mysqladmin user account not secure?

Posted on

Question :

I still playing with my own DB trying to learn and saw this:

enter image description here

  1. I could change the root password without any problem at all… If I’m in the server I can create an algorithm to start testing password and and someday I will find it, I mean:

    Web-Services-iMac-2:~ jbolivar$ mysqladmin -utest1 -p**SOME_THING_HERE** password test1.

  2. is it ok to change password using this???:

    update table mysql.user set password=PASSWORD(‘test’) where user=’test1′;

beside that if I create a dictionary table (a table with all possible words) and apply PASSWORD(“word”) I can make a join and find the value of any pass, right?.
Can you give me your opinion about my analysis?

Answer :

Before you continue playing with mysqladmin, you need to make sure your installation is not intentionally giving away access.

For starters, can you login to mysql like this?

# mysql <hit enter>

If you can get just like that, run this command:

SELECT USER(),CURRENT_USER();
  • USER() reports how you attempted to authenticate in MySQL
  • CURRENT_USER() reports how you were allowed to authenticate in MySQL

If CURRENT_USER() return a user and host where the user is blank, then you were allowed in as an anonymous user. At that point, you can remove anonymou users with this:

DELETE FROM mysql.user WHERE user='';
FLUSH PRIVILEGES;

Now, locate all users with no password with this:

SELECT user,host,password FROM mysql.user;

If any users have no password, you can issue new passwords for user using mysqladmin or you could just assign them as follows:

UPDATE mysql.user SET password=PASSWORD('whateverpassword') WHERE user='...' AND host='...';
FLUSH PRIVILEGES;

Now, check for remote users

SELECT user,host FROM mysql.user WHERE host='%';

If you see any, run this:

DELETE FROM mysql.user WHERE host='%';
FLUSH PRIVILEGES;

Make sure when all is said and done that at least root@localhost and/or root@127.0.0.1 exist and have a password

SELECT user,host,password FROM mysql.user WHERE user='root';

I could probably go on. Here are other posts I have about stuff like this:

Leave a Reply

Your email address will not be published.