I was wondering, why this is possible. sudo mysql logs me in as root@localhost. I consider this as a security risk, because if one makes that on my server this simple order opens MySQL to him.
On another machine I was following the steps outlined here https://www.digitalocean.com/community/tutorials/how-to-install-mysql-on-ubuntu-20-04 instead of using this ansible setup, especially those in the red box, which define the preparations necessary to be run before sudo mysql_secure_installation. There it is not possible to just simply sudo mysql. It turns out, that the couple of initial actions make sure that this is not possible:
Would it be possible to achieve the same degree of security with the ansible script?
Of course, on both machines sudo mysql -p and then providing the root password is possible, but one need to know it.
I might be missing something, maybe the root password is stored anyway somewhere on the machine, but I would feel better, if sudo mysql wouldn't be possible just so.
EDIT: At least /var/log/syslog holds the root password after installation, nice...
Feb 14 13:54:19 ca python3[22583]: ansible-ansible.legacy.command Invoked with _raw_params=mysql -u root -NBe "ALTER USER 'root'@'localhost'#012 IDENTIFIED WITH mysql_native_password BY '****'; FLUSH PRIVILEGES;"#012 _uses_shell=True expand_argument_vars=True stdin_add_newline=True strip_empty_
EDIT2: But at least the sudo password must be provided once... Maybe I'm too paranoid...
I was wondering, why this is possible.
sudo mysql
logs me in asroot@localhost
. I consider this as a security risk, because if one makes that on my server this simple order opens MySQL to him.On another machine I was following the steps outlined here https://www.digitalocean.com/community/tutorials/how-to-install-mysql-on-ubuntu-20-04 instead of using this ansible setup, especially those in the red box, which define the preparations necessary to be run before
sudo mysql_secure_installation
. There it is not possible to just simplysudo mysql
. It turns out, that the couple of initial actions make sure that this is not possible:Would it be possible to achieve the same degree of security with the ansible script?
Of course, on both machines
sudo mysql -p
and then providing the root password is possible, but one need to know it.I might be missing something, maybe the root password is stored anyway somewhere on the machine, but I would feel better, if
sudo mysql
wouldn't be possible just so.EDIT: At least
/var/log/syslog
holds the root password after installation, nice...Feb 14 13:54:19 ca python3[22583]: ansible-ansible.legacy.command Invoked with _raw_params=mysql -u root -NBe "ALTER USER 'root'@'localhost'#012 IDENTIFIED WITH mysql_native_password BY '****'; FLUSH PRIVILEGES;"#012 _uses_shell=True expand_argument_vars=True stdin_add_newline=True strip_empty_
EDIT2: But at least the sudo password must be provided once... Maybe I'm too paranoid...