Is it normal that one can access MySQL as root without entering password, although password is set?
Ubuntu's MySQL packages (which are based on Debian's) use by default the auth_socket
plugin. With this plugin when connecting from the local machine no password is required, but the server identifies the operating system user and matches that user. So if you are root on the system and login you become root. This avoids having to setup a MySQL root password first.
See also https://wiki.debian.org/MySql
You should run SHOW GRANTS FOR 'root'@'localhost';
If it shows this line in the results:
GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED VIA unix_socket WITH GRANT OPTION
and not this line:
GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD '*xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' WITH GRANT OPTION
that means the root user is automatically authenticated by the unix socket credential. If you don't want this, you can issue a manual GRANT command (don't shoot yourself in the foot doing this) that will override the previous, eg:
GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY 'mysecurepassword' WITH GRANT OPTION;
Now mysql will ask a password, but can be used by any user able to access the unix socket (so by default just using mysql -u root -p
without being root but of course knowing the password). You have to ponder which one is more secure.
I don't know why the mysql_secure_installation
doesn't explain about this.