1MYSQL_SECURE_INSTALLATION(1) MySQL Database SystemMYSQL_SECURE_INSTALLATION(1)
2
3
4

NAME

6       mysql_secure_installation - improve MySQL installation security
7

SYNOPSIS

9       mysql_secure_installation
10

DESCRIPTION

12       This program enables you to improve the security of your MySQL
13       installation in the following ways:
14
15       •   You can set a password for root accounts.
16
17       •   You can remove root accounts that are accessible from outside the
18           local host.
19
20       •   You can remove anonymous-user accounts.
21
22       •   You can remove the test database (which by default can be accessed
23           by all users, even anonymous users), and privileges that permit
24           anyone to access databases with names that start with test_.
25
26       mysql_secure_installation helps you implement security recommendations
27       similar to those described at Section 2.9.4, “Securing the Initial
28       MySQL Account”.
29
30       Normal usage is to connect to the local MySQL server; invoke
31       mysql_secure_installation without arguments:
32
33           mysql_secure_installation
34
35       When executed, mysql_secure_installation prompts you to determine which
36       actions to perform.
37
38       The validate_password component can be used for password strength
39       checking. If the plugin is not installed, mysql_secure_installation
40       prompts the user whether to install it. Any passwords entered later are
41       checked using the plugin if it is enabled.
42
43       Most of the usual MySQL client options such as --host and --port can be
44       used on the command line and in option files. For example, to connect
45       to the local server over IPv6 using port 3307, use this command:
46
47           mysql_secure_installation --host=::1 --port=3307
48
49       mysql_secure_installation supports the following options, which can be
50       specified on the command line or in the [mysql_secure_installation] and
51       [client] groups of an option file. For information about option files
52       used by MySQL programs, see Section 4.2.2.2, “Using Option Files”.
53
54       •   --help, -?  Display a help message and exit.
55
56       •   --defaults-extra-file=file_name Read this option file after the
57           global option file but (on Unix) before the user option file. If
58           the file does not exist or is otherwise inaccessible, an error
59           occurs. If file_name is not an absolute path name, it is
60           interpreted relative to the current directory.
61
62           For additional information about this and other option-file
63           options, see Section 4.2.2.3, “Command-Line Options that Affect
64           Option-File Handling”.
65
66       •   --defaults-file=file_name Use only the given option file. If the
67           file does not exist or is otherwise inaccessible, an error occurs.
68           If file_name is not an absolute path name, it is interpreted
69           relative to the current directory.
70
71           For additional information about this and other option-file
72           options, see Section 4.2.2.3, “Command-Line Options that Affect
73           Option-File Handling”.
74
75       •   --defaults-group-suffix=str Read not only the usual option groups,
76           but also groups with the usual names and a suffix of str. For
77           example, mysql_secure_installation normally reads the [client] and
78           [mysql_secure_installation] groups. If this option is given as
79           --defaults-group-suffix=_other, mysql_secure_installation also
80           reads the [client_other] and [mysql_secure_installation_other]
81           groups.
82
83           For additional information about this and other option-file
84           options, see Section 4.2.2.3, “Command-Line Options that Affect
85           Option-File Handling”.
86
87       •   --host=host_name, -h host_name Connect to the MySQL server on the
88           given host.
89
90       •   --no-defaults Do not read any option files. If program startup
91           fails due to reading unknown options from an option file,
92           --no-defaults can be used to prevent them from being read.
93
94           The exception is that the .mylogin.cnf file is read in all cases,
95           if it exists. This permits passwords to be specified in a safer way
96           than on the command line even when --no-defaults is used. To create
97           .mylogin.cnf, use the mysql_config_editor utility. See
98           mysql_config_editor(1).
99
100           For additional information about this and other option-file
101           options, see Section 4.2.2.3, “Command-Line Options that Affect
102           Option-File Handling”.
103
104       •   --password=password, -p password This option is accepted but
105           ignored. Whether or not this option is used,
106           mysql_secure_installation always prompts the user for a password.
107
108       •   --port=port_num, -P port_num For TCP/IP connections, the port
109           number to use.
110
111       •   --print-defaults Print the program name and all options that it
112           gets from option files.
113
114           For additional information about this and other option-file
115           options, see Section 4.2.2.3, “Command-Line Options that Affect
116           Option-File Handling”.
117
118       •   --protocol={TCP|SOCKET|PIPE|MEMORY} The transport protocol to use
119           for connecting to the server. It is useful when the other
120           connection parameters normally result in use of a protocol other
121           than the one you want. For details on the permissible values, see
122           Section 4.2.7, “Connection Transport Protocols”.
123
124       •   --socket=path, -S path For connections to localhost, the Unix
125           socket file to use, or, on Windows, the name of the named pipe to
126           use.
127
128           On Windows, this option applies only if the server was started with
129           the named_pipe system variable enabled to support named-pipe
130           connections. In addition, the connection must be a member of the
131           Windows group specified by the named_pipe_full_access_group system
132           variable.
133
134       •   --ssl* Options that begin with --ssl specify whether to connect to
135           the server using encryption and indicate where to find SSL keys and
136           certificates. See the section called “Command Options for Encrypted
137           Connections”.
138
139       •   --ssl-fips-mode={OFF|ON|STRICT} Controls whether to enable FIPS
140           mode on the client side. The --ssl-fips-mode option differs from
141           other --ssl-xxx options in that it is not used to establish
142           encrypted connections, but rather to affect which cryptographic
143           operations to permit. See Section 6.8, “FIPS Support”.
144
145           These --ssl-fips-mode values are permitted:
146
147           •   OFF: Disable FIPS mode.
148
149           •   ON: Enable FIPS mode.
150
151           •   STRICT: Enable “strict” FIPS mode.
152
153
154               Note
155               If the OpenSSL FIPS Object Module is not available, the only
156               permitted value for --ssl-fips-mode is OFF. In this case,
157               setting --ssl-fips-mode to ON or STRICT causes the client to
158               produce a warning at startup and to operate in non-FIPS mode.
159           As of MySQL 8.0.34, this option is deprecated. Expect it to be
160           removed in a future version of MySQL.
161
162       •   --tls-ciphersuites=ciphersuite_list The permissible ciphersuites
163           for encrypted connections that use TLSv1.3. The value is a list of
164           one or more colon-separated ciphersuite names. The ciphersuites
165           that can be named for this option depend on the SSL library used to
166           compile MySQL. For details, see Section 6.3.2, “Encrypted
167           Connection TLS Protocols and Ciphers”.
168
169           This option was added in MySQL 8.0.16.
170
171       •   --tls-version=protocol_list The permissible TLS protocols for
172           encrypted connections. The value is a list of one or more
173           comma-separated protocol names. The protocols that can be named for
174           this option depend on the SSL library used to compile MySQL. For
175           details, see Section 6.3.2, “Encrypted Connection TLS Protocols and
176           Ciphers”.
177
178       •   --use-default Execute noninteractively. This option can be used for
179           unattended installation operations.
180
181       •   --user=user_name, -u user_name The user name of the MySQL account
182           to use for connecting to the server.
183

COPYRIGHT

185       Copyright © 1997, 2023, Oracle and/or its affiliates.
186
187       This documentation is free software; you can redistribute it and/or
188       modify it only under the terms of the GNU General Public License as
189       published by the Free Software Foundation; version 2 of the License.
190
191       This documentation is distributed in the hope that it will be useful,
192       but WITHOUT ANY WARRANTY; without even the implied warranty of
193       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
194       General Public License for more details.
195
196       You should have received a copy of the GNU General Public License along
197       with the program; if not, write to the Free Software Foundation, Inc.,
198       51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA or see
199       http://www.gnu.org/licenses/.
200
201

SEE ALSO

203       For more information, please refer to the MySQL Reference Manual, which
204       may already be installed locally and which is also available online at
205       http://dev.mysql.com/doc/.
206

AUTHOR

208       Oracle Corporation (http://dev.mysql.com/).
209
210
211
212MySQL 8.0                         08/31/2023      MYSQL_SECURE_INSTALLATION(1)