#----------------------------------------------------------------------------- # Copyright (C) 2002 MySQL AB and Jeremy Cole # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #----------------------------------------------------------------------------- #----------------------------------------------------------------------------- # This notice applies to changes, created by or for Novell, Inc., # to preexisting works for which notices appear elsewhere in this file. # Copyright (c) 2003 Novell, Inc. All Rights Reserved. # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #----------------------------------------------------------------------------- use strict; use Mysql; print "MySQL Secure Installation Script\n\n"; print "NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL\n"; print " SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!\n\n"; #----------------------------------------------------------------------------- # get the current root password #----------------------------------------------------------------------------- print "In order to log into MySQL to secure it, we'll need the current\n"; print "password for the root user. If you've just installed MySQL, and\n"; print "you haven't set the root password yet, the password will be blank,\n"; print "so you should just press enter here.\n\n"; print "Enter the current password for root: "; my $password = ; chomp $password; print "\n"; my $conn = Mysql->connect("localhost", "mysql", "root", $password) || die "Unable to connect to MySQL."; print "OK, successfully used the password, moving on...\n\n"; #----------------------------------------------------------------------------- # set the root password #----------------------------------------------------------------------------- unless ($password) { print "Setting the root password ensures that no one can log into MySQL\n"; print "using the root user without the proper authorization.\n\n"; print "Set root password (Y/N)? "; my $reply = ; chomp $reply; print "\n"; if ($reply =~ /Y/i) { print "New password for root: "; my $pass1 = ; chomp $pass1; print "\n"; print "Re-enter new password for root: "; my $pass2 = ; chomp $pass2; print "\n"; unless ($pass1 eq $pass2) { die "Sorry, the passwords do not match."; } unless ($pass1) { die "Sorry, you can't use an empty password here."; } $conn->query("SET PASSWORD FOR root\@localhost=PASSWORD('$pass1')") || die "Unable to set password."; print "OK, successfully set the password, moving on...\n\n"; } else { print "WARNING, the password is not set, moving on...\n\n"; } } #----------------------------------------------------------------------------- # remove anonymous users #----------------------------------------------------------------------------- print "By default, a MySQL installation has anonymous users, allowing anyone\n"; print "to log into MySQL without having to have a user account created for\n"; print "them. This is intended only for testing, and to make the installation\n"; print "go a bit smoother. You should remove them before moving into a\n"; print "production environment.\n\n"; print "Remove anonymous users (Y/N)? "; my $reply = ; chomp $reply; print "\n"; if ($reply =~ /Y/i) { $conn->query("DELETE FROM mysql.user WHERE user=''") || die "Unable to remove anonymous users."; print "OK, successfully removed anonymous users, moving on...\n\n"; } else { print "WARNING, the anonymous users have not been removed, moving on...\n\n"; } #----------------------------------------------------------------------------- # disallow remote root login #----------------------------------------------------------------------------- print "Normally, root should only be allowed to connect from 'localhost'. This\n"; print "ensures that someone cannot guess at the root password from the network.\n\n"; print "Disallow remote root login (Y/N)? "; my $reply = ; chomp $reply; print "\n"; if ($reply =~ /Y/i) { $conn->query("DELETE FROM mysql.user WHERE user='root' AND host!='localhost'") || die "Unable to disallow remote root login."; print "OK, successfully disallowed remote root login, moving on...\n\n"; } else { print "WARNING, remote root login has not been disallowed, moving on...\n\n"; } #----------------------------------------------------------------------------- # remove test database #----------------------------------------------------------------------------- print "By default, MySQL comes with a database named 'test' that anyone can\n"; print "access. This is intended only for testing, and should be removed\n"; print "before moving into a production environment.\n\n"; print "Remove the test database (Y/N)? "; my $reply = ; chomp $reply; print "\n"; if ($reply =~ /Y/i) { $conn->query("DROP DATABASE IF EXISTS test") || die "Unable to remove test database."; $conn->query("DELETE FROM mysql.db WHERE db='test' OR db='test\\_%'") || die "Unable to remove access to the test database."; print "OK, successfully removed the test database, moving on...\n\n"; } else { print "WARNING, the test database has not been removed, moving on...\n\n"; } #----------------------------------------------------------------------------- # reload privilege tables #----------------------------------------------------------------------------- print "Reloading the privilege tables will ensure that all changes made so far\n"; print "will take effect immediately.\n\n"; print "Reload privilege tables (Y/N)? "; my $reply = ; chomp $reply; print "\n"; if ($reply =~ /Y/i) { $conn->query("FLUSH PRIVILEGES") || die "Unable to reload privilege tables."; print "OK, successfully reloaded privilege tables, moving on...\n\n"; } else { print "WARNING, the privilege tables have not been reloaded, moving on...\n\n"; } #----------------------------------------------------------------------------- # done #----------------------------------------------------------------------------- print "\n\nAll done! If you've completed all of the above steps, your MySQL\n"; print "installation should now be secure.\n\n"; print "Thanks for using MySQL!\n\n";