Status: Open (View Workflow)
Affects Version/s: None
Fix Version/s: None
Due to historical reasons, a lot of people have learnt that running mysql_secure_installation after installing MySQL is a good routine.
In reality mysql_secure_installation has been useless for years.
- It removes anonymous users – but the default MariaDB installation has none
- It removes the tmp database – but the default MariaDB installation has none
- It sets a root password and writes it into my.cnf – which makes the security posture worse compared to a default MariaDB installation with pure unix socket authentication and now passwords that could leak or be guessed
- It removes remote root access account – but those don't have any access in a default MariaDB installation, and remote root is the only reason one would ever want to have a root password at all, so the script is just silly now
It would be better to remove the whole thing and just replace it with a notice "The command mysql_secure_installation has been deprecated – MariaDB is secure by default and there are no actions that need to be taken after installing MariaDB. This script does not improve the security of MariaDB at all."
Looking at the history of the script nobody has ever stopped to think does it make any sense at all nowadays: https://github.com/MariaDB/server/commits/193bfdd831bbbf65e74acd12baf691d4305e3c11/scripts/mysql_secure_installation.sh
In the past 10 years nobody has done anything to improve the security features, all commits are pure bug fixes. And there is still more bugfixes needed to make it fully work:
Rather than invest time in fixing bugs in a script that is useless, just get rid of the script that is only misleading users and replace it with a notice so users can unlearn from the routine of having to run it.