debian-sys-maint.

You could use a command like this to build a SQL file that you can use later to recreate the account.

mysqldump --complete-insert --extended-insert=0 -u root -p mysql | grep 'debian-sys-maint' > debian_user.sql

Is the password in /etc/mysql/debian.cnf already hashed

The password is not hashed/encrypted when installed, but new versions of mysql now have a way to encrypt the credentials (see: https://serverfault.com/a/750363).

Ubuntu – Change user password within user with root account

Pretty simple, assuming you know the password for root:

su root
passwd {username}

Replace "{username}" with the username you wish to change the password for. You will be prompted for your root password, and you shouldn't be prompted for the old user password for the user you are making modifications for!

Best Answer

Related Solutions

Debian MySQL User – What is the debian-sys-maint MySQL User?

Ubuntu – Change user password within user with root account

Related Topic