MYSQL_SECURE_INSTALLATION(1)    MySQL Database System    MYSQL_SECURE_INSTALLATION(1)

NAME
mysql_secure_installation - improve MySQL installation security

SYNOPSIS
mysql_secure_installation

DESCRIPTION
This program enables you to improve the security of your MySQL
installation in the following ways:

· You can set a password for root accounts.

· You can remove root accounts that are accessible from outside the
  local host.

· You can remove anonymous-user accounts.

· You can remove the test database (which by default can be accessed
  by all users, even anonymous users), and privileges that permit
  anyone to access databases with names that start with test_.

mysql_secure_installation helps you implement security recommendations
similar to those described at Section 2.10.4, “Securing the Initial
MySQL Account”.
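
The conditions listed above can be checked from account and grant listings before and after running the tool. The following is an added example, not part of the MySQL manual or of mysql_secure_installation; the function names, the finding labels and the queries shown in the comments are assumptions, and the sample rows are constructed.

```shell
#!/bin/sh
# Added example: flags the conditions mysql_secure_installation removes.
# Feed it tab-separated rows produced on the server host, for example:
#   mysql -N -B -e "SELECT user, host, plugin, authentication_string <> '' FROM mysql.user"
#   mysql -N -B -e "SELECT db, user FROM mysql.db"

# stdin: user<TAB>host<TAB>plugin<TAB>has_password(0|1)
audit_accounts() {
  awk -F '\t' '
    $1 == "" { print "ANONYMOUS_USER @" $2 }
    $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
      print "REMOTE_ROOT root@" $2
    }
    # auth_socket accounts authenticate by OS identity, so an empty
    # authentication_string is expected for them.
    $1 == "root" && $4 == "0" && $3 != "auth_socket" {
      print "ROOT_NO_PASSWORD root@" $2
    }'
}

# stdin: db<TAB>user ; an empty user column means the grant applies to anyone.
audit_test_grants() {
  awk -F '\t' '$2 == "" && $1 ~ /^test/ { print "OPEN_TEST_GRANT " $1 }'
}

# Constructed sample rows resembling an unhardened install (not real output).
sample_accounts() {
  printf '%s\t%s\t%s\t%s\n' \
    root localhost caching_sha2_password 0 \
    root '%' caching_sha2_password 1 \
    '' localhost caching_sha2_password 0 \
    app 10.0.0.5 caching_sha2_password 1
}

# Batch mode escapes the backslash of the test\_% pattern, hence the doubling.
sample_grants() {
  printf '%s\t%s\n' test '' 'test\\_%' '' appdb app
}

sample_accounts | audit_accounts
sample_grants | audit_test_grants
```

An empty result from both functions after the tool has run means none of the listed conditions remain in the supplied rows.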

Normal usage is to connect to the local MySQL server; invoke
mysql_secure_installation without arguments:

    shell> mysql_secure_installation

When executed, mysql_secure_installation prompts you to determine which
actions to perform.

The validate_password component can be used for password strength
checking. If the plugin is not installed, mysql_secure_installation
prompts the user whether to install it. Any passwords entered later are
checked using the plugin if it is enabled.

Most of the usual MySQL client options such as --host and --port can be
used on the command line and in option files. For example, to connect
to the local server over IPv6 using port 3307, use this command:

    shell> mysql_secure_installation --host=::1 --port=3307

mysql_secure_installation supports the following options, which can be
specified on the command line or in the [mysql_secure_installation] and
[client] groups of an option file. For information about option files
used by MySQL programs, see Section 4.2.7, “Using Option Files”.

· --help, -?

  Display a help message and exit.

· --defaults-extra-file=file_name

  Read this option file after the global option file but (on Unix)
  before the user option file. If the file does not exist or is
  otherwise inaccessible, an error occurs. file_name is interpreted
  relative to the current directory if given as a relative path name
  rather than a full path name.

  For additional information about this and other option-file
  options, see Section 4.2.8, “Command-Line Options that Affect
  Option-File Handling”.

· --defaults-file=file_name

  Use only the given option file. If the file does not exist or is
  otherwise inaccessible, an error occurs. file_name is interpreted
  relative to the current directory if given as a relative path name
  rather than a full path name.

  For additional information about this and other option-file
  options, see Section 4.2.8, “Command-Line Options that Affect
  Option-File Handling”.

· --defaults-group-suffix=str

  Read not only the usual option groups, but also groups with the
  usual names and a suffix of str. For example,
  mysql_secure_installation normally reads the [client] and
  [mysql_secure_installation] groups. If the
  --defaults-group-suffix=_other option is given,
  mysql_secure_installation also reads the [client_other] and
  [mysql_secure_installation_other] groups.

  For additional information about this and other option-file
  options, see Section 4.2.8, “Command-Line Options that Affect
  Option-File Handling”.

· --host=host_name, -h host_name

  Connect to the MySQL server on the given host.

· --no-defaults

  Do not read any option files. If program startup fails due to
  reading unknown options from an option file, --no-defaults can be
  used to prevent them from being read.

  The exception is that the .mylogin.cnf file, if it exists, is read
  in all cases. This permits passwords to be specified in a safer way
  than on the command line even when --no-defaults is used.
  (.mylogin.cnf is created by the mysql_config_editor utility. See
  mysql_config_editor(1).)

  For additional information about this and other option-file
  options, see Section 4.2.8, “Command-Line Options that Affect
  Option-File Handling”.

· --password=password, -p password

  This option is accepted but ignored. Whether or not this option is
  used, mysql_secure_installation always prompts the user for a
  password.

· --port=port_num, -P port_num

  The TCP/IP port number to use for the connection.

· --print-defaults

  Print the program name and all options that it gets from option
  files.

  For additional information about this and other option-file
  options, see Section 4.2.8, “Command-Line Options that Affect
  Option-File Handling”.

· --protocol={TCP|SOCKET|PIPE|MEMORY}

  The connection protocol to use for connecting to the server. It is
  useful when the other connection parameters normally would cause a
  protocol to be used other than the one you want. For details on the
  permissible values, see Section 4.2.2, “Connecting to the MySQL
  Server”.

· --socket=path, -S path

  For connections to localhost, the Unix socket file to use, or, on
  Windows, the name of the named pipe to use.

· --ssl*

  Options that begin with --ssl specify whether to connect to the
  server using SSL and indicate where to find SSL keys and
  certificates. See Section 6.4.2, “Command Options for Encrypted
  Connections”.

· --ssl-fips-mode={OFF|ON|STRICT}

  Controls whether to enable FIPS mode on the client side. The
  --ssl-fips-mode option differs from other --ssl-xxx options in that
  it is not used to establish encrypted connections, but rather to
  affect which cryptographic operations are permitted. See Section
  6.6, “FIPS Support”.

  These --ssl-fips-mode values are permitted:

  · OFF: Disable FIPS mode.

  · ON: Enable FIPS mode.

  · STRICT: Enable “strict” FIPS mode.

  Note
    If the OpenSSL FIPS Object Module is not available, the only
    permitted value for --ssl-fips-mode is OFF. In this case,
    setting --ssl-fips-mode to ON or STRICT causes the client to
    produce a warning at startup and to operate in non-FIPS mode.

· --tls-ciphersuites=ciphersuite_list

  For client programs, specifies which TLSv1.3 ciphersuites the
  client permits for encrypted connections. The value is a list of
  one or more colon-separated ciphersuite names. The ciphersuites
  that can be named for this option depend on the SSL library used to
  compile MySQL. For details, see Section 6.4.6, “Encrypted
  Connection Protocols and Ciphers”.

  This option was added in MySQL 8.0.16.

· --tls-version=protocol_list

  The protocols the client permits for encrypted connections. The
  value is a list of one or more comma-separated protocol names. The
  protocols that can be named for this option depend on the SSL
  library used to compile MySQL. For details, see Section 6.4.6,
  “Encrypted Connection Protocols and Ciphers”.

· --use-default

  Execute noninteractively. This option can be used for unattended
  installation operations.

· --user=user_name, -u user_name

  The MySQL user name to use when connecting to the server.

COPYRIGHT
Copyright © 1997, 2019, Oracle and/or its affiliates. All rights
reserved.

This documentation is free software; you can redistribute it and/or
modify it only under the terms of the GNU General Public License as
published by the Free Software Foundation; version 2 of the License.

This documentation is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.

You should have received a copy of the GNU General Public License along
with the program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA or see
http://www.gnu.org/licenses/.

SEE ALSO
For more information, please refer to the MySQL Reference Manual, which
may already be installed locally and which is also available online at
http://dev.mysql.com/doc/.

AUTHOR
Oracle Corporation (http://dev.mysql.com/).

MySQL 8.0    02/20/2019    MYSQL_SECURE_INSTALLATION(1)