Resetting a forgotten MySQL root password
Posted by Steve on Thu 28 Sep 2006 at 09:12
Resetting the root password of a MySQL database is trivial if you know the current password if you don't it is a little tricker. Thankfully it isn't too difficult to fix, and here we'll show one possible way of doing so.
If you've got access to the root account already, because you know the password, you can change it easily:
steve@steve:~$ mysql --user=root --pass mysql
Enter password:
mysql> update user set Password=PASSWORD('new-password-here') WHERE User='root';
Query OK, 2 rows affected (0.04 sec)
Rows matched: 2 Changed: 2 Warnings: 0
mysql> flush privileges;
Query OK, 0 rows affected (0.02 sec)
mysql> exit
Bye
However if you don't know the current password this approach will not work - you need to login to run any commands and without the password you'll not be able to login!
Thankfully there is a simple solution to this problem, we just need to start MySQL with a flag to tell it to ignore any username/password restrictions which might be in place. Once that is done you can successfully update the stored details.
First of all you will need to ensure that your database is stopped:
root@steve:~# /etc/init.d/mysql stop
Now you should start up the database in the background, via the mysqld_safe command:
root@steve:~# /usr/bin/mysqld_safe --skip-grant-tables & [1] 6702 Starting mysqld daemon with databases from /var/lib/mysql mysqld_safe[6763]: started
Here you can see the new job (number "1") has started and the server is running with the process ID (PID) of 6702.
Now that the server is running with the --skip-grant-tables flag you can connect to it without a password and complete the job:
root@steve:~$ mysql --user=root mysql
Enter password:
mysql> update user set Password=PASSWORD('new-password-here') WHERE User='root';
Query OK, 2 rows affected (0.04 sec)
Rows matched: 2 Changed: 2 Warnings: 0
mysql> flush privileges;
Query OK, 0 rows affected (0.02 sec)
mysql> exit
Bye
Now that you've done that you just need to stop the server, so that you can go back to running a secure MySQL server with password restrictions in place. First of all bring the server you started into the foreground by typing "fg", then kill it by pressing "Ctrl+c" afterwards.
This will now allow you to start the server:
root@steve:~# /etc/init.d/mysql start Starting MySQL database server: mysqld. Checking for corrupt, not cleanly closed and upgrade needing tables..
Now everything should be done and you should have regained access to your MySQL database(s); you should verify this by connecting with your new password:
root@steve:~# mysql --user=root --pass=new-password-here Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 5 to server version: 5.0.24a-Debian_4-log Type 'help;' or '\h' for help. Type '\c' to clear the buffer. mysql> exit Bye
If you'd like to automate this process you could start by looking at this simple shell script which will allow you to reset a password with one command.
Can anyone please tell me what happens if I REMOVE those two passwords from that file? What apps on the system actually use or rely on them?
Thanks!
[ Parent | Reply to this comment ]
The debian.cnf file? Well - its used by the mysql startup scripts as the config file for mysqladmin, its used (AFAIK) by the install scripts of the mysql deb's for upgrades, perhaps others too.
On a properly configured system - the debian.cnf file is root access only. If you're already root then you can restart mysql without the grant tables anyway.
[ Parent | Reply to this comment ]
Worse yet, we find one of the first comments in a visible-to-anyone public discussion on how to change the DBA's password is an open explanation about how to DEFEAT the DBA's password and take control of the database anyway. That's a pristine moment of George Bush-class arrogance and stupidity.
Heck, why don't we just post a ROADMAP for where to find the ultimate database password on billboards at major highway intersections worldwide? In fact, why make it HARD for hackers? Why not print the ultimate password on POSTAGE stamps? After all, our servers are all totally bulletproof and protected, right?
My last webhost exhibited similarly collosal arrogance by storing MySQL's root password in plain text in a file that could easily be opened and read by anyone who had root-level file access to the server. They also had a know-it-all tech on staff who tried feeding me a line of pure-BS one night until I realized what he was doing, called him on it and asked to speak to a senior tech. That tech agreed I was right and resolved my issue in less than a minute.
A few days later that same renegade-tech did a deliberate eggdrop on my server and planted a copy of cgiemail -- a popular open mail relay there. The rest as they say is history. Later, when the databases were attacked and destroyed, the path to that destruction ran straight past that "hidden password" file and into the database itself. Based on the time stamps, the database hacking and installation of cgiemail were done the same night within an hour of one another.
It turned out someone who knew as much about their servers as that renegade tech had used MySQL's root password to insert a new user into the database who had root-level privileges and could login through port 3306 from anywhere in the world.
One night the database was attacked and systematically destroyed. Later I found the muddy footprints of that secret port 3306 user all over the rubble. Need I say more?
Needless to say, the FIRST thing I did during the server rebuild was completely REMOVE that hidden MySQL password from the server. But at that point, the damage had been done.
Fortunately, I'm a 40 year IT pro and had a current backup... Enough said.
[ Parent | Reply to this comment ]
Feel free to raise a bug on the mysql packages :)
[ Parent | Reply to this comment ]
Hmm - missed a line there.
Regards to "Worse yet, we find one of the first comments in a visible-to-anyone public discussion on how to change the DBA's password is an open explanation about how to DEFEAT the DBA's password and take control of the database anyway."
I can't agree. "Security by not talking about it" isn't security to me. This file is on ALL debian systems that use debian's packaged mysql. Hardly unknown and many many machines.
The better the administrators of these systems understand on what is present on their systems and why the better.
If the file should or should not be present is an interesting argument - but - pretending it isn't there isn't going to help.
[ Parent | Reply to this comment ]
john
john.keusch@uaw-gm.org
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
export HISTCONTROL=ignorebothin your .bashrc file. With this set all you need to do to is to start the command with a space in front of it to prevent it from being written to the history file.
[ Parent | Reply to this comment ]
i once forgot the password and whilst i dont remember how i reset it the first time, whatever i did reset ALL user passwords, so the next time i used the debian-maintainer user/password and reset it that way :)
sno
[ Parent | Reply to this comment ]
Cheers,
Jonesy
[ Parent | Reply to this comment ]
[ Send Message | View Steve's Scratchpad | View Weblogs ]
Yes it probably would, still for a simple demonstration script it appears to work fairly well.
[ Parent | Reply to this comment ]
Issuing 'mysqladmin shutdown' as root will cleanly shut down the MySQL instance that you have running in the background. Better yet, you'll see the console messages that tell you it's doing this. As written, the instructions don't work with recent (ca. 2010) versions of MySQL as CTRL + C just causes the server to respawn itself.
Hope this helps.
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
mysqld --skip-grant-tables
The other steps should remain same (changing password etc). I had mysql 5 installed as a windows service, so I did the following steps:
1. stopped service
2. mysqld --skip-grant-tables
3. changed password using procedure given.
4. restarted service
That was all.
Vivek Deveshwar
[ Parent | Reply to this comment ]
A small addup for this comment.
Some of the mysql versions may not have mysqld.exe you can make use of mysqld-nt.exe
Rest of the procedure is same.
Regards,
Kishore.
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
Muchas gracias,
Ruby Ortiz
From Colombia
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
Thanks!
[ Parent | Reply to this comment ]
# dpkg -l mysql-server* | grep ii
ii mysql-server 5.0.51a-3 MySQL database server (meta package depending on the latest version)
ii mysql-server-5.0 5.0.51a-3 MySQL database server binaries
# dpkg-reconfigure mysql-server-5.0
Stopping MySQL database server: mysqld.
[debconf screen appears]
While not mandatory, it is highly
recommended that you set a password
for the MySQL administrative "root"
user.
If that field is left blank, the
password will not be changed.
New password for the MySQL "root"
user:
_______________________________________
<Ok>
Stopping MySQL database server: mysqld.
Stopping MySQL database server: mysqld.
Starting MySQL database server: mysqld.
Checking for corrupt, not cleanly closed and upgrade needing tables..
...et voilà, it seems :)
[ Parent | Reply to this comment ]
I struggled and fought for hours trying to set the root MYSQL password on my new server and failed repeatedly to make the procedure work. I was very careful to follow the proceudre I was using step-by-step and double- and triple-checked every minute detail; but I still I failed to get the password changed and I've done this BEFORE... It's NOT new to me. The only thing that WAS new to me was doing it on Debian and on MySql5 -- not RH and MySQL 3.23.54
Finally, after at least 2 dozen failures and unable to figure out why, I tossed the procedure I was using in the trash and went looking for a new one. That's when I found this well written tutorial.
Presto! Within 5 minutes I had the new password installed and had change it just to be sure. Hurray!!
Thanks, a lot, Steve. GREAT job.
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
However for Debian things get easier. First, become root. Then run:
mysql --defaults-file=/etc/mysql/debian.cnf
Now use the standard command to change the root password. You're logged in with an account with the capacity to change it. This config file is used by Debian's /etc/init.d logic for administrative purposes.
For recent docs from MySQL on fixing the root password, see http://dev.mysql.com/doc/refman/5.1/en/resetting-permissions.html
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
If you don't agree with the policy, join the MySQL Developer community and get it changed.
Or better yet, build MySQL yourself with out the options that allow it to be started in this manner.
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
Matthew
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
[ Send Message ]
[ Parent | Reply to this comment ]