Creating MySQL database and user without password Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 23, 2019 at 00:00UTC (8:00pm US/Eastern) 2019 Community Moderator Election Results Why I closed the “Why is Kali so hard” questionHow to grant a “no-root-user” rights to start/stop/restart mysql server on suse machine?Force pubkey-auth user to set password at first loginHow to set Linux to ask for authentication when running potentially dangerous commands?Running SQL call as root user in init.d script?Export mysql to remote server using one SSH sessionSilent MySQL Server installationProblems with MySQL 5.7 and reset root password when use mysql_config_editorUser can't change password using passwd (pam config)Cannot connect to MySql using PHP on LinuxPreventing any external mysql login tries
What would you call this weird metallic apparatus that allows you to lift people?
What order were files/directories outputted in dir?
Why does it sometimes sound good to play a grace note as a lead in to a note in a melody?
How do I find out the mythology and history of my Fortress?
Is it fair for a professor to grade us on the possession of past papers?
Amount of permutations on an NxNxN Rubik's Cube
Would it be easier to apply for a UK visa if there is a host family to sponsor for you in going there?
Why is it faster to reheat something than it is to cook it?
Is this another way of expressing the side limit?
How to draw/optimize this graph with tikz
How come Sam didn't become Lord of Horn Hill?
How does light 'choose' between wave and particle behaviour?
Selecting user stories during sprint planning
Hangman Game with C++
Is it possible for SQL statements to execute concurrently within a single session in SQL Server?
Would it be possible to dictate a bech32 address as a list of English words?
How were pictures turned from film to a big picture in a picture frame before digital scanning?
Do I really need to have a message in a novel to appeal to readers?
How to get all distinct words within a set of lines?
Why are vacuum tubes still used in amateur radios?
Should I use a zero-interest credit card for a large one-time purchase?
Strange behavior of Object.defineProperty() in JavaScript
Generate an RGB colour grid
Is grep documentation about ignoring case wrong, since it doesn't ignore case in filenames?
Creating MySQL database and user without password
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 23, 2019 at 00:00UTC (8:00pm US/Eastern)
2019 Community Moderator Election Results
Why I closed the “Why is Kali so hard” questionHow to grant a “no-root-user” rights to start/stop/restart mysql server on suse machine?Force pubkey-auth user to set password at first loginHow to set Linux to ask for authentication when running potentially dangerous commands?Running SQL call as root user in init.d script?Export mysql to remote server using one SSH sessionSilent MySQL Server installationProblems with MySQL 5.7 and reset root password when use mysql_config_editorUser can't change password using passwd (pam config)Cannot connect to MySql using PHP on LinuxPreventing any external mysql login tries
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
I am building a set of bash scripts which basically prepare apache virtual hosts, git repositories and other stuff on a cloud server. So far so good, everything is working, but a big problem occurred: MySQL database and users creation.
The current scripts use ssh with keys to authenticate to the cloud server and everyone from my team can execute commands. I want to keep it this way and somehow let them create new MySQL database and user without needing to login to mysql as root or any other user with high privileges, but I don't have any solution for this.
Idea #1 is to create a new mysql user without password and give it full rights (like root) but make it usable only @'localhost'.
Idea #2 is to store the password for this MySQL control user in a file and make it accessible only to the current ssh user which the other scripts use. Then the mysql login will use this stored password to login and create the database and user.
I don't know which option is better and I know they are dangerous. I ask for opinion and any better ideas.
bash shell-script mysql authentication key-authentication
asked May 10 '14 at 14:11
Ivan DokovIvan Dokov
14810
add a comment |
I am building a set of bash scripts which basically prepare apache virtual hosts, git repositories and other stuff on a cloud server. So far so good, everything is working, but a big problem occurred: MySQL database and users creation.
The current scripts use ssh with keys to authenticate to the cloud server and everyone from my team can execute commands. I want to keep it this way and somehow let them create new MySQL database and user without needing to login to mysql as root or any other user with high privileges, but I don't have any solution for this.
Idea #1 is to create a new mysql user without password and give it full rights (like root) but make it usable only @'localhost'.
Idea #2 is to store the password for this MySQL control user in a file and make it accessible only to the current ssh user which the other scripts use. Then the mysql login will use this stored password to login and create the database and user.
I don't know which option is better and I know they are dangerous. I ask for opinion and any better ideas.
bash shell-script mysql authentication key-authentication
asked May 10 '14 at 14:11
Ivan DokovIvan Dokov
14810
dragly.org/2012/03/19/…
– Creek
May 10 '14 at 16:41
As an update to an old question, mysql/mariadb now support unix socket authentication. if connecting via socket and not tcp/ip, the local user name is trusted if it matches the logged in user running the command.
– ivanivan
Dec 10 '18 at 2:53
add a comment |
I am building a set of bash scripts which basically prepare apache virtual hosts, git repositories and other stuff on a cloud server. So far so good, everything is working, but a big problem occurred: MySQL database and users creation.
The current scripts use ssh with keys to authenticate to the cloud server and everyone from my team can execute commands. I want to keep it this way and somehow let them create new MySQL database and user without needing to login to mysql as root or any other user with high privileges, but I don't have any solution for this.
Idea #1 is to create a new mysql user without password and give it full rights (like root) but make it usable only @'localhost'.
Idea #2 is to store the password for this MySQL control user in a file and make it accessible only to the current ssh user which the other scripts use. Then the mysql login will use this stored password to login and create the database and user.
I don't know which option is better and I know they are dangerous. I ask for opinion and any better ideas.
bash shell-script mysql authentication key-authentication
asked May 10 '14 at 14:11
Ivan DokovIvan Dokov
14810
I am building a set of bash scripts which basically prepare apache virtual hosts, git repositories and other stuff on a cloud server. So far so good, everything is working, but a big problem occurred: MySQL database and users creation.
The current scripts use ssh with keys to authenticate to the cloud server and everyone from my team can execute commands. I want to keep it this way and somehow let them create new MySQL database and user without needing to login to mysql as root or any other user with high privileges, but I don't have any solution for this.
Idea #1 is to create a new mysql user without password and give it full rights (like root) but make it usable only @'localhost'.
Idea #2 is to store the password for this MySQL control user in a file and make it accessible only to the current ssh user which the other scripts use. Then the mysql login will use this stored password to login and create the database and user.
I don't know which option is better and I know they are dangerous. I ask for opinion and any better ideas.
bash shell-script mysql authentication key-authentication
bash shell-script mysql authentication key-authentication
asked May 10 '14 at 14:11
Ivan DokovIvan Dokov
14810
asked May 10 '14 at 14:11
Ivan DokovIvan Dokov
14810
edited May 10 '14 at 14:16
Ivan Dokov
asked May 10 '14 at 14:11
Ivan DokovIvan Dokov
14810
asked May 10 '14 at 14:11
Ivan DokovIvan Dokov
14810
asked May 10 '14 at 14:11
Ivan DokovIvan Dokov
14810
14810
dragly.org/2012/03/19/…
– Creek
May 10 '14 at 16:41
As an update to an old question, mysql/mariadb now support unix socket authentication. if connecting via socket and not tcp/ip, the local user name is trusted if it matches the logged in user running the command.
– ivanivan
Dec 10 '18 at 2:53
add a comment |
dragly.org/2012/03/19/…
– Creek
May 10 '14 at 16:41
As an update to an old question, mysql/mariadb now support unix socket authentication. if connecting via socket and not tcp/ip, the local user name is trusted if it matches the logged in user running the command.
– ivanivan
Dec 10 '18 at 2:53
dragly.org/2012/03/19/…
– Creek
May 10 '14 at 16:41
dragly.org/2012/03/19/…
– Creek
May 10 '14 at 16:41
As an update to an old question, mysql/mariadb now support unix socket authentication. if connecting via socket and not tcp/ip, the local user name is trusted if it matches the logged in user running the command.
– ivanivan
Dec 10 '18 at 2:53
As an update to an old question, mysql/mariadb now support unix socket authentication. if connecting via socket and not tcp/ip, the local user name is trusted if it matches the logged in user running the command.
– ivanivan
Dec 10 '18 at 2:53
add a comment |
1 Answer
1
active
oldest
votes
You want to make the unix user and mysql user that your team use have the least access privileges possible while still allowing them to do what you want. It seems like both your ideas allow more access privileges than necessary. Better for the team mysql user to:
- only have CREATE access or just whatever access they need (restricts what your team can do to the minimum). You give a mysql user access using the GRANT statement.
- store user/password in
~/my.cnffile with only owner read access (doesn't restrict your team any more, but keeps others from seeing the login if they get to see the script).
The above is easy to do and a big improvement.
A better idea, but more work, would be to not allow the team user access to create databases but just to place a requests to set up sites in some queue, which another user script that only you control (and which only has the access it needs to) would process regularly to set up the sites. The queue could be a file with each line a request, a directory with each file a request or a database table with each record a request. It depends on how much you want to secure your system.
In general you should be using unix and mysql users that don't have as much access as root. I create a working mysql user for myself that can create and delete databases and do only the operations I regularly use. I only use root or a user with similar privileges if I need to set up another user to grant it access privileges. In a script I make the user as restricted as possible to limit the damage if it goes awry.
answered May 12 '14 at 7:32
jamtinjamtin
733
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f128789%2fcreating-mysql-database-and-user-without-password%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
You want to make the unix user and mysql user that your team use have the least access privileges possible while still allowing them to do what you want. It seems like both your ideas allow more access privileges than necessary. Better for the team mysql user to:
- only have CREATE access or just whatever access they need (restricts what your team can do to the minimum). You give a mysql user access using the GRANT statement.
- store user/password in
~/my.cnffile with only owner read access (doesn't restrict your team any more, but keeps others from seeing the login if they get to see the script).
The above is easy to do and a big improvement.
A better idea, but more work, would be to not allow the team user access to create databases but just to place a requests to set up sites in some queue, which another user script that only you control (and which only has the access it needs to) would process regularly to set up the sites. The queue could be a file with each line a request, a directory with each file a request or a database table with each record a request. It depends on how much you want to secure your system.
In general you should be using unix and mysql users that don't have as much access as root. I create a working mysql user for myself that can create and delete databases and do only the operations I regularly use. I only use root or a user with similar privileges if I need to set up another user to grant it access privileges. In a script I make the user as restricted as possible to limit the damage if it goes awry.
answered May 12 '14 at 7:32
jamtinjamtin
733
add a comment |
You want to make the unix user and mysql user that your team use have the least access privileges possible while still allowing them to do what you want. It seems like both your ideas allow more access privileges than necessary. Better for the team mysql user to:
- only have CREATE access or just whatever access they need (restricts what your team can do to the minimum). You give a mysql user access using the GRANT statement.
- store user/password in
~/my.cnffile with only owner read access (doesn't restrict your team any more, but keeps others from seeing the login if they get to see the script).
The above is easy to do and a big improvement.
A better idea, but more work, would be to not allow the team user access to create databases but just to place a requests to set up sites in some queue, which another user script that only you control (and which only has the access it needs to) would process regularly to set up the sites. The queue could be a file with each line a request, a directory with each file a request or a database table with each record a request. It depends on how much you want to secure your system.
In general you should be using unix and mysql users that don't have as much access as root. I create a working mysql user for myself that can create and delete databases and do only the operations I regularly use. I only use root or a user with similar privileges if I need to set up another user to grant it access privileges. In a script I make the user as restricted as possible to limit the damage if it goes awry.
answered May 12 '14 at 7:32
jamtinjamtin
733
add a comment |
You want to make the unix user and mysql user that your team use have the least access privileges possible while still allowing them to do what you want. It seems like both your ideas allow more access privileges than necessary. Better for the team mysql user to:
- only have CREATE access or just whatever access they need (restricts what your team can do to the minimum). You give a mysql user access using the GRANT statement.
- store user/password in
~/my.cnffile with only owner read access (doesn't restrict your team any more, but keeps others from seeing the login if they get to see the script).
The above is easy to do and a big improvement.
A better idea, but more work, would be to not allow the team user access to create databases but just to place a requests to set up sites in some queue, which another user script that only you control (and which only has the access it needs to) would process regularly to set up the sites. The queue could be a file with each line a request, a directory with each file a request or a database table with each record a request. It depends on how much you want to secure your system.
In general you should be using unix and mysql users that don't have as much access as root. I create a working mysql user for myself that can create and delete databases and do only the operations I regularly use. I only use root or a user with similar privileges if I need to set up another user to grant it access privileges. In a script I make the user as restricted as possible to limit the damage if it goes awry.
answered May 12 '14 at 7:32
jamtinjamtin
733
You want to make the unix user and mysql user that your team use have the least access privileges possible while still allowing them to do what you want. It seems like both your ideas allow more access privileges than necessary. Better for the team mysql user to:
- only have CREATE access or just whatever access they need (restricts what your team can do to the minimum). You give a mysql user access using the GRANT statement.
- store user/password in
~/my.cnffile with only owner read access (doesn't restrict your team any more, but keeps others from seeing the login if they get to see the script).
The above is easy to do and a big improvement.
A better idea, but more work, would be to not allow the team user access to create databases but just to place a requests to set up sites in some queue, which another user script that only you control (and which only has the access it needs to) would process regularly to set up the sites. The queue could be a file with each line a request, a directory with each file a request or a database table with each record a request. It depends on how much you want to secure your system.
In general you should be using unix and mysql users that don't have as much access as root. I create a working mysql user for myself that can create and delete databases and do only the operations I regularly use. I only use root or a user with similar privileges if I need to set up another user to grant it access privileges. In a script I make the user as restricted as possible to limit the damage if it goes awry.
answered May 12 '14 at 7:32
jamtinjamtin
733
answered May 12 '14 at 7:32
jamtinjamtin
733
answered May 12 '14 at 7:32
jamtinjamtin
733
answered May 12 '14 at 7:32
jamtinjamtin
733
733
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f128789%2fcreating-mysql-database-and-user-without-password%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
dragly.org/2012/03/19/…
– Creek
May 10 '14 at 16:41
As an update to an old question, mysql/mariadb now support unix socket authentication. if connecting via socket and not tcp/ip, the local user name is trusted if it matches the logged in user running the command.
– ivanivan
Dec 10 '18 at 2:53