commit 09c25bfa3c02fe77f33e16ec8a4fcc0788fa8eef
Author: allan
Date: Thu Oct 16 16:16:46 2025 +0200
initial commit
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..3eaaa81
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Allan Christensen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e8432ba
--- /dev/null
+++ b/README.md
@@ -0,0 +1,66 @@
+# MariaDB for Ubuntu 24.04 Server
+[![OS](https://img.shields.io/badge/ubuntu-24.04-E95420)](#)
+[![Shell](https://img.shields.io/badge/shell-bash-121011)](#)
+[![DB](https://img.shields.io/badge/server-mariadb-003545)](#)
+[![Auth](https://img.shields.io/badge/auth-socket-blue)](#)
+[![License](https://img.shields.io/badge/License-MIT-green)](./LICENSE)
+
+Automated Bash installer script for deploying MariaDB on Ubuntu 24.04 Server using **socket authentication** for the root account and creating a dedicated **local-only admin user** supplied at runtime.
+
+This is a **production-focused installer**, not a demo.
+
+---
+
+### Preparing
+Update your package index before running the installer:
+
+```
+sudo apt update -y
+```
+
+### Download the Script
+Clone the repository from your Git server:
+```
+git clone https://git.x-files.dk/database-server/mariadb-ubuntu.git
+```
+
+```
+cd mariadb-ubuntu
+```
+
+### Usage
+Run the script with your chosen admin username and password:
+```
+sudo ./mariadbinstall -u -p
+```
+
+### Example
+```bash
+sudo ./mariadbinstall -u mydbuser -p "StrongPassword123"
+```
+
+> **IMPORTANT**
+> Always enclose the password in quotes if it contains special characters such as `$`, `!`, or `&`.
+
+---
+
+### Notes
+- No `mysql_secure_installation` needed — this scipt is performing the equivalent hardening.
+- The created admin user is **restricted to localhost only** for security.
+- Root remains socket-authenticated by default.
+
+> **On a side note**
+> I know that on modern Ubuntu systems `mysql_secure_installation` isn’t strictly necessary anymore — but a bit of paranoia helps me sleep at night. That’s why the script still runs through the whole `mysql_secure_installation` ritual. It’s not that it’s required — I just don’t want anyone blaming me because it *wasn’t* done.
+
+---
+
+### More Information
+
+More guides and documentation can be found on [wiki.x-files.dk](https://wiki.x-files.dk)
+
+---
+
+### License
+Licensed under the [MIT License](./LICENSE).
+
+---
diff --git a/last-tested b/last-tested
new file mode 100644
index 0000000..3f1f6ef
--- /dev/null
+++ b/last-tested
@@ -0,0 +1,4 @@
+------------------------------------
+Last tested: 15-10-2025 (DD-MM-YYYY)
+Environment: Ubuntu Server 24.04 LTS
+------------------------------------
diff --git a/mariadbinstall b/mariadbinstall
new file mode 100755
index 0000000..fe20f10
--- /dev/null
+++ b/mariadbinstall
@@ -0,0 +1,178 @@
+#!/usr/bin/env bash
+
+# Author : Allan Christensen
+# First Created : 05012022 (DD-MM-YYYY)
+# Description : Installs MariaDB with socket auth on Ubuntu 24.04
+# License : MIT License (see LICENSE file for details)
+
+#
+# Are we root
+#
+if [[ $(id -u) -ne 0 ]]; then echo "" && echo "Must be root or use sudo" && echo "" ; exit 1 ; fi
+
+#
+# Define variables
+#
+mariaconfig="/etc/mysql/mariadb.conf.d/50-server.cnf"
+
+#
+# Function to check if a service is already running or not
+#
+serviceyes () { printf "\n%s" $service ; printf " is already running cannot continue...\n\n"; }
+servicealive () { status=$(systemctl is-active $service); if [[ "$status" == "active" ]]; then serviceyes ; exit 1; fi; }
+
+#
+# Function usage
+#
+usage () {
+printf -- "\nmariadbinstall\n\n"
+printf -- "Installs and configures MariaDB on Ubuntu 24.04\n"
+printf -- "Note: Must be run as root or using sudo\n\n"
+printf -- "Usage:\n"
+printf -- " sudo ./mariadbinstall -u -p \n"
+printf -- " sudo ./mariadbinstall -h (help screen)\n\n"
+printf -- "Example:\n"
+printf -- " sudo ./mariadbinstall -u adminuser -p strongpass\n\n"
+}
+
+#
+# If MariaDB is already running then die
+#
+service="mariadb" ; servicealive
+
+#
+# Let's go
+#
+clear
+
+#
+# Check if no arguments were given or if -u og -p is missing or malformed
+#
+if [[ $# -eq 0 ]]; then usage ; printf "ERROR: -u and -p REQUIRED!\n\n" ; exit 1 ; fi
+
+#
+# Parse arguments
+#
+while [[ $# -gt 0 ]]; do
+ case "$1" in
+ -u)
+ shift
+ if [[ -z "$1" ]]; then
+ usage
+ printf "ERROR: USERNAME CANNOT BE EMPTY!\n\n"
+ exit 1
+ fi
+ adminuser="$1"
+ shift
+ ;;
+ -p)
+ shift
+ if [[ -z "$1" ]]; then
+ usage
+ printf "ERROR: PASSWORD CANNOT BE EMPTY!\n\n"
+ exit 1
+ fi
+ adminpwd="$1"
+ shift
+ ;;
+ -h)
+ usage
+ exit 0
+ ;;
+ *)
+ usage
+ printf "\nType: sudo %s -h for help\n\n" "$0"
+ exit 1
+ ;;
+ esac
+done
+
+#
+# Final sanity check
+#
+if [[ -z "$adminuser" || -z "$adminpwd" ]]; then usage ; printf "\nERROR: Both -u and -p arguments are mandatory!\n\n" ; exit 1 ; fi
+
+#
+# Username: only allow a-zA-Z0-9_.-
+#
+if [[ ! "$adminuser" =~ ^[a-zA-Z0-9_.-]+$ ]]; then
+ printf "\nERROR: Username contains invalid characters.\n"
+ printf "Allowed characters: letters, digits, dot (.), underscore (_), and dash (-)\n\n"
+ exit 1
+fi
+
+#
+# Password: disallow spaces and backslashes, warn about weak passwords
+#
+if [[ "$adminpwd" =~ [[:space:]] ]]; then
+ printf "\nERROR: Password cannot contain spaces.\n\n"
+ exit 1
+fi
+if [[ "$adminpwd" =~ [\\] ]]; then
+ printf "\nERROR: Password cannot contain backslashes (\\).\n\n"
+ exit 1
+fi
+
+#
+# Install MariaDB
+#
+apt install -y mariadb-server mariadb-client
+
+#
+# Setting up error log comment this out if you don't need error log
+#
+sed -i '/#log_error = \/var\/log\/mysql\/error.log/ s/^.//' "$mariaconfig"
+
+#
+# Apply MariaDB hardening (non-interactive, safe for socket auth)
+#
+mysql --force 2>/dev/null <<'EOF'
+-- Remove anonymous users
+DELETE FROM mysql.global_priv WHERE User='';
+
+-- Remove remote root access
+DELETE FROM mysql.global_priv WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
+
+-- Drop test database
+DROP DATABASE IF EXISTS test;
+
+-- Remove test DB privileges
+DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%';
+
+-- Apply changes
+FLUSH PRIVILEGES;
+EOF
+
+#
+# Create admin user root remains socket-authenticated by default
+#
+mysql --force 2>/dev/null < "$secretfile" ; chmod 400 "$secretfile"
+
+#
+# All done
+#
+printf "\nAll Done...\n\n"
+printf -- "--------------------------------------------\n"
+printf " Admin User : %s\n" "$adminuser"
+printf " Admin Pass : %s\n" "$adminpwd"
+printf -- "--------------------------------------------\n\n"
+printf "Credentials have been saved to: %s\n" "$secretfile"
+printf "Make sure to DELETE this once you are ready!\n\n"
+
+#
+# End of script
+#
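Review bot: The admin password is handled in the clear at three points in this script: it is taken from the command line in the `-p)` arm (so it lands in shell history and the process list), it is echoed by `printf " Admin Pass : %s\n" "$adminpwd"` in the summary, and `chmod 400 "$secretfile"` only runs after the credentials file has been written. I would put `umask 077` ahead of the write so the file is never created with a wider mode, drop the `Admin Pass` line from the summary, and fall back to `read -rs adminpwd` when `-p` is not given. The user-creation statement and the `secretfile` assignment are missing from this rendering of the hunk, so the write-then-chmod order is inferred from the surviving fragment; for the same reason it is worth confirming that a `'` in the password is rejected before it reaches the SQL, since the visible checks only exclude whitespace and backslashes. Both `mysql --force 2>/dev/null` calls also hide errors, so `All Done...` is printed even when hardening or user creation did not succeed.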