1MYSQL_SECURE_INSTALLATION(1) MySQL Database SystemMYSQL_SECURE_INSTALLATION(1)
2
3
4

NAME

6       mysql_secure_installation - improve MySQL installation security
7

SYNOPSIS

9       mysql_secure_installation
10

DESCRIPTION

12       This program enables you to improve the security of your MySQL
13       installation in the following ways:
14
15       ·   You can set a password for root accounts.
16
17       ·   You can remove root accounts that are accessible from outside the
18           local host.
19
20       ·   You can remove anonymous-user accounts.
21
22       ·   You can remove the test database (which by default can be accessed
23           by all users, even anonymous users), and privileges that permit
24           anyone to access databases with names that start with test_.
25
26       mysql_secure_installation helps you implement security recommendations
27       similar to those described at Section 2.10.4, “Securing the Initial
28       MySQL Account”.
29
30       Normal usage is to connect to the local MySQL server; invoke
31       mysql_secure_installation without arguments:
32
33           shell> mysql_secure_installation
34
35       When executed, mysql_secure_installation prompts you to determine which
36       actions to perform.
37
38       The validate_password component can be used for password strength
39       checking. If the plugin is not installed, mysql_secure_installation
40       prompts the user whether to install it. Any passwords entered later are
41       checked using the plugin if it is enabled.
42
43       Most of the usual MySQL client options such as --host and --port can be
44       used on the command line and in option files. For example, to connect
45       to the local server over IPv6 using port 3307, use this command:
46
47           shell> mysql_secure_installation --host=::1 --port=3307
48
49       mysql_secure_installation supports the following options, which can be
50       specified on the command line or in the [mysql_secure_installation] and
51       [client] groups of an option file. For information about option files
52       used by MySQL programs, see Section 4.2.7, “Using Option Files”.
53
54       ·   --help, -?
55
56           Display a help message and exit.
57
58       ·   --defaults-extra-file=file_name
59
60           Read this option file after the global option file but (on Unix)
61           before the user option file. If the file does not exist or is
62           otherwise inaccessible, an error occurs.  file_name is interpreted
63           relative to the current directory if given as a relative path name
64           rather than a full path name.
65
66           For additional information about this and other option-file
67           options, see Section 4.2.8, “Command-Line Options that Affect
68           Option-File Handling”.
69
70       ·   --defaults-file=file_name
71
72           Use only the given option file. If the file does not exist or is
73           otherwise inaccessible, an error occurs.  file_name is interpreted
74           relative to the current directory if given as a relative path name
75           rather than a full path name.
76
77           For additional information about this and other option-file
78           options, see Section 4.2.8, “Command-Line Options that Affect
79           Option-File Handling”.
80
81       ·   --defaults-group-suffix=str
82
83           Read not only the usual option groups, but also groups with the
84           usual names and a suffix of str. For example,
85           mysql_secure_installation normally reads the [client] and
86           [mysql_secure_installation] groups. If the
87           --defaults-group-suffix=_other option is given,
88           mysql_secure_installation also reads the [client_other] and
89           [mysql_secure_installation_other] groups.
90
91           For additional information about this and other option-file
92           options, see Section 4.2.8, “Command-Line Options that Affect
93           Option-File Handling”.
94
95       ·   --host=host_name, -h host_name
96
97           Connect to the MySQL server on the given host.
98
99       ·   --no-defaults
100
101           Do not read any option files. If program startup fails due to
102           reading unknown options from an option file, --no-defaults can be
103           used to prevent them from being read.
104
105           The exception is that the .mylogin.cnf file, if it exists, is read
106           in all cases. This permits passwords to be specified in a safer way
107           than on the command line even when --no-defaults is used.
108           (.mylogin.cnf is created by the mysql_config_editor utility. See
109           mysql_config_editor(1).)
110
111           For additional information about this and other option-file
112           options, see Section 4.2.8, “Command-Line Options that Affect
113           Option-File Handling”.
114
115       ·   --password=password, -p password
116
117           This option is accepted but ignored. Whether or not this option is
118           used, mysql_secure_installation always prompts the user for a
119           password.
120
121       ·   --port=port_num, -P port_num
122
123           The TCP/IP port number to use for the connection.
124
125       ·   --print-defaults
126
127           Print the program name and all options that it gets from option
128           files.
129
130           For additional information about this and other option-file
131           options, see Section 4.2.8, “Command-Line Options that Affect
132           Option-File Handling”.
133
134       ·   --protocol={TCP|SOCKET|PIPE|MEMORY}
135
136           The connection protocol to use for connecting to the server. It is
137           useful when the other connection parameters normally would cause a
138           protocol to be used other than the one you want. For details on the
139           permissible values, see Section 4.2.2, “Connecting to the MySQL
140           Server”.
141
142       ·   --socket=path, -S path
143
144           For connections to localhost, the Unix socket file to use, or, on
145           Windows, the name of the named pipe to use.
146
147       ·   --ssl*
148
149           Options that begin with --ssl specify whether to connect to the
150           server using SSL and indicate where to find SSL keys and
151           certificates. See Section 6.4.2, “Command Options for Encrypted
152           Connections”.
153
154       ·   --ssl-fips-mode={OFF|ON|STRICT} Controls whether to enable FIPS
155           mode on the client side. The --ssl-fips-mode option differs from
156           other --ssl-xxx options in that it is not used to establish
157           encrypted connections, but rather to affect which cryptographic
158           operations are permitted. See Section 6.6, “FIPS Support”.
159
160           These --ssl-fips-mode values are permitted:
161
162           ·   OFF: Disable FIPS mode.
163
164           ·   ON: Enable FIPS mode.
165
166           ·   STRICT: Enable “strict” FIPS mode.
167
168
169               Note
170               If the OpenSSL FIPS Object Module is not available, the only
171               permitted value for --ssl-fips-mode is OFF. In this case,
172               setting --ssl-fips-mode to ON or STRICT causes the client to
173               produce a warning at startup and to operate in non-FIPS mode.
174
175       ·   --tls-ciphersuites=ciphersuite_list
176
177           For client programs, specifies which TLSv1.3 ciphersuites the
178           client permits for encrypted connections. The value is a list of
179           one or more colon-separated ciphersuite names. The ciphersuites
180           that can be named for this option depend on the SSL library used to
181           compile MySQL. For details, see Section 6.4.6, “Encrypted
182           Connection Protocols and Ciphers”.
183
184           This option was added in MySQL 8.0.16.
185
186       ·   --tls-version=protocol_list
187
188           The protocols the client permits for encrypted connections. The
189           value is a list of one or more comma-separated protocol names. The
190           protocols that can be named for this option depend on the SSL
191           library used to compile MySQL. For details, see Section 6.4.6,
192           “Encrypted Connection Protocols and Ciphers”.
193
194       ·   --use-default
195
196           Execute noninteractively. This option can be used for unattended
197           installation operations.
198
199       ·   --user=user_name, -u user_name
200
201           The MySQL user name to use when connecting to the server.
202

COPYRIGHT

204       Copyright © 1997, 2019, Oracle and/or its affiliates. All rights
205       reserved.
206
207       This documentation is free software; you can redistribute it and/or
208       modify it only under the terms of the GNU General Public License as
209       published by the Free Software Foundation; version 2 of the License.
210
211       This documentation is distributed in the hope that it will be useful,
212       but WITHOUT ANY WARRANTY; without even the implied warranty of
213       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
214       General Public License for more details.
215
216       You should have received a copy of the GNU General Public License along
217       with the program; if not, write to the Free Software Foundation, Inc.,
218       51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA or see
219       http://www.gnu.org/licenses/.
220
221

SEE ALSO

223       For more information, please refer to the MySQL Reference Manual, which
224       may already be installed locally and which is also available online at
225       http://dev.mysql.com/doc/.
226

AUTHOR

228       Oracle Corporation (http://dev.mysql.com/).
229
230
231
232MySQL 8.0                         02/20/2019      MYSQL_SECURE_INSTALLATION(1)