mysqladmin user account not secure?
https://dba.stackexchange.com/questions/17173
-
22-10-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russianسؤال
I still playing with my own DB trying to learn and saw this:
I could change the root password without any problem at all... If I'm in the server I can create an algorithm to start testing password and and someday I will find it, I mean:
Web-Services-iMac-2:~ jbolivar$ mysqladmin -utest1 -p**SOME_THING_HERE** password test1.is it ok to change password using this???:
update table mysql.user set password=PASSWORD('test') where user='test1';
beside that if I create a dictionary table (a table with all possible words) and apply PASSWORD("word") I can make a join and find the value of any pass, right?. Can you give me your opinion about my analysis?
المحلول
Before you continue playing with mysqladmin, you need to make sure your installation is not intentionally giving away access.
For starters, can you login to mysql like this?
# mysql <hit enter>
If you can get just like that, run this command:
SELECT USER(),CURRENT_USER();
- USER() reports how you attempted to authenticate in MySQL
- CURRENT_USER() reports how you were allowed to authenticate in MySQL
If CURRENT_USER() return a user and host where the user is blank, then you were allowed in as an anonymous user. At that point, you can remove anonymou users with this:
DELETE FROM mysql.user WHERE user='';
FLUSH PRIVILEGES;
Now, locate all users with no password with this:
SELECT user,host,password FROM mysql.user;
If any users have no password, you can issue new passwords for user using mysqladmin or you could just assign them as follows:
UPDATE mysql.user SET password=PASSWORD('whateverpassword') WHERE user='...' AND host='...';
FLUSH PRIVILEGES;
Now, check for remote users
SELECT user,host FROM mysql.user WHERE host='%';
If you see any, run this:
DELETE FROM mysql.user WHERE host='%';
FLUSH PRIVILEGES;
Make sure when all is said and done that at least root@localhost and/or root@127.0.0.1 exist and have a password
SELECT user,host,password FROM mysql.user WHERE user='root';
I could probably go on. Here are other posts I have about stuff like this:
