Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help

       mysql_secure_installation - improve MySQL installation security


       This program enables you	to improve the security	of your	MySQL
       installation in the following ways:

       o   You can set a password for root accounts.

       o   You can remove root accounts	that are accessible from outside the
	   local host.

       o   You can remove anonymous-user accounts.

       o   You can remove the test database (which by default can be accessed
	   by all users, even anonymous	users),	and privileges that permit
	   anyone to access databases with names that start with test_.

       mysql_secure_installation helps you implement security recommendations
       similar to those	described at Section 2.10.4, "Securing the Initial
       MySQL Accounts".

       As of MySQL 5.7.2, mysql_secure_installation is an executable binary
       available on all	platforms. Before 5.7.2, it was	a script available for
       Unix and	Unix-like systems.

       Normal usage is to connect to the local MySQL server; invoke
       mysql_secure_installation without arguments:

	   shell> mysql_secure_installation

       When executed, mysql_secure_installation	prompts	you to determine which
       actions to perform.

       As of MySQL 5.7.2, mysql_secure_installation supports these additional

       o   The validate_password plugin	can be used for	password strength
	   checking. If	the plugin is not installed, mysql_secure_installation
	   prompts the user whether to install it. Any passwords entered later
	   are checked using the plugin	if it is enabled.

       o   Most	of the usual MySQL client options such as --host and --port
	   can be used on the command line and in option files.	For example,
	   to connect to the local server over IPv6 using port 3307, use this

	       shell> mysql_secure_installation	--host=::1 --port=3307

       mysql_secure_installation supports the following	options, which can be
       specified on the	command	line or	in the [mysql_secure_installation] and
       [client]	groups of an option file. For information about	option files
       used by MySQL programs, see Section 5.2.6, "Using Option	Files".

       o   --help, -?

	   Display a help message and exit.

       o   --defaults-extra-file=file_name

	   Read	this option file after the global option file but (on Unix)
	   before the user option file.	If the file does not exist or is
	   otherwise inaccessible, an error occurs.  file_name is interpreted
	   relative to the current directory if	given as a relative path name
	   rather than a full path name.

       o   --defaults-file=file_name

	   Use only the	given option file. If the file does not	exist or is
	   otherwise inaccessible, an error occurs.  file_name is interpreted
	   relative to the current directory if	given as a relative path name
	   rather than a full path name.

       o   --defaults-group-suffix=str

	   Read	not only the usual option groups, but also groups with the
	   usual names and a suffix of str. For	example,
	   mysql_secure_installation normally reads the	[client] and
	   [mysql_secure_installation] groups. If the
	   --defaults-group-suffix=_other option is given,
	   mysql_secure_installation also reads	the [client_other] and
	   [mysql_secure_installation_other] groups.

       o   --host=host_name, -h	host_name

	   Connect to the MySQL	server on the given host.

       o   --no-defaults

	   Do not read any option files. If program startup fails due to
	   reading unknown options from	an option file,	--no-defaults can be
	   used	to prevent them	from being read.

	   The exception is that the .mylogin.cnf file,	if it exists, is read
	   in all cases. This permits passwords	to be specified	in a safer way
	   than	on the command line even when --no-defaults is used.
	   (.mylogin.cnf is created by the mysql_config_editor utility.	See

       o   --password=password,	-p password

	   This	option is accepted but ignored.	Whether	or not this option is
	   used, mysql_secure_installation always prompts the user for a

       o   --port=port_num, -P port_num

	   The TCP/IP port number to use for the connection.

       o   --print-defaults

	   Print the program name and all options that it gets from option

       o   --protocol={TCP|SOCKET|PIPE|MEMORY}

	   The connection protocol to use for connecting to the	server.	It is
	   useful when the other connection parameters normally	would cause a
	   protocol to be used other than the one you want. For	details	on the
	   permissible values, see Section 5.2.2, "Connecting to the MySQL

       o   --socket=path, -S path

	   For connections to localhost, the Unix socket file to use, or, on
	   Windows, the	name of	the named pipe to use.

       o   --ssl*

	   Options that	begin with --ssl specify whether to connect to the
	   server using	SSL and	indicate where to find SSL keys	and
	   certificates. See Section 7.4.5, "Command Options for Secure

       o   --tls-version=protocol_list

	   The protocols permitted by the client for encrypted connections.
	   The value is	a comma-separated list containing one or more protocol
	   names. The protocols	that can be named for this option depend on
	   the SSL library used	to compile MySQL. For details, see
	   Section 7.4.3, "Secure Connection Protocols and Ciphers".

	   This	option was added in MySQL 5.7.10.

       o   --use-default

	   Execute noninteractively. This option can be	used for unattended
	   installation	operations. This option	was added in MySQL 5.7.4.

       o   --user=user_name, -u	user_name

	   The MySQL user name to use when connecting to the server.

       Copyright (C) 1997, 2016, Oracle	and/or its affiliates. All rights

       This documentation is free software; you	can redistribute it and/or
       modify it only under the	terms of the GNU General Public	License	as
       published by the	Free Software Foundation; version 2 of the License.

       This documentation is distributed in the	hope that it will be useful,
       but WITHOUT ANY WARRANTY; without even the implied warranty of
       General Public License for more details.

       You should have received	a copy of the GNU General Public License along
       with the	program; if not, write to the Free Software Foundation,	Inc.,
       51 Franklin Street, Fifth Floor,	Boston,	MA 02110-1301 USA or see

       For more	information, please refer to the MySQL Reference Manual, which
       may already be installed	locally	and which is also available online at

       Oracle Corporation (

MySQL 5.7			  09/28/2016		  MYSQL_SECURE_INST(1)


Want to link to this manual page? Use this URL:

home | help