1MYSQL_SECURE_INSTALLATION(1) MySQL Database SystemMYSQL_SECURE_INSTALLATION(1)
2
3
4
6 mysql_secure_installation - improve MySQL installation security
7
9 mysql_secure_installation
10
12 This program enables you to improve the security of your MySQL
13 installation in the following ways:
14
15 · You can set a password for root accounts.
16
17 · You can remove root accounts that are accessible from outside the
18 local host.
19
20 · You can remove anonymous-user accounts.
21
22 · You can remove the test database (which by default can be accessed
23 by all users, even anonymous users), and privileges that permit
24 anyone to access databases with names that start with test_.
25
26 mysql_secure_installation helps you implement security recommendations
27 similar to those described at Section 2.10.4, “Securing the Initial
28 MySQL Account”.
29
30 Normal usage is to connect to the local MySQL server; invoke
31 mysql_secure_installation without arguments:
32
33 shell> mysql_secure_installation
34
35 When executed, mysql_secure_installation prompts you to determine which
36 actions to perform.
37
38 The validate_password component can be used for password strength
39 checking. If the plugin is not installed, mysql_secure_installation
40 prompts the user whether to install it. Any passwords entered later are
41 checked using the plugin if it is enabled.
42
43 Most of the usual MySQL client options such as --host and --port can be
44 used on the command line and in option files. For example, to connect
45 to the local server over IPv6 using port 3307, use this command:
46
47 shell> mysql_secure_installation --host=::1 --port=3307
48
49 mysql_secure_installation supports the following options, which can be
50 specified on the command line or in the [mysql_secure_installation] and
51 [client] groups of an option file. For information about option files
52 used by MySQL programs, see Section 4.2.2.2, “Using Option Files”.
53
54 · --help, -?
55
56 Display a help message and exit.
57
58 · --defaults-extra-file=file_name
59
60 Read this option file after the global option file but (on Unix)
61 before the user option file. If the file does not exist or is
62 otherwise inaccessible, an error occurs. file_name is interpreted
63 relative to the current directory if given as a relative path name
64 rather than a full path name.
65
66 For additional information about this and other option-file
67 options, see Section 4.2.2.3, “Command-Line Options that Affect
68 Option-File Handling”.
69
70 · --defaults-file=file_name
71
72 Use only the given option file. If the file does not exist or is
73 otherwise inaccessible, an error occurs. file_name is interpreted
74 relative to the current directory if given as a relative path name
75 rather than a full path name.
76
77 For additional information about this and other option-file
78 options, see Section 4.2.2.3, “Command-Line Options that Affect
79 Option-File Handling”.
80
81 · --defaults-group-suffix=str
82
83 Read not only the usual option groups, but also groups with the
84 usual names and a suffix of str. For example,
85 mysql_secure_installation normally reads the [client] and
86 [mysql_secure_installation] groups. If the
87 --defaults-group-suffix=_other option is given,
88 mysql_secure_installation also reads the [client_other] and
89 [mysql_secure_installation_other] groups.
90
91 For additional information about this and other option-file
92 options, see Section 4.2.2.3, “Command-Line Options that Affect
93 Option-File Handling”.
94
95 · --host=host_name, -h host_name
96
97 Connect to the MySQL server on the given host.
98
99 · --no-defaults
100
101 Do not read any option files. If program startup fails due to
102 reading unknown options from an option file, --no-defaults can be
103 used to prevent them from being read.
104
105 The exception is that the .mylogin.cnf file, if it exists, is read
106 in all cases. This permits passwords to be specified in a safer way
107 than on the command line even when --no-defaults is used.
108 (.mylogin.cnf is created by the mysql_config_editor utility. See
109 mysql_config_editor(1).)
110
111 For additional information about this and other option-file
112 options, see Section 4.2.2.3, “Command-Line Options that Affect
113 Option-File Handling”.
114
115 · --password=password, -p password
116
117 This option is accepted but ignored. Whether or not this option is
118 used, mysql_secure_installation always prompts the user for a
119 password.
120
121 · --port=port_num, -P port_num
122
123 For TCP/IP connections, the port number to use.
124
125 · --print-defaults
126
127 Print the program name and all options that it gets from option
128 files.
129
130 For additional information about this and other option-file
131 options, see Section 4.2.2.3, “Command-Line Options that Affect
132 Option-File Handling”.
133
134 · --protocol={TCP|SOCKET|PIPE|MEMORY}
135
136 The connection protocol to use for connecting to the server. It is
137 useful when the other connection parameters normally result in use
138 of a protocol other than the one you want. For details on the
139 permissible values, see Section 4.2.4, “Connecting to the MySQL
140 Server Using Command Options”.
141
142 · --socket=path, -S path
143
144 For connections to localhost, the Unix socket file to use, or, on
145 Windows, the name of the named pipe to use.
146
147 On Windows, this option applies only if the server was started with
148 the named_pipe system variable enabled to support named-pipe
149 connections. In addition, the the connection must be a member of
150 the Windows group specified by the named_pipe_full_access_group
151 system variable.
152
153 · --ssl*
154
155 Options that begin with --ssl specify whether to connect to the
156 server using SSL and indicate where to find SSL keys and
157 certificates. See the section called “Command Options for Encrypted
158 Connections”.
159
160 · --ssl-fips-mode={OFF|ON|STRICT} Controls whether to enable FIPS
161 mode on the client side. The --ssl-fips-mode option differs from
162 other --ssl-xxx options in that it is not used to establish
163 encrypted connections, but rather to affect which cryptographic
164 operations are permitted. See Section 6.5, “FIPS Support”.
165
166 These --ssl-fips-mode values are permitted:
167
168 · OFF: Disable FIPS mode.
169
170 · ON: Enable FIPS mode.
171
172 · STRICT: Enable “strict” FIPS mode.
173
174
175 Note
176 If the OpenSSL FIPS Object Module is not available, the only
177 permitted value for --ssl-fips-mode is OFF. In this case,
178 setting --ssl-fips-mode to ON or STRICT causes the client to
179 produce a warning at startup and to operate in non-FIPS mode.
180
181 · --tls-ciphersuites=ciphersuite_list
182
183 The permissible ciphersuites for encrypted connections that use
184 TLSv1.3. The value is a list of one or more colon-separated
185 ciphersuite names. The ciphersuites that can be named for this
186 option depend on the SSL library used to compile MySQL. For
187 details, see Section 6.3.2, “Encrypted Connection TLS Protocols and
188 Ciphers”.
189
190 This option was added in MySQL 8.0.16.
191
192 · --tls-version=protocol_list
193
194 The permissible TLS protocols for encrypted connections. The value
195 is a list of one or more comma-separated protocol names. The
196 protocols that can be named for this option depend on the SSL
197 library used to compile MySQL. For details, see Section 6.3.2,
198 “Encrypted Connection TLS Protocols and Ciphers”.
199
200 · --use-default
201
202 Execute noninteractively. This option can be used for unattended
203 installation operations.
204
205 · --user=user_name, -u user_name
206
207 The user name of the MySQL account to use for connecting to the
208 server.
209
211 Copyright © 1997, 2020, Oracle and/or its affiliates. All rights
212 reserved.
213
214 This documentation is free software; you can redistribute it and/or
215 modify it only under the terms of the GNU General Public License as
216 published by the Free Software Foundation; version 2 of the License.
217
218 This documentation is distributed in the hope that it will be useful,
219 but WITHOUT ANY WARRANTY; without even the implied warranty of
220 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
221 General Public License for more details.
222
223 You should have received a copy of the GNU General Public License along
224 with the program; if not, write to the Free Software Foundation, Inc.,
225 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA or see
226 http://www.gnu.org/licenses/.
227
228
230 For more information, please refer to the MySQL Reference Manual, which
231 may already be installed locally and which is also available online at
232 http://dev.mysql.com/doc/.
233
235 Oracle Corporation (http://dev.mysql.com/).
236
237
238
239MySQL 8.0 03/06/2020 MYSQL_SECURE_INSTALLATION(1)