Search Results: "cbf"

25 April 2007

Russell Coker: MySQL security in Debian

Currently there is a problem with the MySQL default install in Debian/Etch (and probably other distributions too): it sets up "root" with DBA access and no password by default. The following mysql command lists all MySQL accounts with Grant_priv access (one of the capabilities that gives great access to the database server) and shows their hashed passwords (as a matter of procedure I truncated the hash for my debian-sys-maint account). As you can see, the "root" and "debian-sys-maint" accounts have such access. The debian-sys-maint account is used by the Debian package management tools, and its password is stored in the /etc/mysql/debian.cnf file.

$ echo "select Host,User,Password from user where Grant_priv='y'" | mysql -u root mysql
Host User Password
localhost root
aeon root
localhost debian-sys-maint *882F90515FCEE65506CBFCD7
It seems likely that most people who have installed MySQL won't realise this problem and will continue to run their machines in that manner; this is a serious issue for multi-user machines. There is currently Debian bug #418672 about this issue. In my tests this issue affects Etch machines as well as machines running Unstable.
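An audit query and the matching fix for the default described above, added here as an example and not taken from the post. It uses the MySQL 5.0-era syntax shipped in Etch, the two root rows shown in the listing above, and placeholder passwords that must be replaced.

```sql
-- Added example (not from the original post): audit and remediate the
-- "root with no password" default. MySQL 5.0 syntax; password values
-- are placeholders. Run as: mysql -u root mysql < this_file.sql

-- 1. Audit: every account that can hand out privileges (Grant_priv)
--    and every account whose password is empty, in one listing.
SELECT Host, User, Grant_priv,
       CASE WHEN Password = '' THEN 'EMPTY' ELSE 'set' END AS password_state
FROM   mysql.user
WHERE  Grant_priv = 'Y' OR Password = ''
ORDER BY password_state, User, Host;

-- 2. Remediation: 'root'@'localhost' and 'root'@'aeon' are two separate
--    accounts (one row each above), so each needs its own SET PASSWORD.
--    Do NOT change debian-sys-maint here: its password lives in
--    /etc/mysql/debian.cnf and the package tools would stop working.
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('CHANGE-ME-placeholder');
SET PASSWORD FOR 'root'@'aeon'      = PASSWORD('CHANGE-ME-placeholder');
FLUSH PRIVILEGES;

-- 3. Re-check: after the fix this should return no rows.
SELECT Host, User FROM mysql.user WHERE Password = '';
```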
