With a fresh (but old) install of Ubuntu and MySQL, I found I could access the MySQL via command line client without being asked for any user or password.
This bothered me as the default situation, and I tried to investigate it. Logging in as root required the root password. But logging in without specifying the user (ie, just typing mysql on the command line) asked me for neither user nor password.
I think I've tracked it down to the user debian-sys-maint, which appears to have full MySQL permissions on the one hand, and is also the default client user as defined in /etc/mysql/debian.cnf on the other.
My first instinct was to get rid of the user entirely, because this seemed a security hole to me, but upon reading up, including the posts linked below, it seems that debian-sys-maint is needed.
So my plan is to try the following:
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'debian-sys-maint';
GRANT RELOAD on *.* TO 'debian-sys-maint'@'localhost' IDENTIFIED BY 'xxxxxx';
FLUSH PRIVILEGES;
Can anyone comment on this as the recommended / expected / correct way to secure a default MySQL installation?
Should I also alter /etc/mysql/debian.cnf to remove this section?
[client]
host = localhost
user = debian-sys-maint
password = xxxxxx
socket = /var/run/mysqld/mysqld.sock
(It does warn: # Automatically generated for Debian scripts. DO NOT TOUCH!)
I intend to replace it with my own ~/.my.cnf client section anyway.
Update:
The permissions on /etc/mysql/debian.cnf are:
-rw------- 1 root root 312 2012-05-20 23:07 /etc/mysql/debian.cnf
References:
Best Answer
The answer to this is that the
debian-sys-maintaccount is a red-herring.The phenomena I was looking at was a MySQL "anonymous" user.
This is answered by these 2 questions, as well as my own that I posted yesterday: