Diffstat (limited to 'scripts')
-rwxr-xr-xscripts/mariadb-service-convert2
-rw-r--r--scripts/mysql_install_db.sh40
-rw-r--r--scripts/mysql_system_tables_data.sql27
-rw-r--r--scripts/mysqld_safe.sh97
4 files changed, 94 insertions, 72 deletions
diff --git a/scripts/mariadb-service-convert b/scripts/mariadb-service-convert
index 42654f68420..83c92659144 100755
--- a/scripts/mariadb-service-convert
+++ b/scripts/mariadb-service-convert
@@ -16,7 +16,7 @@
#
# PURPOSE:
#
-# Used to generate a mariadb.service file based on the curent mysql/maridb settings
+# Used to generate a mariadb.service file based on the current mysql/mariadb settings
#
# This is to assist distro maintainers in migrating to systemd service definations from
# a user mysqld_safe settings in the my.cnf files.
diff --git a/scripts/mysql_install_db.sh b/scripts/mysql_install_db.sh
index 3b48dad649c..f8f4859e627 100644
--- a/scripts/mysql_install_db.sh
+++ b/scripts/mysql_install_db.sh
@@ -35,11 +35,26 @@ force=0
in_rpm=0
ip_only=0
cross_bootstrap=0
+install_params=""
+auth_root_authentication_method=normal
+auth_root_socket_user='root'
usage()
{
cat <<EOF
Usage: $0 [OPTIONS]
+ --auth-root-authentication-method=normal|socket
+ Chooses the authentication method for the created initial
+ root user. The default is 'normal' to creates a root user
+ that can login without password, which can be insecure.
+ The alternative 'socket' allows only the system root user
+ to login as MariaDB root; this requires the unix socket
+ authentication plugin.
+ --auth-root-socket-user=user
+ Used with --auth-root-authentication-method=socket. It
+ specifies the name of the MariaDB root account, as well
+ as of the system account allowed to access it. Defaults
+ to 'root'.
--basedir=path The path to the MariaDB installation directory.
--builddir=path If using --srcdir with out-of-directory builds, you
will need to set this to the location of the build
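Review bot: The new help text for `--auth-root-authentication-method` has a wording slip: `The default is 'normal' to creates a root user` should read `The default, 'normal', creates a root user`. Since the text itself describes the default as possibly insecure, it could also say that `socket` is the preferred choice wherever the unix socket authentication plugin is available. The usage here-document continues outside this hunk.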
@@ -60,6 +75,8 @@ Usage: $0 [OPTIONS]
--defaults-file=path Read only this configuration file.
--rpm For internal use. This option is used by RPM files
during the MariaDB installation process.
+ --skip-auth-anonymous-user
+ Do not install an unprivileged anonymous user.
--skip-name-resolve Use IP addresses rather than hostnames when creating
grant table entries. This option can be useful if
your DNS does not work.
@@ -142,6 +159,17 @@ parse_arguments()
#
# --windows is a deprecated alias
cross_bootstrap=1 ;;
+ --skip-auth-anonymous-user)
+ install_params="$install_params
+SET @skip_auth_anonymous=1;" ;;
+ --auth-root-authentication-method=normal)
+ auth_root_authentication_method=normal ;;
+ --auth-root-authentication-method=socket)
+ auth_root_authentication_method=socket ;;
+ --auth-root-authentication-method=*)
+ usage ;;
+ --auth-root-socket-user=*)
+ auth_root_socket_user="$(parse_arg "$arg")" ;;
*)
if test -n "$pick_args"
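Review bot: The value of `--auth-root-socket-user` is stored unchecked and is later placed between single quotes in `SET @auth_root_socket='$auth_root_socket_user';` (the hunk at new line 459). A name containing `'` therefore changes the SQL that is piped to the bootstrap server. An empty name yields a non-NULL `''`, which satisfies the `@auth_root_socket IS NOT NULL` test in mysql_system_tables_data.sql and would insert an all-privileges row with an empty user name. Validating the name where it is parsed closes both; the character set below is deliberately conservative and assumes `usage` exits, as the invalid-method arm above it implies. parse_arguments starts and ends outside this hunk.

```shell
    --auth-root-socket-user=*)
      auth_root_socket_user="$(parse_arg "$arg")"
      # Reject an empty name and anything outside a conservative account-name
      # set; the value is later embedded in a quoted SQL string literal.
      case "$auth_root_socket_user" in
        ''|*[!A-Za-z0-9_.-]*) usage ;;
      esac ;;
```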
@@ -431,7 +459,17 @@ mysqld_install_cmd_line()
# Create the system and help tables by passing them to "mysqld --bootstrap"
s_echo "Installing MariaDB/MySQL system tables in '$ldata' ..."
-if { echo "use mysql;"; cat "$create_system_tables" "$create_system_tables2" "$fill_system_tables" "$fill_help_tables" "$maria_add_gis_sp"; } | eval "$filter_cmd_line" | mysqld_install_cmd_line > /dev/null
+case "$auth_root_authentication_method" in
+ normal)
+ install_params="$install_params
+SET @skip_auth_root_nopasswd=NULL;
+SET @auth_root_socket=NULL;" ;;
+ socket)
+ install_params="$install_params
+SET @skip_auth_root_nopasswd=1;
+SET @auth_root_socket='$auth_root_socket_user';" ;;
+esac
+if { echo "use mysql;$install_params"; cat "$create_system_tables" "$create_system_tables2" "$fill_system_tables" "$fill_help_tables" "$maria_add_gis_sp"; } | eval "$filter_cmd_line" | mysqld_install_cmd_line > /dev/null
then
s_echo "OK"
else
diff --git a/scripts/mysql_system_tables_data.sql b/scripts/mysql_system_tables_data.sql
index 075aafd5e3b..9556e7ba160 100644
--- a/scripts/mysql_system_tables_data.sql
+++ b/scripts/mysql_system_tables_data.sql
@@ -38,15 +38,24 @@ DROP TABLE tmp_db;
-- Fill "user" table with default users allowing root access
-- from local machine if "user" table didn't exist before
-CREATE TEMPORARY TABLE tmp_user LIKE user;
-INSERT INTO tmp_user VALUES ('localhost','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'','','N', 'N','', 0);
-REPLACE INTO tmp_user SELECT @current_hostname,'root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'','','N','N','',0 FROM dual WHERE @current_hostname != 'localhost';
-REPLACE INTO tmp_user VALUES ('127.0.0.1','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'','','N','N','',0);
-REPLACE INTO tmp_user VALUES ('::1','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'','','N','N', '', 0);
-INSERT INTO tmp_user (host,user) VALUES ('localhost','');
-INSERT INTO tmp_user (host,user) SELECT @current_hostname,'' FROM dual WHERE @current_hostname != 'localhost';
-INSERT INTO user SELECT * FROM tmp_user WHERE @had_user_table=0;
-DROP TABLE tmp_user;
+CREATE TEMPORARY TABLE tmp_user_nopasswd LIKE user;
+CREATE TEMPORARY TABLE tmp_user_socket LIKE user;
+CREATE TEMPORARY TABLE tmp_user_anonymous LIKE user;
+-- Classic passwordless root account.
+INSERT INTO tmp_user_nopasswd VALUES ('localhost','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'','','N', 'N','', 0);
+REPLACE INTO tmp_user_nopasswd SELECT @current_hostname,'root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'','','N','N','',0 FROM dual WHERE @current_hostname != 'localhost';
+REPLACE INTO tmp_user_nopasswd VALUES ('127.0.0.1','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'','','N','N','',0);
+REPLACE INTO tmp_user_nopasswd VALUES ('::1','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'','','N','N', '', 0);
+-- More secure root account using unix sucket auth.
+INSERT INTO tmp_user_socket VALUES ('localhost',IFNULL(@auth_root_socket, 'root'),'','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'unix_socket','','N', 'N','', 0);
+-- Anonymous user with no privileges.
+INSERT INTO tmp_user_anonymous (host,user) VALUES ('localhost','');
+INSERT INTO tmp_user_anonymous (host,user) SELECT @current_hostname,'' FROM dual WHERE @current_hostname != 'localhost';
+
+INSERT INTO user SELECT * FROM tmp_user_nopasswd WHERE @had_user_table=0 AND @skip_auth_root_nopasswd IS NULL;
+INSERT INTO user SELECT * FROM tmp_user_socket WHERE @had_user_table=0 AND @auth_root_socket IS NOT NULL;
+INSERT INTO user SELECT * FROM tmp_user_anonymous WHERE @had_user_table=0 AND @skip_auth_anonymous IS NULL;
+DROP TABLE tmp_user_nopasswd, tmp_user_socket, tmp_user_anonymous;
CREATE TEMPORARY TABLE tmp_proxies_priv LIKE proxies_priv;
INSERT INTO tmp_proxies_priv VALUES ('localhost', 'root', '', '', TRUE, '', now());
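Review bot: The context line `INSERT INTO tmp_proxies_priv VALUES ('localhost', 'root', ...)` still names root@localhost, while the new socket row takes its name from `IFNULL(@auth_root_socket, 'root')`. With a non-root socket user and the passwordless rows skipped, the proxy grant would refer to an account this script did not create; how that row reaches `proxies_priv` is outside the hunk, so this needs checking there. The three control variables (`@skip_auth_root_nopasswd`, `@auth_root_socket`, `@skip_auth_anonymous`) deserve a short comment stating that leaving them unset (NULL) keeps the legacy passwordless root and anonymous accounts. The added comment also has a typo: `unix sucket auth` should be `unix socket auth`.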
diff --git a/scripts/mysqld_safe.sh b/scripts/mysqld_safe.sh
index 000271f7808..48baf61be3a 100644
--- a/scripts/mysqld_safe.sh
+++ b/scripts/mysqld_safe.sh
@@ -132,6 +132,18 @@ my_which ()
return $ret # Success
}
+find_in_bin() {
+ if test -x "$MY_BASEDIR_VERSION/bin/$1"
+ then
+ echo "$MY_BASEDIR_VERSION/bin/$1"
+ elif test -x "@bindir@/$1"
+ then
+ echo "@bindir@/$1"
+ else
+ echo "$1"
+ fi
+}
+
log_generic () {
[ $dry_run -eq 1 ] && return
priority="$1"
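Review bot: The last branch of `find_in_bin` returns the bare name, so `$helper` is then resolved through `PATH` on every call in `log_generic` and `eval_log_error`. If mysqld_safe is started as root (the `chown $user` lines removed elsewhere in this commit suggest it can be), an unexpected `PATH` entry decides which program receives the log stream. Consider a comment on the fallback, e.g. `# not found in basedir or @bindir@: fall back to PATH lookup`, and for `mysqld_safe_helper` specifically failing early when no executable is found, because the pipeline status in `log_generic` is not checked and a missing helper means file logging is lost quietly. The function also lacks a header comment saying that it prints the resolved path on stdout.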
@@ -141,7 +153,7 @@ log_generic () {
echo "$msg"
case $logging in
init) ;; # Just echo the message, don't save it anywhere
- file) echo "$msg" >> "$err_log" ;;
+ file) echo "$msg" | "$helper" "$user" log "$err_log" ;;
syslog) logger -t "$syslog_tag_mysqld_safe" -p "$priority" "$*" ;;
*)
echo "Internal program error (non-fatal):" \
@@ -161,7 +173,7 @@ log_notice () {
eval_log_error () {
local cmd="$1"
case $logging in
- file) cmd="$cmd >> "`shell_quote_string "$err_log"`" 2>&1" ;;
+ file) cmd="$cmd 2>&1 | "`shell_quote_string "$helper"`" $user log "`shell_quote_string "$err_log"` ;;
syslog)
# mysqld often prefixes its messages with a timestamp, which is
# redundant when logging to syslog (which adds its own timestamp)
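Review bot: `$user` is the only part of the new pipeline that is not passed through `shell_quote_string`, although the function name and the quoting of its neighbours indicate the assembled string is later evaluated by the shell. A user name taken from a config file or the command line would then be re-parsed as shell syntax. The line should quote it like the other two: ``file) cmd="$cmd 2>&1 | "`shell_quote_string "$helper"`" "`shell_quote_string "$user"`" log "`shell_quote_string "$err_log"` ;;``. The rest of eval_log_error lies outside this hunk.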
@@ -282,7 +294,6 @@ parse_arguments() {
for arg do
val=`echo "$arg" | sed -e "s;--[^=]*=;;"`
case "$arg" in
- --crash[-_]script=*) CRASH_SCRIPT="$val" ;;
# these get passed explicitly to mysqld
--basedir=*) MY_BASEDIR_VERSION="$val" ;;
--datadir=*|--data=*) DATADIR="$val" ;;
@@ -311,6 +322,7 @@ parse_arguments() {
--core[-_]file[-_]size=*) core_file_size="$val" ;;
--ledir=*) ledir="$val" ;;
--malloc[-_]lib=*) set_malloc_lib "$val" ;;
+ --crash[-_]script=*) crash_script="$val" ;;
--mysqld=*) MYSQLD="$val" ;;
--mysqld[-_]version=*)
if test -n "$val"
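Review bot: `crash_script` has no visible default, so unless it is initialised elsewhere in the file, a variable of that name inherited from the environment would reach the final hunk's ``crash_script_output=`$crash_script 2>&1` `` without the option ever being given. An explicit `crash_script=` next to the other defaults would make `--crash-script` the only source of the value. The expansion in that final hunk is also unquoted, so the value is word-split into a command plus arguments; if that is intended, a comment saying so would help. parse_arguments extends beyond this hunk.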
@@ -498,15 +510,8 @@ set_malloc_lib() {
# First, try to find BASEDIR and ledir (where mysqld is)
#
-if echo '@pkgdatadir@' | grep '^@prefix@' > /dev/null
-then
- relpkgdata=`echo '@pkgdatadir@' | sed -e 's,^@prefix@,,' -e 's,^/,,' -e 's,^,./,'`
-else
- # pkgdatadir is not relative to prefix
- relpkgdata='@pkgdatadir@'
-fi
-
-MY_PWD=`pwd`
+MY_PWD=`dirname $0`
+MY_PWD=`cd "$MY_PWD"/.. && pwd`
# Check for the directories we would expect from a binary release install
if test -n "$MY_BASEDIR_VERSION" -a -d "$MY_BASEDIR_VERSION"
then
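Review bot: `$0` is unquoted in ``MY_PWD=`dirname $0` ``, so an install path containing whitespace or glob characters breaks the base-directory detection; ``MY_PWD=`dirname "$0"` `` fixes it. If the following `cd "$MY_PWD"/.. && pwd` fails, `MY_PWD` ends up empty and the later tests probe `/bin/mysqld`, `/libexec/mysqld` and `/sbin/mysqld`. A one-line comment or an explicit fallback would make that case deliberate rather than accidental.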
@@ -522,16 +527,16 @@ then
else
ledir="$MY_BASEDIR_VERSION/bin"
fi
-elif test -f "$relpkgdata"/english/errmsg.sys -a -x "$MY_PWD/bin/mysqld"
+elif test -x "$MY_PWD/bin/mysqld"
then
MY_BASEDIR_VERSION="$MY_PWD" # Where bin, share and data are
ledir="$MY_PWD/bin" # Where mysqld is
# Check for the directories we would expect from a source install
-elif test -f "$relpkgdata"/english/errmsg.sys -a -x "$MY_PWD/libexec/mysqld"
+elif test -x "$MY_PWD/libexec/mysqld"
then
MY_BASEDIR_VERSION="$MY_PWD" # Where libexec, share and var are
ledir="$MY_PWD/libexec" # Where mysqld is
-elif test -f "$relpkgdata"/english/errmsg.sys -a -x "$MY_PWD/sbin/mysqld"
+elif test -x "$MY_PWD/sbin/mysqld"
then
MY_BASEDIR_VERSION="$MY_PWD" # Where sbin, share and var are
ledir="$MY_PWD/sbin" # Where mysqld is
@@ -541,6 +546,8 @@ else
ledir='@libexecdir@'
fi
+helper=`find_in_bin mysqld_safe_helper`
+print_defaults=`find_in_bin my_print_defaults`
#
# Second, try to find the data directory
@@ -571,34 +578,15 @@ $MY_BASEDIR_VERSION/my.cnf"
fi
export MYSQL_HOME
-
-# Get first arguments from the my.cnf file, groups [mysqld] and [mysqld_safe]
-# and then merge with the command line arguments
-if test -x "$MY_BASEDIR_VERSION/bin/my_print_defaults"
-then
- print_defaults="$MY_BASEDIR_VERSION/bin/my_print_defaults"
-elif test -x `dirname $0`/my_print_defaults
-then
- print_defaults="`dirname $0`/my_print_defaults"
-elif test -x ./bin/my_print_defaults
-then
- print_defaults="./bin/my_print_defaults"
-elif test -x @bindir@/my_print_defaults
-then
- print_defaults="@bindir@/my_print_defaults"
-elif test -x @bindir@/mysql_print_defaults
-then
- print_defaults="@bindir@/mysql_print_defaults"
-else
- print_defaults="my_print_defaults"
-fi
-
append_arg_to_args () {
args="$args "`shell_quote_string "$1"`
}
args=
+# Get first arguments from the my.cnf file, groups [mysqld] and [mysqld_safe]
+# and then merge with the command line arguments
+
SET_USER=2
parse_arguments `$print_defaults $defaults --loose-verbose --mysqld`
if test $SET_USER -eq 2
@@ -707,11 +695,6 @@ then
log_notice "Logging to '$err_log'."
logging=file
- if [ ! -f "$err_log" ]; then # if error log already exists,
- touch "$err_log" # we just append. otherwise,
- chmod "$fmode" "$err_log" # fix the permissions here!
- fi
-
else
if [ -n "$syslog_tag" ]
then
@@ -731,11 +714,6 @@ then
then
USER_OPTION="--user=$user"
fi
- # Change the err log to the right user, if it is in use
- if [ $want_syslog -eq 0 ]; then
- touch "$err_log"
- chown $user "$err_log"
- fi
if test -n "$open_files"
then
ulimit -n $open_files
@@ -973,10 +951,6 @@ cmd="$cmd $args"
# Avoid 'nohup: ignoring input' warning
test -n "$NOHUP_NICENESS" && cmd="$cmd < /dev/null"
-# close stdout and stderr, everything goes to $logging now
-exec 1>&-
-exec 2>&-
-
log_notice "Starting $MYSQLD daemon with databases from $DATADIR"
# variable to track the current number of "fast" (a.k.a. subsecond) restarts
@@ -986,6 +960,15 @@ max_fast_restarts=5
# flag whether a usable sleep command exists
have_sleep=1
+# close stdout and stderr, everything goes to $logging now
+if expr "${-}" : '.*x' > /dev/null
+then
+ :
+else
+ exec 1>&-
+ exec 2>&-
+fi
+
# maximum number of wsrep restarts
max_wsrep_restarts=0
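Review bot: The comment above the new `expr "${-}" : '.*x'` test still describes an unconditional close and does not say why the descriptors stay open under `-x`. Something like `# keep stdout/stderr open when tracing (sh -x) so the trace output stays visible` would explain the empty `:` branch. `case $- in *x*) ;; *) exec 1>&-; exec 2>&- ;; esac` expresses the same test without spawning `expr`.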
@@ -1014,13 +997,6 @@ do
else
eval_log_error "$cmd"
fi
-
- if [ $want_syslog -eq 0 -a ! -f "$err_log" ]; then
- touch "$err_log" # hypothetical: log was renamed but not
- chown $user "$err_log" # flushed yet. we'd recreate it with
- chmod "$fmode" "$err_log" # wrong owner next time we log, so set
- fi # it up correctly while we can!
-
end_time=`date +%M%S`
if test ! -f "$pid_file" # This is removed if normal shutdown
@@ -1098,12 +1074,11 @@ do
fi
log_notice "mysqld restarted"
- if test -n "$CRASH_SCRIPT"
+ if test -n "$crash_script"
then
- crash_script_output=`$CRASH_SCRIPT 2>&1`
+ crash_script_output=`$crash_script 2>&1`
log_error "$crash_script_output"
fi
done
log_notice "mysqld from pid file $pid_file ended"
-