Red Hat Bugzilla – Bug 17958
mysql is not properly secured when installed.
Last modified: 2007-04-18 12:28:48 EDT
When mysql is installed there is no question or warning about setting a
for the mysql user root. This means that any user on the host that mysqld
on has all privileges and can do anything with all databases until a
password is set.
If you install it, you need to configure it. Default passwords considered
The rpm version distributed by the mysql group warns the installer
to set a password at least. The current RH mysql install is silent,
this is likely to cause some interesting problems for the unwary.
I strongly agree that default passwords are bad.
Returning output (or asking for input) from one of the post/pre scripts is
considered bad - you wouldn't necesarrily see it. RPM is designed to be
What then about adding something like this to /etc/rc.d/init.d/mysql, just
after starting mysqld:
mysqladmin --user root processlist > /dev/null 2> /dev/null && echo "Unsafe
This will unfortunately also trigger if the password is set in /root/.my.cnf but
that case should
be easy to take care of with a few script lines. The important thing is to warn
of a very insecure