Comments - mysql_secure_installation

A lot of these scripts that come with MySQL and MariaDB are lacking some documentation. I have several instances of MariaDB running and I wanted to run this script on my 2nd instance, with its socket file in /run/mysqld/mysqld2.sock. Tried man mysql_secure_installation and mysql_secure_installation --help and looked here, but it did not mention any way to do this.

However, it seems it just works with the same arguments as with mysql itself, so:

mysql_secure_installation -S /run/mysqld/mysqld2.sock did the trick!

!Attention! In my use case it asked the following:

This was a bit misleading because it seems that the unix_socket plugin is enabled by default for root@localhost on my installation (Mariadb 10.4.6) and it was not disabled by the script.

To clarify: I don't want any local user (not even root) to be able to connect to the database directly using unix_socket without issuing a password. This is because I setup encryption-at-rest and it would not add too much extra security if one can 'root' the machine and easily circumvent this encryption (by just logging in as root using the unix_socket).

I agree with T.Niessink. I do not want any local user including root to connect to the DB without knowing the root user's db password. However while logged into unix as the root user (completing setup of a new server), having finishing the mysql_secure_installation process for MariaDB 10.5.15, and having entered No to the question regarding switching to unix socket authentication, I was able to access the MariaDB command prompt by simply typing mysql at the unix command prompt!! Did not have to enter -p, was not asked for a password, and was in MariaDB as a root user! I also tried "mysql -p" and hit enter at the password prompt and was able to connect as the root user in MariaDB. This seems like a very bad thing!

Sooo, we should say No? I sort of understand your post, but not the recommendation. I would appreciate if you would be so kind as to elaborate on what we should select in this option. Thank you

As of Ubuntu 15.10, the root user is authenticated using the unix_socket and it seems that the other steps in this script are completed during installation.

So is the ALLCAPS disclaimer no longer true for Ubuntu 15.10+?

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

On arch I followed these these steps

sudo zfs create -o recordsize=8k -o primarycache=metadata -o mountpoint=/srv/data zdata/data sudo mysql_install_db --user=mysql --basedir=/usr --datadir=/srv/data sudo systemctl start mysqld sudo mysql_secure_installation

The last command asks for the current password. Dispite it saying that the password should be empty, this does not work:

Enter current password for root (enter for none): ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)

Please update this description and correct the error.

Thanks!

In Linux Mint you have to add sudo before run this script: $ sudo mysql_secure_installation

ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO) this will show you if you do not add sudo.

I have used mysql in Ubuntu and no need to add sudo to use it.

For example: Ubuntu: $ mysql -u root -p, this work fine. Linux Mint: $ sudo mysql -u root -p

This seems normal. If there's a root password it needs to be specified. Only if there is none does simply pressing enter work.