I've inherited development for a website on vps hosting, and have login info for a user with sudo privileges, but don't have the password for the mysql root user. After digging around a little, it looks like the only way to fix this is to stop mysql (something like this: http://waoewaoe.wordpress.com/2010/02/03/recover-reset-mysql-root-password/). But because the website it's serving is currently in production, I'm hoping you guys can enlighten me to any potential consequences (or let me know if there's typically a file where the password would be accessible).
a) during the time mysql is stopped, information in the database won't be accessible, right -- even by other users?
b) will resetting the root password have any impact on other users after mysql has restarted? Will their username/passwords still be valid? The current application is using an account with limited privileges to read/write to the database, and while 5min downtime in the middle of the night would probably go unnoticed, half a day while I tie up loose ends/figure out what I screwed up will land in me hot water.
Thanks in advance for your help!
You can look after back-up scripts and cron jobs. Maybe some script does a dump using the root account. If this is the case the password needs to be stored in cleartext. You can also look at configuration files of application that use the database.
You also need to be lucky. If you are not, you have to stop mysql, change the password and start it again.
Related
I recently installed the XAMPP stack on a desktop and connected via a laptop on the local network. To my surprise, I was able to access phpmyadmin and delete update all mysql tables. Though I understand that I shouldn't use xampp for production (and I'm not), I would still like to learn how to manage these types of obvious security flaws. I know that I can block access to directories via .htacces (http://forum.directadmin.com/showthread.php?t=29089), but I would like something that is a little more comprehensive. How would you restrict running of mysql queries from anywhere except localhost? Is there a way without .htaccess? I thought this was partially the purpose of the root user.
MySQL defined users with domains. If you look at your user_privileges table in the information_schema database you will see that they all have domains. If all your users are defined strictly as localhost, there will be no remote access.
Also, you can edit my.cnf to turn off tcp access to the database, forcing all connections to be by socket. under [mysqld], include the line skip-networking. You will have to configure all your apps to use the socket connection, but I like the socket better anyway.
This will do nothing to protect your data from someone using phpMyAdmin, if phpMyAdmin is installed on the same machine as the database. The safest thing to do is get rid of that app. That's often not practical, however, as it's a useful tool, and so you need to configure phpMyAdmin to require that users authenticate themselves. That means NOT putting the password in the config file. You will need to think about how long sessions are before reauthentication, and things like that.
phpMyAdmin fills me with a rage hotter than a thousand suns whenever I try to configure it, but it is definitely possible to set things up so a password is required each time you connect to the database through phpMyAdmin. You can further limit the damage phpMyAdmin abusers can do my making sure it only connects as a user with limited privileges (for instance, only able to modify the database you're working on at the moment).
I'd like to set up a Mysql database online. I've been trying to find information on this online, but I haven't been able to find a good summary of the whole process. I have very limited experience with webhosting in general, so would really appreciate any pointers.
My questions would be:
- do you needed a dedicated mysql server online, or can I just set one up on my webspace (I have a website that I use for random stuff)
- how do I go about setting up a database on my webspace (if possible)
So far I've uploaded phpMyAdmin to my site, and the start screen loads fine, but I'm stumped for user and password. Do I need to enter my webspace ftp user and password here? Or my mysql user and password (which I'd find weird since I have not actually set up any mysql webspace yet). Or do I need to configure phpMyAdmin for a specific user and password?
So yeah, very basic stuff really... :)
Thanks!
Dave
I'm setting up a lamp server on my android phone, and i didn't managed to get mysql working with the default settings. i had to change the user to root in the my.cnf.
So i'm curious about the dangers of running mysql under the root user.
running MySQL as root, means everything the server does is also done as root (obvious). Especially if you happen to make a mistake, this can cause problems:
if you mis configure the mysql logfile to /etc/passwd, then that important file will probably be overwritten (a normal user cant do that).
root usually as some amount of disk system reserved (per filesystem), thus you can easier make the partition full as root.
code injection: if you have scripts running (for backup of the now root owned files) than you need higher privileges there, and again any mistake might have a bigger impact.
It is ok to login as a root user. However, use it to create new users with limited privileges on objects (tables, indexes, databases, etc) so that those users can't break anything other than what they're allowed to :)
Once the new users are created logout as root and login with those new users. I see you're using linux, so the idea of root user applies to MySQL in a similar way as in linux.
You can check the official documentation about this: Adding users and granting privileges
I'm quite a beginner when it comes to working with networks and the like, so apologizes up front. A while back I set up a mySQL database locally on my machine, and have built a number of simple programs that work with it. (aka root:localhost sort of thing).
This has been great, but I'm now hoping to allow other colleagues at my work to access the database from their machines, but I have no idea how.
Likely there will be some network protection issues (firewalls etc), so that may need to be taken into account... (although I have IT's help on this, neither IT or myself really know what is required to 'connect' to the database).
For example, is it just an IP I need? Do I have to change the setup of my database? I understand that localhost would not work from my colleagues computer's, for obvious reasons, I have no idea what would go in its place for others to access it.
I also do not mind having my machine run as the dedicated database machine... I would not be able to run it off a dedicated server or anything like that, beyond my machine.
Any help would be much appreciated!
Thanks.
First of all, what your colleagues need are:
The IP Address where MySQL server is
running.
User and Password to connect remotely
Have the port 3306 open on the network
A MySQL Client (mysql workbench, mysql query browser, toad, heidi or just the Command Line tool).
When you create user in MySQL the have to be something like this:
'root'#'localhost'
That means, the user will work if you connect from localhost with the user root. So you can create user allowed to connect from anywhere:
'juanperez'#'%'
And finally you have be careful about what privileges are you granting to them. Do not forget to comment a line in the options file of the MySQL that says "bind-address" (this options prevents remote connection).
For example, is it just an IP I need?
Yes. You'll be much happier if you set up proper domain names, but a domain name is just an alias for the IP address.
Do I have to change the setup of my database?
No, but... You have to add some user credentials to support remote logins. That's a change, but not a change to a schema. It's changes to the permissions.
I understand that localhost would not work from my colleagues computer's, for obvious reasons, I have no idea what would go in its place for others to access it.
What MySQL Admin tools are you using? Often there is good help there.
You must read reference manual 4.1 or 5.0
For whatever version is appropriate.
It's very clear.
A user is identified by a username#hostname. You can specify IP addresses (or even "%" for the hostname.
You will use following commandline to connect -
mysql -u<user-id> -p<password> -h<your-hostname-or-ipaddress>
For applications running on different machines trying to connect to your database, you only need to replace 'localhost' with your machine's hostname or ipaddress.
In, general if you are able to ping your machine from a different system, your database can be connected to from that machine, just use whatever name you used for 'pinging' in place of localhost.
Use your workstation IP address or workstation name. You will need to enable remote access. Go to this link for how:
http://www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html
I can not use MySQL. MySQL is on my local computer. Currently I added skip-grant-tables in My.ini so I can use MySQL. But I have no privilege to create a new database. My problem is tough, although I asked related questions on SO, but no answer can resolve my problem. I almost give up. So I lower my expectation. I am developing a website, so I need to create database, tables and operate tables. You don't have to consider security. Is there a simple solution that can give me privilege to create a new database? Maybe by adding some command in my.ini or something? You won't need to completely resolve my problem. Maybe after the development, I will upload the database and tables to another server(The current database server is my personal computer, windows XP) so I can uninstall and reinstall MySQL.
The root of problem is that I lack privileges.
I'm not sure if this will work for you, since you might need to have elevated privileges in the first place, but it's worth a shot.
There should be a database called mysql. Take a look in there, and you'll see a table called users. For each record, there's a heap of columns named Select_priv, Insert_priv, etc. For your user record, change each of these to "Y".
It sounds a bit like your installation went astray.
Maybe uninstall/resinstall is your best option, assuming that you've never been able to connect, so there is no data to consider.
Take your time on the installation, and have a look at MySQL Postinstallation Notes
you have 4 questions open about this specific problem. instead of opening duplicates, you should instead update just one of them with new information.
but the simple solution to your problem is to download the ZIP file of mysql for your mysql version from the mysql website and just copy the data\mysql folder in to your data file, then restart the service. this will give you a root user with a blank password that has full access.