Werzi2001

Reputation: 2135

Security of MySQL default password in Docker

Currently I'm playing a little with MySQL within Docker and was asking myself how to handle the (root) password. The container will not be reachable from the outside (no port forwarding to host) but just from within the Docker network (Docker Compose).

From my current perspective I can just use a default/simple password, as the MySQL server won't be accessible except from within Docker, and anybody having access to Docker is root (at least root-like) anyway (therefore having access to the database anyway, e.g. by accessing the files directly). Is this right or am I missing something?

Upvotes: 2

Views: 1202

Answers (1)

digijay

Reputation: 1366

I wouldn't rely on it! For example, if you at some later point had a webserver installed using it to provide an application like e.g. phpMyAdmin, it would be easy to attack your db.

In most cases the attack vector is not the service itself but other applications using it, and thus exposing the service, phpMyAdmin being a very good example imo. Another example would be SQL injections, and if an attacker should gain access to your MySQL root account, he would have access to your filesystem. In regard to this I would recommend that you have a look at the MySQL Security Guidelines. Thus you should always use a secure password, particularly for users having GRANT, FILE or PROCESS privileges.

Should you have a Debian or other Debian based OS installed, you can easily access the database on the shell by using the debian-sys-maint user like this:

# mysql --defaults-file=/etc/mysql/debian.cnf

which gives you root access without being prompted for a password.

I hope this helps, keep it secure!

Upvotes: 3
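
An added example, not part of the question or the answer above: a Docker Compose file that keeps the database unpublished as in the question, but takes the root password from a secret file and gives the application its own account instead of root. Service, network, image and path names, and the app's `DB_*` variables, are assumptions.

```yaml
# Constructed example: service, network, image and path names are assumptions.
# Weak variant from the question, kept as comments for comparison:
#   db:  environment: { MYSQL_ROOT_PASSWORD: root }   # guessable, shown by `docker inspect`
#   app: environment: { DB_USER: root }               # an injection bug then acts as root
services:
  db:
    image: mysql:8.0
    environment:
      # The official mysql image supports a _FILE variant of these variables.
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
      MYSQL_DATABASE: appdb
      # Created with rights on appdb only: no global FILE, PROCESS or GRANT OPTION.
      MYSQL_USER: appuser
      MYSQL_PASSWORD_FILE: /run/secrets/db_app_password
    secrets: [db_root_password, db_app_password]
    networks: [backend]          # no "ports:" entry, as in the question
    volumes:
      - db_data:/var/lib/mysql
  app:
    image: example/app:latest    # hypothetical application image
    environment:
      DB_HOST: db
      DB_NAME: appdb
      DB_USER: appuser           # never root
      DB_PASSWORD_FILE: /run/secrets/db_app_password   # hypothetical variable the app reads
    secrets: [db_app_password]
    networks: [backend, frontend]
networks:
  backend:
    internal: true               # externally isolated network
  frontend: {}
secrets:
  # Generate each file once, e.g. `openssl rand -base64 32`, and keep it out of version control.
  db_root_password:
    file: ./secrets/db_root_password.txt
  db_app_password:
    file: ./secrets/db_app_password.txt
volumes:
  db_data: {}
```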
