Linux, politics, and other interesting things


MySQL security in Debian

Currently there is a problem with the default MySQL install in Debian/Etch (and probably other distributions too): it sets up “root” with DBA access and no password. The following mysql command lists all MySQL accounts with Grant_priv access (one of the capabilities that gives great access to the database server) and shows their hashed passwords (as a matter of procedure I truncated the hash for my debian-sys-maint account). As you can see, the “root” and “debian-sys-maint” accounts have such access, and the Password column is empty for both “root” entries. The debian-sys-maint account is used by the Debian package management tools, and its password is stored in the /etc/mysql/debian.cnf file.

$ echo "select Host,User,Password from user where Grant_priv='y'" | mysql -u root mysql
Host    User    Password
localhost       root
aeon    root
localhost       debian-sys-maint        *882F90515FCEE65506CBFCD7

It seems likely that most people who have installed MySQL won’t realise that this problem exists and will continue to run their machines in that manner. This is a serious issue for multi-user machines. There is currently Debian bug #418672 about this issue. In my tests it affects Etch machines as well as machines running Unstable.
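
An added example (not from the original post): a shell check that takes the tab-separated output of the query above and reports the privileged accounts whose Password column is empty. The function names, the `-N -B` invocation mentioned in the comment and the sample rows are assumptions constructed for illustration; the hash is a placeholder.

```shell
#!/bin/sh
# Added example: flag privileged MySQL accounts that have no password.
# Input on stdin: tab-separated Host, User, Password rows, e.g. from
#   mysql -N -B -u root mysql \
#     -e "select Host,User,Password from user where Grant_priv='y'"
# Output: one "user@host" line per account whose Password column is empty.
find_passwordless() {
    awk -F '\t' '
        # Skip the header row if mysql was run without -N.
        NR == 1 && $1 == "Host" && $2 == "User" { next }
        # Skip blank lines.
        NF == 0 { next }
        # An empty or missing third column means no hash is stored.
        $3 == "" { printf "%s@%s\n", $2, $1 }
    '
}

# Constructed sample mirroring the listing in the post (placeholder hash).
sample_rows() {
    printf 'Host\tUser\tPassword\n'
    printf 'localhost\troot\t\n'
    printf 'aeon\troot\t\n'
    printf 'localhost\tdebian-sys-maint\t*CONSTRUCTED_PLACEHOLDER_HASH\n'
}

# Returns 1 if any passwordless privileged account is found, so the
# check can be wired into cron or a configuration-management run.
audit() {
    found=$(find_passwordless)
    if [ -n "$found" ]; then
        echo "Privileged accounts with no password:" >&2
        echo "$found" >&2
        return 1
    fi
    return 0
}

# Demonstration on the constructed sample.
sample_rows | find_passwordless
```

On a live server, pipe the real query output into `audit` instead of `sample_rows`.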


©2012 etbe - Russell Coker