File: //scripts.20110531.215904.25158/securemysql
#!/usr/bin/perl
# cpanel - securemysql Copyright(c) 2010 cPanel, Inc.
# All rights Reserved.
# copyright@cpanel.net http://cpanel.net
# This code is subject to the cPanel license. Unauthorized copying is prohibited
BEGIN { unshift @INC, '/usr/local/cpanel'; }
use strict;
use Getopt::Std;
use Cpanel::DIp ();
use Cpanel::DbUtils ();
use Cpanel::MysqlUtils ();
# Only run if executed by root
exit if ( $> != 0 );
# Don't run if MySQL is not used
exit if ( -e '/etc/securemysqldisable' || -e '/etc/mysqldisable' );
my $version = qq{0.2};
my $verbose = 1;
my $fast = 0;
my $help = 0;
my $actions = q{};
my %options;
getopts( 'qFha:', \%options );
if ( exists $options{'q'} ) {
$verbose = 0;
}
if ( exists $options{'F'} ) {
$fast = 1;
}
if ( exists $options{'h'} ) {
$help = 1;
}
if ( exists $options{'a'} ) {
$actions = $options{'a'};
if ( !defined $actions || $actions eq '' ) { $actions = 'all'; }
}
my @actions;
if ( $actions ne 'all' && $actions ne '' ) {
$actions =~ s{ [^a-z0-9,]+ }{}gxms;
@actions = split /,/, $actions;
}
my $actionsall = 0;
if ( $actions eq 'all' || grep m{ \A all \z }xms, @actions ) { $actionsall = 1; }
if ($actionsall) { print "Performing all actions.\n" if $verbose; }
my %actions = (
'removeanon' => $actionsall,
'removetestdb' => $actionsall,
'removelockntmp' => $actionsall,
'removeremoteroot' => $actionsall,
'removehordeallhosts' => $actionsall,
'removehordeblankpass' => $actionsall,
);
foreach my $action (@actions) {
if ( exists $actions{$action} || $actionsall ) { $actions{$action} = 1; }
elsif ($verbose) { print "Invalid action $action ignored.\n"; }
}
if ( !-t STDOUT ) { $verbose = 0; }
if ( $help || ( $verbose && !$fast ) ) {
print <<"EOM";
securemysql $version
Options:
-q - Quiet execution
-F - Bypass the help message
-a - Specify additional actions (comma separated list), or blank for all
-h - Print this message and exit.
This script attempts to secure the MySQL configuration by doing the following:
(always executed) Ensure root password for MySQL is set.
(always executed) Changes ownership of /var/db/mysql or /var/lib/mysql to mysql
Additionally, the following actions can be specified:
[optional]
removeanon - Remove any anonymous users
removetestdb - Remove test database
removelockntmp - Remove global lock tables and create tmp table privileges from users
removeremoteroot - Remove remote root login
removehordeallhosts - Remove insecure horde login and privileges
removehordeblankpass - Remove horde users with blank password
Examples:
./securemysql -q -F -a removeanon,removetestdb,removelockntmp,removeremoteroot
./securemysql -q -F -a "removeanon, removetestdb, removelockntmp"
./securemysql -q -F -aremovehordeallhosts
EOM
exit if $help;
sleep 5;
}
my $useremotemysql = 0;
my $mysqlrootcnf = '/root/.my.cnf';
# Get MySQL host
if ( -e $mysqlrootcnf ) {
my $remotehost = q{};
if ( open my $mycnf_fh, '<', $mysqlrootcnf ) {
while (<$mycnf_fh>) {
chomp;
if (/^host=(\S+)/) {
$remotehost = $1;
}
}
close $mycnf_fh;
if ( $remotehost ne '' ) {
$remotehost =~ s/^\"|\"$//g;
if ( $remotehost ne '' ) {
$remotehost = lc $remotehost;
if ( $remotehost ne 'localhost' ) {
if ( $remotehost =~ /^\d+\.\d+\.\d+\.\d+$/ ) {
# Using IP
if ( $remotehost ne '127.0.0.1'
&& $remotehost ne Cpanel::DIp::getmainserverip()
&& $remotehost ne Cpanel::DIp::getmainip() ) {
$useremotemysql = 1;
}
}
else {
$useremotemysql = 1;
}
}
}
}
}
}
if ($useremotemysql) {
print "Remote MySQL configured. Exiting.\n" if $verbose;
exit;
}
# Set db ownership
my $mysqldatadir = Cpanel::MysqlUtils::getmysqldir();
system( 'chown', '-R', 'mysql', $mysqldatadir ) if -d $mysqldatadir;
# This will force a password reset if password is wrong/blank
my $mysqlruncheck = `/scripts/restartsrv_mysql --check`;
chomp $mysqlruncheck;
# Ensure /root/.my.cnf perms
chown 0, 0, $mysqlrootcnf;
chmod 0600, $mysqlrootcnf;
if ( defined($mysqlruncheck) && $mysqlruncheck ne '' ) {
die "Unable to reset root MySQL password.";
}
# Check to see if actions specified
my @values = values %actions;
my $val = 0;
foreach (@values) { $val += $_; }
if ($val) {
my $mysqlbin = Cpanel::DbUtils::find_mysql();
open( MYSQL, '|-' ) || exec( $mysqlbin, '-u', 'root', 'mysql' );
if ( $actions{'removeanon'} ) {
print "Removing anonymous users ... " if $verbose;
print MYSQL qq{DELETE FROM mysql.user WHERE User='';\n};
print "Done\n" if $verbose;
}
if ( $actions{'removeremoteroot'} ) {
print "Removing remote root login ... " if $verbose;
print MYSQL qq{DELETE FROM mysql.user WHERE User='root' AND Host!='localhost';\n};
print "Done\n" if $verbose;
}
if ( $actions{'removelockntmp'} ) {
print "Dropping global lock tables and create tmp tables permissions ... " if $verbose;
print MYSQL qq{UPDATE mysql.user SET Lock_tables_priv='N',Create_tmp_table_priv='N' WHERE User!='root';\n};
print "Done\n" if $verbose;
}
if ( $actions{'removehordeallhosts'} ) {
print "Removing insecure horde login ... " if $verbose;
print MYSQL qq{DELETE FROM mysql.user WHERE User='horde' AND Host='%';\n};
print MYSQL qq{DELETE FROM mysql.db WHERE User='horde' AND Host='%';\n};
print MYSQL qq{DELETE FROM mysql.tables_priv WHERE User='horde' AND Host='%';\n};
print MYSQL qq{DELETE FROM mysql.columns_priv WHERE User='horde' AND Host='%';\n};
print "Done\n" if $verbose;
}
if ( $actions{'removehordeblankpass'} ) {
print "Removing horde user entries with blank password ... " if $verbose;
print MYSQL qq{DELETE FROM mysql.user WHERE User='horde' AND Password='';\n};
print "Done\n" if $verbose;
}
if ( $actions{'removetestdb'} ) {
print "Removing all privileges for test db ... " if $verbose;
print MYSQL qq{DELETE FROM mysql.db WHERE Db LIKE 'test%' AND User='';\n};
print "Done\n" if $verbose;
}
print "Flushing privileges table ... " if $verbose;
print MYSQL qq{FLUSH PRIVILEGES;\n};
print "Done.\n" if $verbose;
# This needs to be last because if the db 'test' doesn't exist, then
# mysql client exits.
if ( $actions{'removetestdb'} ) {
print "Dropping test database... " if $verbose;
print MYSQL qq{DROP DATABASE test;\n};
print "Done\n" if $verbose;
print "An error message similar to:\n" if $verbose;
print "\tERROR 1008 at line 9: Can't drop database 'test'. Database doesn't exist\n" if $verbose;
print "can safely be ignored.\n" if $verbose;
}
close(MYSQL);
}