diff options
Diffstat (limited to 'netware/mysql_secure_installation.pl')
-rw-r--r-- | netware/mysql_secure_installation.pl | 219 |
1 files changed, 219 insertions, 0 deletions
diff --git a/netware/mysql_secure_installation.pl b/netware/mysql_secure_installation.pl new file mode 100644 index 00000000000..e363cacbc0d --- /dev/null +++ b/netware/mysql_secure_installation.pl @@ -0,0 +1,219 @@ +#----------------------------------------------------------------------------- +# Copyright (C) 2002 MySQL AB and Jeremy Cole +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +#----------------------------------------------------------------------------- + +#----------------------------------------------------------------------------- +# This notice applies to changes, created by or for Novell, Inc., +# to preexisting works for which notices appear elsewhere in this file. + +# Copyright (c) 2003 Novell, Inc. All Rights Reserved. + +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. + +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +#----------------------------------------------------------------------------- + +use strict; +use Mysql; + +print "MySQL Secure Installation Script\n\n"; + +print "NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL\n"; +print " SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!\n\n"; + +#----------------------------------------------------------------------------- +# get the current root password +#----------------------------------------------------------------------------- + +print "In order to log into MySQL to secure it, we'll need the current\n"; +print "password for the root user. If you've just installed MySQL, and\n"; +print "you haven't set the root password yet, the password will be blank,\n"; +print "so you should just press enter here.\n\n"; + +print "Enter the current password for root: "; +my $password = <STDIN>; +chomp $password; +print "\n"; + +my $conn = Mysql->connect("localhost", "mysql", "root", $password) + || die "Unable to connect to MySQL."; + +print "OK, successfully used the password, moving on...\n\n"; + +#----------------------------------------------------------------------------- +# set the root password +#----------------------------------------------------------------------------- + +unless ($password) +{ + print "Setting the root password ensures that no one can log into MySQL\n"; + print "using the root user without the proper authorization.\n\n"; + + print "Set root password (Y/N)? "; + my $reply = <STDIN>; + chomp $reply; + print "\n"; + + if ($reply =~ /Y/i) + { + print "New password for root: "; + my $pass1 = <STDIN>; + chomp $pass1; + print "\n"; + + print "Re-enter new password for root: "; + my $pass2 = <STDIN>; + chomp $pass2; + print "\n"; + + unless ($pass1 eq $pass2) { die "Sorry, the passwords do not match."; } + + unless ($pass1) { die "Sorry, you can't use an empty password here."; } + + $conn->query("SET PASSWORD FOR root\@localhost=PASSWORD('$pass1')") + || die "Unable to set password."; + + print "OK, successfully set the password, moving on...\n\n"; + } + else + { + print "WARNING, the password is not set, moving on...\n\n"; + } +} + +#----------------------------------------------------------------------------- +# remove anonymous users +#----------------------------------------------------------------------------- + +print "By default, a MySQL installation has anonymous users, allowing anyone\n"; +print "to log into MySQL without having to have a user account created for\n"; +print "them. This is intended only for testing, and to make the installation\n"; +print "go a bit smoother. You should remove them before moving into a\n"; +print "production environment.\n\n"; + +print "Remove anonymous users (Y/N)? "; +my $reply = <STDIN>; +chomp $reply; +print "\n"; + +if ($reply =~ /Y/i) +{ + $conn->query("DELETE FROM mysql.user WHERE user=''") + || die "Unable to remove anonymous users."; + + print "OK, successfully removed anonymous users, moving on...\n\n"; +} +else +{ + print "WARNING, the anonymous users have not been removed, moving on...\n\n"; +} + +#----------------------------------------------------------------------------- +# disallow remote root login +#----------------------------------------------------------------------------- + +print "Normally, root should only be allowed to connect from 'localhost'. This\n"; +print "ensures that someone cannot guess at the root password from the network.\n\n"; + +print "Disallow remote root login (Y/N)? "; +my $reply = <STDIN>; +chomp $reply; +print "\n"; + +if ($reply =~ /Y/i) +{ + $conn->query("DELETE FROM mysql.user WHERE user='root' AND host!='localhost'") + || die "Unable to disallow remote root login."; + + print "OK, successfully disallowed remote root login, moving on...\n\n"; +} +else +{ + print "WARNING, remote root login has not been disallowed, moving on...\n\n"; +} + +#----------------------------------------------------------------------------- +# remove test database +#----------------------------------------------------------------------------- + +print "By default, MySQL comes with a database named 'test' that anyone can\n"; +print "access. This is intended only for testing, and should be removed\n"; +print "before moving into a production environment.\n\n"; + +print "Remove the test database (Y/N)? "; +my $reply = <STDIN>; +chomp $reply; +print "\n"; + +if ($reply =~ /Y/i) +{ + $conn->query("DROP DATABASE IF EXISTS test") + || die "Unable to remove test database."; + + $conn->query("DELETE FROM mysql.db WHERE db='test' OR db='test\\_%'") + || die "Unable to remove access to the test database."; + + print "OK, successfully removed the test database, moving on...\n\n"; +} +else +{ + print "WARNING, the test database has not been removed, moving on...\n\n"; +} + +#----------------------------------------------------------------------------- +# reload privilege tables +#----------------------------------------------------------------------------- + +print "Reloading the privilege tables will ensure that all changes made so far\n"; +print "will take effect immediately.\n\n"; + +print "Reload privilege tables (Y/N)? "; +my $reply = <STDIN>; +chomp $reply; +print "\n"; + +if ($reply =~ /Y/i) +{ + $conn->query("FLUSH PRIVILEGES") + || die "Unable to reload privilege tables."; + + print "OK, successfully reloaded privilege tables, moving on...\n\n"; +} +else +{ + print "WARNING, the privilege tables have not been reloaded, moving on...\n\n"; +} + +#----------------------------------------------------------------------------- +# done +#----------------------------------------------------------------------------- + +print "\n\nAll done! If you've completed all of the above steps, your MySQL\n"; +print "installation should now be secure.\n\n"; + +print "Thanks for using MySQL!\n\n"; + |