How to access MySQL or MariaDB as root without using sudo

Password-based access to the MySQL or MariaDB root account can be required for local automation, non-interactive tooling, or admin workflows where privilege elevation via sudo is unavailable or undesirable.

Many Linux installations configure the database root account to authenticate through a local Unix socket plugin (commonly auth_socket on MySQL packages and unix_socket on MariaDB packages). This maps database authentication to the operating system user, so administrative database access typically depends on being the system root user (often via sudo).

Switching the database root account to password authentication enables mysql -u root -p from a regular shell session, but it also removes the “socket-only” safety barrier. Keep 'root'@'localhost' as the only root account entry, use a strong password, and avoid embedding credentials directly in scripts.

Steps to access MySQL or MariaDB root without sudo:

Open a terminal session with sudo access.

Socket-based authentication usually requires initial access as the system root user.
Start the MySQL or MariaDB client as the system root user.
```
$ sudo mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
mysql>
```
If mysql is unavailable but mariadb exists, use sudo mariadb.

List the authentication plugin configured for the database root account.

mysql> SELECT user, host, plugin FROM mysql.user WHERE user = 'root';
+------+-----------+-------------+
| user | host      | plugin      |
+------+-----------+-------------+
| root | localhost | auth_socket |
+------+-----------+-------------+

MariaDB commonly shows unix_socket instead of auth_socket.

Set a new password for 'root'@'localhost' to enable login without sudo.
```
mysql> ALTER USER 'root'@'localhost' IDENTIFIED BY 'NewStrongPasswordHere';
Query OK, 0 rows affected (0.00 sec)
```
Enabling password authentication for root increases risk from password guessing and credential leakage; keep root local-only and avoid storing the password in plaintext.

Re-check the root authentication plugin to confirm socket auth is no longer in use.

mysql> SELECT user, host, plugin FROM mysql.user WHERE user = 'root';
+------+-----------+-----------------------+
| user | host      | plugin                |
+------+-----------+-----------------------+
| root | localhost | caching_sha2_password |
+------+-----------+-----------------------+

MariaDB typically shows mysql_native_password after the change.

Exit the database shell.
```
mysql> exit
Bye
```
Log in as root without using sudo.
```
$ mysql -u root -p
Enter password:
mysql>
```
If login fails with Access denied, re-check the plugin value for 'root'@'localhost' using sudo access.

Verify the session is authenticated as root.

mysql> SELECT USER(), CURRENT_USER();
+----------------+----------------+
| USER()         | CURRENT_USER() |
+----------------+----------------+
| root@localhost | root@localhost |
+----------------+----------------+

Confirm no remote-host root accounts exist.

mysql> SELECT user, host, plugin FROM mysql.user WHERE user = 'root';
+------+-----------+-----------------------+
| user | host      | plugin                |
+------+-----------+-----------------------+
| root | localhost | caching_sha2_password |
+------+-----------+-----------------------+

If any root entry exists for a non-local host (for example '%' or an IP address), remove or lock it during a controlled maintenance window.

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.

Discuss the article:

Comment anonymously. Login not required.