Diffstat (limited to 'scripts')
-rwxr-xr-xscripts/CMakeLists.txt2
-rw-r--r--scripts/Makefile.am1
-rwxr-xr-xscripts/make_win_bin_dist4
-rwxr-xr-xscripts/mysql_secure_installation.pl.in352
4 files changed, 356 insertions, 3 deletions
diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt
index 8d369a6ab22..d7bcb8fd4e7 100755
--- a/scripts/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
@@ -67,7 +67,7 @@ CONFIGURE_FILE(mysql_explain_log.sh
CONFIGURE_FILE(mysql_install_db.pl.in
scripts/mysql_install_db.pl ESCAPE_QUOTES @ONLY)
-CONFIGURE_FILE(mysql_secure_installation.sh
+CONFIGURE_FILE(mysql_secure_installation.pl.in
scripts/mysql_secure_installation.pl ESCAPE_QUOTES @ONLY)
CONFIGURE_FILE(mysql_tableinfo.sh
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index 769c0f5fdba..87170b46675 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -55,6 +55,7 @@ EXTRA_SCRIPTS = make_binary_distribution.sh \
mysql_install_db.pl.in \
mysql_setpermission.sh \
mysql_secure_installation.sh \
+ mysql_secure_installation.pl.in \
mysql_zap.sh \
mysqlaccess.sh \
mysqlbug.sh \
diff --git a/scripts/make_win_bin_dist b/scripts/make_win_bin_dist
index b9a0842473b..56510dc857b 100755
--- a/scripts/make_win_bin_dist
+++ b/scripts/make_win_bin_dist
@@ -353,8 +353,8 @@ cp -pR sql/share $DESTDIR/
cp -pR sql-bench $DESTDIR/
rm -f $DESTDIR/sql-bench/*.sh $DESTDIR/sql-bench/Makefile*
-# The SQL initialisation code is really expected to be in "share"
-mv $DESTDIR/scripts/*.sql $DESTDIR/share/
+# The SQL initialisation code is to be in "share"
+cp scripts/*.sql $DESTDIR/share/
# ----------------------------------------------------------------------
# Clean up from possibly copied SCCS directories
diff --git a/scripts/mysql_secure_installation.pl.in b/scripts/mysql_secure_installation.pl.in
new file mode 100755
index 00000000000..4eeb50e6d2f
--- /dev/null
+++ b/scripts/mysql_secure_installation.pl.in
@@ -0,0 +1,352 @@
+#!/usr/bin/perl
+# -*- cperl -*-
+#
+# Copyright (C) 2002 MySQL AB and Jeremy Cole
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+use Fcntl;
+use strict;
+
+my $config = ".my.cnf.$$";
+my $command = ".mysql.$$";
+my $hadpass = 0;
+
+# FIXME
+# trap "interrupt" 2
+
+my $rootpass = "";
+
+sub echo_on {
+ if ($^O eq 'MSWin32') {
+ ReadMode('normal');
+ } else {
+ system("stty echo");
+ }
+}
+
+sub echo_off {
+ if ($^O eq 'MSWin32') {
+ ReadMode('noecho');
+ } else {
+ system("stty -echo");
+ }
+}
+
+sub write_file {
+ my $file = shift;
+ -f $file or die "ERROR: file is missing \"$file\": $!";
+ open(FILE, ">$file") or die "ERROR: can't write to file \"$file\": $!";
+ foreach my $line ( @_ ) {
+ print FILE $line, "\n"; # Add EOL char
+ }
+ close FILE;
+}
+
+sub prepare {
+ foreach my $file ( $config, $command ) {
+ next if -f $file; # Already exists
+ local *FILE;
+ sysopen(FILE, $file, O_CREAT, 0600)
+ or die "ERROR: can't create $file: $!";
+ close FILE;
+ }
+}
+
+sub do_query {
+ my $query = shift;
+ write_file($command, $query);
+ system("mysql --defaults-file=$config < $command");
+ return $?;
+}
+
+sub make_config {
+ my $password = shift;
+
+ write_file($config,
+ "# mysql_secure_installation config file",
+ "[mysql]",
+ "user=root",
+ "password=$rootpass");
+}
+
+sub get_root_password {
+ my $status = 1;
+ while ( $status == 1 ) {
+ echo_off();
+ print "Enter current password for root (enter for none): ";
+ my $password = <STDIN>;
+ echo_on();
+ if ( $password ) {
+ $hadpass = 1;
+ } else {
+ $hadpass = 0;
+ }
+ $rootpass = $password;
+ make_config($rootpass);
+ do_query("");
+ $status = $?;
+ }
+ print "OK, successfully used password, moving on...\n\n";
+}
+
+sub set_root_password {
+ echo_off();
+ print "New password: ";
+ my $password1 = <STDIN>;
+ print "\nRe-enter new password: ";
+ my $password2 = <STDIN>;
+ print "\n";
+ echo_on();
+
+ if ( $password1 eq $password2 ) {
+ print "Sorry, passwords do not match.\n\n";
+ return 1;
+ }
+
+ if ( !$password1 ) {
+ print "Sorry, you can't use an empty password here.\n\n";
+ return 1;
+ }
+
+ do_query("UPDATE mysql.user SET Password=PASSWORD('$password1') WHERE User='root';");
+ if ( $? == 0 ) {
+ print "Password updated successfully!\n";
+ print "Reloading privilege tables..\n";
+ if ( !reload_privilege_tables() ) {
+ exit 1;
+ }
+ print "\n";
+ $rootpass = $password1;
+ make_config($rootpass);
+ } else {
+ print "Password update failed!\n";
+ exit 1;
+ }
+
+ return 0;
+}
+
+sub remove_anonymous_users {
+ do_query("DELETE FROM mysql.user WHERE User='';");
+ if ( $? == 0 ) {
+ print " ... Success!\n";
+ } else {
+ print " ... Failed!\n";
+ exit 1;
+ }
+
+ return 0;
+}
+
+sub remove_remote_root {
+ do_query("DELETE FROM mysql.user WHERE User='root' AND Host!='localhost';");
+ if ( $? == 0 ) {
+ print " ... Success!\n";
+ } else {
+ print " ... Failed!\n";
+ }
+}
+
+sub remove_test_database {
+ print " - Dropping test database...\n";
+ do_query("DROP DATABASE test;");
+ if ( $? == 0 ) {
+ print " ... Success!\n";
+ } else {
+ print " ... Failed! Not critical, keep moving...\n";
+ }
+
+ print " - Removing privileges on test database...\n";
+ do_query("DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'");
+ if ( $? == 0 ) {
+ print " ... Success!\n";
+ } else {
+ print " ... Failed! Not critical, keep moving...\n";
+ }
+
+ return 0;
+}
+
+sub reload_privilege_tables {
+ do_query("FLUSH PRIVILEGES;");
+ if ( $? == 0 ) {
+ print " ... Success!\n";
+ return 0;
+ } else {
+ print " ... Failed!\n";
+ return 1;
+ }
+}
+
+sub interrupt {
+ print "\nAborting!\n\n";
+ cleanup();
+ echo_on();
+ exit 1;
+}
+
+sub cleanup {
+ print "Cleaning up...\n";
+ unlink($config,$command);
+}
+
+
+# The actual script starts here
+
+prepare();
+
+print <<HERE;
+
+
+
+NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
+ SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
+
+In order to log into MySQL to secure it, we'll need the current
+password for the root user. If you've just installed MySQL, and
+you haven't set the root password yet, the password will be blank,
+so you should just press enter here.
+
+HERE
+
+get_root_password();
+
+
+#
+# Set the root password
+#
+
+print "Setting the root password ensures that nobody can log into the MySQL\n";
+print "root user without the proper authorisation.\n\n";
+
+if ( $hadpass == 0 ) {
+ print "Set root password? [Y/n] ";
+} else {
+ print "You already have a root password set, so you can safely answer 'n'.\n\n";
+ print "Change the root password? [Y/n] ";
+}
+
+my $reply = <STDIN>;
+if ( $reply =~ /n/i ) {
+ print " ... skipping.\n";
+} else {
+ my $status = 1;
+ while ( $status == 1 ) {
+ set_root_password();
+ $status = $?;
+ }
+}
+print "\n";
+
+
+#
+# Remove anonymous users
+#
+
+print <<HERE;
+By default, a MySQL installation has an anonymous user, allowing anyone
+to log into MySQL without having to have a user account created for
+them. This is intended only for testing, and to make the installation
+go a bit smoother. You should remove them before moving into a
+production environment.
+
+HERE
+
+print "Remove anonymous users? [Y/n] ";
+$reply = <STDIN>;
+if ( $reply =~ /n/i ) {
+ print " ... skipping.\n";
+} else {
+ remove_anonymous_users();
+}
+print "\n";
+
+
+#
+# Disallow remote root login
+#
+
+print <<HERE;
+Normally, root should only be allowed to connect from 'localhost'. This
+ensures that someone cannot guess at the root password from the network.
+
+HERE
+
+print "Disallow root login remotely? [Y/n] ";
+$reply = <STDIN>;
+if ( $reply =~ /n/i ) {
+ print " ... skipping.\n";
+} else {
+ remove_remote_root();
+}
+print "\n";
+
+
+#
+# Remove test database
+#
+
+print <<HERE;
+By default, MySQL comes with a database named 'test' that anyone can
+access. This is also intended only for testing, and should be removed
+before moving into a production environment.
+
+HERE
+
+print "Remove test database and access to it? [Y/n] ";
+$reply = <STDIN>;
+if ( $reply =~ /n/i ) {
+ print " ... skipping.\n";
+} else {
+ remove_test_database();
+}
+print "\n";
+
+
+#
+# Reload privilege tables
+#
+
+print <<HERE;
+Reloading the privilege tables will ensure that all changes made so far
+will take effect immediately.
+
+HERE
+
+print "Reload privilege tables now? [Y/n] ";
+$reply = <STDIN>;
+if ( $reply =~ /n/i ) {
+ print " ... skipping.\n";
+} else {
+ reload_privilege_tables();
+}
+print "\n";
+
+cleanup();
+
+print <<HERE;
+
+
+
+All done! If you've completed all of the above steps, your MySQL
+installation should now be secure.
+
+Thanks for using MySQL!
+
+
+HERE
+
+
+
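Review bot: The root password is written to `.my.cnf.$$` and `.mysql.$$` in the current directory, yet `prepare` skips creation when the path already exists (`next if -f $file`) and `write_file` truncates it through a two-argument `open`, so a file left there earlier, with whatever mode it has, is reused as-is. Create both with `O_WRONLY|O_CREAT|O_EXCL` and mode 0600, and write through a three-argument `open` on a lexical handle. The values read from `<STDIN>` are never chomped and `$password1` is interpolated unescaped into `PASSWORD('$password1')`, so the trailing newline and any quote character reach both the statement and the config file. Several status checks are inverted or read the wrong value: `$password1 eq $password2` reports a mismatch when the passwords match, `!reload_privilege_tables()` exits on success, and both retry loops test `$? == 1` although `$?` holds the wait status of the last `system` call, not the sub's return value. `interrupt` is never installed (the `trap` FIXME), so Ctrl-C leaves echo off and the credential files on disk, and no module providing `ReadMode` is loaded in the visible file.

```perl
# … unchanged: header, use Fcntl / use strict, globals …
$SIG{INT} = \&interrupt;      # replaces the "trap" FIXME

sub write_file {
  # … unchanged: $file argument and -f check …
  open(my $fh, '>', $file) or die "ERROR: can't write to file \"$file\": $!";
  print {$fh} "$_\n" foreach @_;
  close $fh or die "ERROR: can't write to file \"$file\": $!";
}

sub prepare {
  foreach my $file ( $config, $command ) {
    # O_EXCL: refuse a path that already exists instead of reusing it
    sysopen(my $fh, $file, O_WRONLY|O_CREAT|O_EXCL, 0600)
      or die "ERROR: can't create $file: $!";
    close $fh;
  }
}

# … unchanged: do_query, make_config …

# in get_root_password:
    chomp(my $password = <STDIN>);
    # … unchanged: echo_on, $hadpass, make_config …
    $status = do_query("") == 0 ? 0 : 1;

# in set_root_password:
  chomp(my $password1 = <STDIN>);
  # … unchanged: second prompt …
  chomp(my $password2 = <STDIN>);
  # … unchanged: echo_on …
  if ( $password1 ne $password2 ) {
  # … unchanged: mismatch / empty-password messages …
  (my $quoted = $password1) =~ s/(['\\])/\\$1/g;   # escape for the SQL string literal
  do_query("UPDATE mysql.user SET Password=PASSWORD('$quoted') WHERE User='root';");
  # … unchanged: success messages …
    if ( reload_privilege_tables() != 0 ) {

# at top level, in the password retry loop:
    $status = set_root_password();
```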