1MYSQL_SECURE_INSTALLATION(1) MySQL Database SystemMYSQL_SECURE_INSTALLATION(1)
2
3
4
6 mysql_secure_installation - improve MySQL installation security
7
9 mysql_secure_installation
10
12 This program enables you to improve the security of your MySQL
13 installation in the following ways:
14
15 · You can set a password for root accounts.
16
17 · You can remove root accounts that are accessible from outside the
18 local host.
19
20 · You can remove anonymous-user accounts.
21
22 · You can remove the test database (which by default can be accessed
23 by all users, even anonymous users), and privileges that permit
24 anyone to access databases with names that start with test_.
25
26 mysql_secure_installation helps you implement security recommendations
27 similar to those described at Section 2.10.4, “Securing the Initial
28 MySQL Account”.
29
30 Normal usage is to connect to the local MySQL server; invoke
31 mysql_secure_installation without arguments:
32
33 shell> mysql_secure_installation
34
35 When executed, mysql_secure_installation prompts you to determine which
36 actions to perform.
37
38 The validate_password component can be used for password strength
39 checking. If the plugin is not installed, mysql_secure_installation
40 prompts the user whether to install it. Any passwords entered later are
41 checked using the plugin if it is enabled.
42
43 Most of the usual MySQL client options such as --host and --port can be
44 used on the command line and in option files. For example, to connect
45 to the local server over IPv6 using port 3307, use this command:
46
47 shell> mysql_secure_installation --host=::1 --port=3307
48
49 mysql_secure_installation supports the following options, which can be
50 specified on the command line or in the [mysql_secure_installation] and
51 [client] groups of an option file. For information about option files
52 used by MySQL programs, see Section 4.2.2.2, “Using Option Files”.
53
54 · --help, -? Display a help message and exit.
55
56 · --defaults-extra-file=file_name Read this option file after the
57 global option file but (on Unix) before the user option file. If
58 the file does not exist or is otherwise inaccessible, an error
59 occurs. file_name is interpreted relative to the current directory
60 if given as a relative path name rather than a full path name.
61
62 For additional information about this and other option-file
63 options, see Section 4.2.2.3, “Command-Line Options that Affect
64 Option-File Handling”.
65
66 · --defaults-file=file_name Use only the given option file. If the
67 file does not exist or is otherwise inaccessible, an error occurs.
68 file_name is interpreted relative to the current directory if given
69 as a relative path name rather than a full path name.
70
71 For additional information about this and other option-file
72 options, see Section 4.2.2.3, “Command-Line Options that Affect
73 Option-File Handling”.
74
75 · --defaults-group-suffix=str Read not only the usual option groups,
76 but also groups with the usual names and a suffix of str. For
77 example, mysql_secure_installation normally reads the [client] and
78 [mysql_secure_installation] groups. If the
79 --defaults-group-suffix=_other option is given,
80 mysql_secure_installation also reads the [client_other] and
81 [mysql_secure_installation_other] groups.
82
83 For additional information about this and other option-file
84 options, see Section 4.2.2.3, “Command-Line Options that Affect
85 Option-File Handling”.
86
87 · --host=host_name, -h host_name Connect to the MySQL server on the
88 given host.
89
90 · --no-defaults Do not read any option files. If program startup
91 fails due to reading unknown options from an option file,
92 --no-defaults can be used to prevent them from being read.
93
94 The exception is that the .mylogin.cnf file, if it exists, is read
95 in all cases. This permits passwords to be specified in a safer way
96 than on the command line even when --no-defaults is used.
97 (.mylogin.cnf is created by the mysql_config_editor utility. See
98 mysql_config_editor(1).)
99
100 For additional information about this and other option-file
101 options, see Section 4.2.2.3, “Command-Line Options that Affect
102 Option-File Handling”.
103
104 · --password=password, -p password This option is accepted but
105 ignored. Whether or not this option is used,
106 mysql_secure_installation always prompts the user for a password.
107
108 · --port=port_num, -P port_num For TCP/IP connections, the port
109 number to use.
110
111 · --print-defaults Print the program name and all options that it
112 gets from option files.
113
114 For additional information about this and other option-file
115 options, see Section 4.2.2.3, “Command-Line Options that Affect
116 Option-File Handling”.
117
118 · --protocol={TCP|SOCKET|PIPE|MEMORY} The transport protocol to use
119 for connecting to the server. It is useful when the other
120 connection parameters normally result in use of a protocol other
121 than the one you want. For details on the permissible values, see
122 Section 4.2.7, “Connection Transport Protocols”.
123
124 · --socket=path, -S path For connections to localhost, the Unix
125 socket file to use, or, on Windows, the name of the named pipe to
126 use.
127
128 On Windows, this option applies only if the server was started with
129 the named_pipe system variable enabled to support named-pipe
130 connections. In addition, the the connection must be a member of
131 the Windows group specified by the named_pipe_full_access_group
132 system variable.
133
134 · --ssl* Options that begin with --ssl specify whether to connect to
135 the server using SSL and indicate where to find SSL keys and
136 certificates. See the section called “Command Options for Encrypted
137 Connections”.
138
139 · --ssl-fips-mode={OFF|ON|STRICT} Controls whether to enable FIPS
140 mode on the client side. The --ssl-fips-mode option differs from
141 other --ssl-xxx options in that it is not used to establish
142 encrypted connections, but rather to affect which cryptographic
143 operations to permit. See Section 6.8, “FIPS Support”.
144
145 These --ssl-fips-mode values are permitted:
146
147 · OFF: Disable FIPS mode.
148
149 · ON: Enable FIPS mode.
150
151 · STRICT: Enable “strict” FIPS mode.
152
153
154 Note
155 If the OpenSSL FIPS Object Module is not available, the only
156 permitted value for --ssl-fips-mode is OFF. In this case,
157 setting --ssl-fips-mode to ON or STRICT causes the client to
158 produce a warning at startup and to operate in non-FIPS mode.
159
160 · --tls-ciphersuites=ciphersuite_list The permissible ciphersuites
161 for encrypted connections that use TLSv1.3. The value is a list of
162 one or more colon-separated ciphersuite names. The ciphersuites
163 that can be named for this option depend on the SSL library used to
164 compile MySQL. For details, see Section 6.3.2, “Encrypted
165 Connection TLS Protocols and Ciphers”.
166
167 This option was added in MySQL 8.0.16.
168
169 · --tls-version=protocol_list The permissible TLS protocols for
170 encrypted connections. The value is a list of one or more
171 comma-separated protocol names. The protocols that can be named for
172 this option depend on the SSL library used to compile MySQL. For
173 details, see Section 6.3.2, “Encrypted Connection TLS Protocols and
174 Ciphers”.
175
176 · --use-default Execute noninteractively. This option can be used for
177 unattended installation operations.
178
179 · --user=user_name, -u user_name The user name of the MySQL account
180 to use for connecting to the server.
181
183 Copyright © 1997, 2020, Oracle and/or its affiliates.
184
185 This documentation is free software; you can redistribute it and/or
186 modify it only under the terms of the GNU General Public License as
187 published by the Free Software Foundation; version 2 of the License.
188
189 This documentation is distributed in the hope that it will be useful,
190 but WITHOUT ANY WARRANTY; without even the implied warranty of
191 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
192 General Public License for more details.
193
194 You should have received a copy of the GNU General Public License along
195 with the program; if not, write to the Free Software Foundation, Inc.,
196 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA or see
197 http://www.gnu.org/licenses/.
198
199
201 For more information, please refer to the MySQL Reference Manual, which
202 may already be installed locally and which is also available online at
203 http://dev.mysql.com/doc/.
204
206 Oracle Corporation (http://dev.mysql.com/).
207
208
209
210MySQL 8.0 11/26/2020 MYSQL_SECURE_INSTALLATION(1)