Our MySQL log displayed a warning on restart about 2 root users not having passwords.
I went into MySQL and checked all users:
mysql> select * from mysql.user;
and see:
Host | User | Password
localhost root *76685yt868itetc
web12-b0 root
127.0.0.1 root
First off, why are there 3 root users (and do we need 127.0.0.1 since we have localhost)?
Second, why would two of them not have passwords set?
Third, do the web12-b0 and 127.0.0.1 hosts have full root access without having to use a password (as it appears)?
Fourth, is there some valid reason for this or should I suggest the admin put passwords on those two hosts?
Thanks for your answers.
Best Answer
I know this is an old thread, but I wanted to add a few more points:
Three root users are generated by default when you first create a database. The are all created without passwords. At that time, the installation also recommends you set a password by running
mysqladmin -u root password, which will change the password for 'root'@'%'.The two that still don't have passwords are local to the host specified in the Host column; in both of these cases, it's the actual DB server. They do both have full access to the database by default. One might correctly surmise that, in many cases, if you were able to log in to the machine (which would be necessary to use either of these root accounts) in the first place, then you probably have access to the actual files on disk. So having passwords on these might not yield any real security.
That being said, I prefer to remove these default accounts, and stick with password-ed accounts.
DELETE FROM mysql.user WHERE Password=''; FLUSH PRIVILEGES