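#!/bin/sh

# Copyright (C) 2002 MySQL AB and Jeremy Cole
# 
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
# 
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# 
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

# Scratch files, created in the current working directory and named after
# this shell's PID.  $config receives the root password in clear text
# (see make_config); $command receives each SQL statement (see do_query).
# NOTE(review): the names are predictable and relative to the caller's
# working directory, so the script should be run from a directory that
# only the invoking user can write to.
config=".my.cnf.$$"
command=".mysql.$$"

# Run the interrupt handler on hangup (1) and termination (15) as well as
# on Ctrl-C (2), so the password-bearing scratch files are removed and
# terminal echo is restored on those exit paths too.
trap "interrupt" 1 2 15

# Current root password, filled in by get_root_password/set_root_password.
rootpass=""
# echo portability settings, filled in by set_echo_compat.
echo_n=
echo_c=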
# Work out how this shell's echo suppresses the trailing newline and record
# the answer in echo_n / echo_c, which the prompts use as
#   echo $echo_n "text $echo_c"
# Two probes are run: one with a trailing \c and one with a leading -n.
set_echo_compat() {
    case "$(echo "testing\c"),$(echo -n testing)" in
        # Neither form worked: \c and -n were both printed literally.
        *c*,-n*)
            echo_n=
            echo_c=
            ;;
        # \c was printed literally but -n was consumed: use -n.
        *c*,*)
            echo_n=-n
            echo_c=
            ;;
        # \c was consumed: use \c.
        *)
            echo_n=
            echo_c='\c'
            ;;
    esac
}
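# Create the two scratch files ($config and $command) with mode 0600.
#
# The files later hold the root password and the SQL being run, so they are
# created under a 077 umask (no window in which they are readable by other
# users) and with noclobber set, which makes the redirection fail instead of
# writing through a file or symlink that already sits at the predictable
# name.  On failure the script aborts rather than continuing with a file it
# did not create.
#
# Globals: config, command (read)
# Exits:   1 if either file cannot be created exclusively
prepare() {
    for scratch in "$config" "$command"; do
        # Subshell keeps the umask and noclobber changes local.
        if ! ( umask 077 && set -C && : >"$scratch" ) 2>/dev/null; then
            echo "Cannot create $scratch safely (does it already exist?); aborting." >&2
            exit 1
        fi
    done
    chmod 600 "$config" "$command"
}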
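# Run one SQL statement through the mysql client.
#
# The statement is written to $command and fed to mysql on stdin, and the
# credentials come from --defaults-file, so neither the SQL nor the password
# appears on the client's command line.
#
# Arguments: $1 - SQL text (may be empty, which only tests the login)
# Globals:   config, command (read)
# Returns:   the exit status of the mysql client
do_query() {
    # printf with a quoted argument writes the statement verbatim; an
    # unquoted echo would word-split it, expand globs such as '*' against
    # the current directory, and on some shells interpret backslashes.
    printf '%s\n' "$1" >"$command"
    mysql --defaults-file="$config" <"$command"
}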
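# Write the client option file that do_query passes via --defaults-file.
#
# The password is written as a single-quoted value with backslashes and
# single quotes backslash-escaped, so that a password containing '#',
# quotes, backslashes or surrounding spaces is not truncated or mangled
# when the option file is parsed.
# NOTE(review): this relies on the client's option-file parser honouring
# quoted values and backslash escapes -- confirm against the client this
# tree ships.
#
# Globals: rootpass, config (read)
make_config() {
    esc_rootpass=$(printf '%s\n' "$rootpass" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g")
    # One redirection for the whole file; printf avoids echo's
    # shell-dependent backslash handling.
    {
        printf '%s\n' "# mysql_secure_installation config file"
        printf '%s\n' "[mysql]"
        printf '%s\n' "user=root"
        printf '%s\n' "password='$esc_rootpass'"
    } >"$config"
}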
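# Prompt for the current root password until a login with it succeeds.
#
# Each attempt rewrites the option file (make_config) and runs an empty
# query (do_query "") purely to test the credentials.
#
# Globals: rootpass (written) - the password that worked
#          hadpass  (written) - 0 if the accepted password was empty, else 1
#          password, status (written, scratch)
get_root_password() {
    status=1
    # Retry on any non-zero status: treating only status 1 as failure would
    # report success when the client could not be run at all.
    while [ "$status" -ne 0 ]; do
        stty -echo
        echo $echo_n "Enter current password for root (enter for none): $echo_c"
        # IFS= and -r keep leading/trailing blanks and backslashes, which
        # are legitimate password characters.  On end-of-input with nothing
        # read, abort through interrupt (restores echo, removes the scratch
        # files) instead of looping forever.
        IFS= read -r password || [ -n "$password" ] || interrupt
        echo
        stty echo
        if [ -z "$password" ]; then
            hadpass=0
        else
            hadpass=1
        fi
        rootpass=$password
        make_config
        do_query ""
        status=$?
    done
    echo "OK, successfully used password, moving on..."
    echo
}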
74
75
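# Prompt twice for a new root password and apply it.
#
# Globals: rootpass (written on success), password1, password2 (scratch)
# Returns: 0 once the password has been changed and privileges reloaded;
#          1 if the two entries differ or are empty (the caller re-prompts)
# Exits:   1 if the UPDATE or the privilege reload fails
set_root_password() {
    stty -echo
    echo $echo_n "New password: $echo_c"
    # IFS= and -r keep blanks and backslashes in the password; abort via
    # interrupt on end-of-input so the caller's retry loop cannot spin.
    IFS= read -r password1 || [ -n "$password1" ] || interrupt
    echo
    echo $echo_n "Re-enter new password: $echo_c"
    IFS= read -r password2 || [ -n "$password2" ] || interrupt
    echo
    stty echo

    if [ "$password1" != "$password2" ]; then
        echo "Sorry, passwords do not match."
        echo
        return 1
    fi

    if [ -z "$password1" ]; then
        echo "Sorry, you can't use an empty password here."
        echo
        return 1
    fi

    # The password is spliced into a single-quoted SQL string literal, so
    # backslashes and single quotes are backslash-escaped first; otherwise a
    # quote in the password ends the literal and the rest is parsed as SQL.
    # NOTE(review): backslash escaping assumes the server is not running
    # with NO_BACKSLASH_ESCAPES -- confirm.
    esc_pass=$(printf '%s\n' "$password1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g")

    if do_query "UPDATE mysql.user SET Password=PASSWORD('$esc_pass') WHERE User='root';"; then
        echo "Password updated successfully!"
        echo "Reloading privilege tables.."
        if ! reload_privilege_tables; then
            exit 1
        fi
        echo
        # Later queries must authenticate with the new password.
        rootpass=$password1
        make_config
    else
        echo "Password update failed!"
        exit 1
    fi

    return 0
}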
# Delete every account row in mysql.user whose User column is empty.
#
# Returns: 0 on success
# Exits:   1 if the DELETE fails
remove_anonymous_users() {
    if ! do_query "DELETE FROM mysql.user WHERE User='';"; then
        echo " ... Failed!"
        exit 1
    fi

    echo " ... Success!"
    return 0
}
126
127
# Delete every root row in mysql.user whose Host is not exactly 'localhost'.
# A failure is reported but does not stop the script.
remove_remote_root() {
    outcome=" ... Failed!"
    if do_query "DELETE FROM mysql.user WHERE User='root' AND Host!='localhost';"; then
        outcome=" ... Success!"
    fi
    echo "$outcome"
}
# Drop the 'test' database, then delete the mysql.db rows that grant access
# to 'test' and to databases matching 'test\_%'.  Both steps are best-effort:
# a failure is reported and the script carries on.
#
# Returns: 0 always
remove_test_database() {
    echo " - Dropping test database..."
    if do_query "DROP DATABASE test;"; then
        echo " ... Success!"
    else
        echo " ... Failed!  Not critical, keep moving..."
    fi

    echo " - Removing privileges on test database..."
    if do_query "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'"; then
        echo " ... Success!"
    else
        echo " ... Failed!  Not critical, keep moving..."
    fi

    return 0
}
# Issue FLUSH PRIVILEGES and report the outcome.
#
# Returns: 0 if the statement succeeded, 1 otherwise
reload_privilege_tables() {
    do_query "FLUSH PRIVILEGES;" || {
        echo " ... Failed!"
        return 1
    }

    echo " ... Success!"
    return 0
}
# Signal handler installed by the trap at the top of the script: announce the
# abort, remove the scratch files, turn terminal echo back on (a password
# prompt may have switched it off) and exit with status 1.
interrupt() {
    printf '\n%s\n\n' "Aborting!"
    cleanup
    stty echo
    exit 1
}
175
176
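# Remove the scratch files; $config holds the root password in clear text,
# so it must not outlive the script.
#
# Globals: config, command (read)
cleanup() {
    echo "Cleaning up..."
    # Quoted, with -- so a name containing blanks or starting with '-' is
    # still removed as a single file.
    rm -f -- "$config" "$command"
}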
# The actual script starts here

# Create the scratch files and detect how echo suppresses newlines before
# anything is prompted for.
prepare
set_echo_compat

# Banner and explanation of the first prompt, printed verbatim.
cat <<'EOF'




NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!


In order to log into MySQL to secure it, we'll need the current
password for the root user.  If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

EOF

get_root_password
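#
# Set the root password
#

echo "Setting the root password ensures that nobody can log into the MySQL"
echo "root user without the proper authorisation."
echo

# hadpass is set by get_root_password: 0 means the current password is empty.
if [ "$hadpass" -eq 0 ]; then
    echo $echo_n "Set root password? [Y/n] $echo_c"
else
    echo "You already have a root password set, so you can safely answer 'n'."
    echo
    echo $echo_n "Change the root password? [Y/n] $echo_c"
fi

read -r reply
# Accept n, N, no, No, ... as a refusal; matching only a lowercase "n" would
# treat an upper-case "N" as consent.
case "$reply" in
    [nN] | [nN][oO])
        echo " ... skipping."
        ;;
    *)
        # set_root_password returns 1 when the entries differ or are empty;
        # keep prompting until it returns 0 (it exits on a hard failure).
        status=1
        while [ "$status" -eq 1 ]; do
            set_root_password
            status=$?
        done
        ;;
esac
echo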
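#
# Remove anonymous users
#

echo "By default, a MySQL installation has an anonymous user, allowing anyone"
echo "to log into MySQL without having to have a user account created for"
echo "them.  This is intended only for testing, and to make the installation"
echo "go a bit smoother.  You should remove them before moving into a"
echo "production environment."
echo

echo $echo_n "Remove anonymous users? [Y/n] $echo_c"

read -r reply
# Accept n, N, no, No, ... as a refusal; matching only a lowercase "n" would
# delete the accounts when the user answers "N".
case "$reply" in
    [nN] | [nN][oO])
        echo " ... skipping."
        ;;
    *)
        remove_anonymous_users
        ;;
esac
echo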
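#
# Disallow remote root login
#

echo "Normally, root should only be allowed to connect from 'localhost'.  This"
echo "ensures that someone cannot guess at the root password from the network."
echo

echo $echo_n "Disallow root login remotely? [Y/n] $echo_c"
read -r reply
# Accept n, N, no, No, ... as a refusal; matching only a lowercase "n" would
# delete the remote root rows when the user answers "N".
case "$reply" in
    [nN] | [nN][oO])
        echo " ... skipping."
        ;;
    *)
        remove_remote_root
        ;;
esac
echo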
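#
# Remove test database
#

echo "By default, MySQL comes with a database named 'test' that anyone can"
echo "access.  This is also intended only for testing, and should be removed"
echo "before moving into a production environment."
echo

echo $echo_n "Remove test database and access to it? [Y/n] $echo_c"
read -r reply
# Accept n, N, no, No, ... as a refusal; matching only a lowercase "n" would
# drop the database when the user answers "N".
case "$reply" in
    [nN] | [nN][oO])
        echo " ... skipping."
        ;;
    *)
        remove_test_database
        ;;
esac
echo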
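#
# Reload privilege tables
#

echo "Reloading the privilege tables will ensure that all changes made so far"
echo "will take effect immediately."
echo

echo $echo_n "Reload privilege tables now? [Y/n] $echo_c"
read -r reply
# Accept n, N, no, No, ... as a refusal, not just a lowercase "n".
case "$reply" in
    [nN] | [nN][oO])
        echo " ... skipping."
        ;;
    *)
        reload_privilege_tables
        ;;
esac
echo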
# Remove the scratch files (one of them holds the root password) before the
# closing message.
cleanup

cat <<'EOF'



All done!  If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!


EOF