commit 3f36f2abed296aaa1c3aba21ec970b38ab65193b Author: allan Date: Fri Dec 19 14:52:14 2025 +0100 latest commit
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..3eaaa81
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Allan Christensen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..1be2744
--- /dev/null
+++ b/README.md
@@ -0,0 +1,82 @@
+# MariaDB for Ubuntu 24.04 Server
+[![OS](https://img.shields.io/badge/ubuntu-24.04-E95420)](#)
+[![Shell](https://img.shields.io/badge/shell-bash-121011)](#)
+[![DB](https://img.shields.io/badge/server-mariadb-003545)](#)
+[![Auth](https://img.shields.io/badge/auth-socket-blue)](#)
+[![License](https://img.shields.io/badge/License-MIT-green)](./LICENSE)
+
+Install MariaDB on Ubuntu 24.04 server.
+
+This is not a demo and not a quick experiment.
+This is a production-ready installer with consistent security and repeatability.
+
+## Why this installer exists
+The default MariaDB setup is easy — securing it properly is where most installations fail.
+
+## What this installer does
+✔ Enables root socket authentication
+✔ Blocks remote login by default
+✔ Creates admin account automatically
+✔ Mirrors mysql_secure_installation hardening
+✔ Supports optional password mode
+✔ Safe to re-run without data loss
+
+## What this installer does *NOT* do
+It won’t stop you from running the script without reading the documentation like there’s no tomorrow.
+Skip the README, and whatever happens next is your headache, not a bug report.
+
+## 1. Prepare the system
+
+```
+sudo apt update -y
+```
+
+## 2. Download the installer
+
+```
+git clone https://git.x-files.dk/database/mariadb-ubuntu.git
+```
+
+```
+cd mariadb-ubuntu
+```
+
+## 3. Run the installer
+
+```
+sudo ./mariadbinstall -u -p
+```
+
+Example:
+
+```
+sudo ./mariadbinstall -u mydbuser -p "StrongPassword123"
+```
+
+> **IMPORTANT**
+> Wrap the password in quotes if it contains special symbols.
+
+## Switch to password authentication (optional)
+
+```
+sudo mariadb
+ALTER USER 'root'@'localhost' IDENTIFIED BY 'YourStrongPasswordHere';
+FLUSH PRIVILEGES;
+```
+
+## Verification
+
+```
+mariadb -u -p -e "SELECT VERSION();"
+```
+
+### More Information
+
+More guides and documentation can be found on [wiki.x-files.dk](https://wiki.x-files.dk)
+
+---
+
+### License
+Licensed under the [MIT License](./LICENSE).
+
+---
diff --git a/last-tested b/last-tested
new file mode 100644
index 0000000..02156f4
--- /dev/null
+++ b/last-tested
@@ -0,0 +1,4 @@
+------------------------------------
+Last tested: 19-12-2025 (DD-MM-YYYY)
+Environment: Ubuntu Server 24.04 LTS
+------------------------------------
diff --git a/mariadbinstall b/mariadbinstall
new file mode 100755
index 0000000..5e2b3d5
--- /dev/null
+++ b/mariadbinstall
@@ -0,0 +1,185 @@
+#!/usr/bin/env bash
+
+# Author : Allan Christensen
+# First Created : 05-01-2022 (DD-MM-YYYY)
+# Description : Installs MariaDB with socket auth on Ubuntu 24.04
+# License : MIT License
+
+#
+# Are we root
+#
+if [[ $(id -u) -ne 0 ]]; then echo "" && echo "Must be root or use sudo" && echo "" ; exit 1 ; fi
+
+#
+# Check if services are already running
+#
+for svc in mariadb; do if systemctl is-active --quiet "$svc"; then printf "\n%s is already running, cannot continue...\n\n" "${svc^}" ; exit 1 ; fi ; done
+
+#
+# Define variables
+#
+mariaconfig="/etc/mysql/mariadb.conf.d/50-server.cnf"
+
+#
+# Function usage
+#
+usage () {
+printf -- "\nmariadbinstall\n\n"
+printf -- "Installs and configures MariaDB on Ubuntu 24.04\n"
+printf -- "Note: Must be run as root or using sudo\n\n"
+printf -- "Usage:\n"
+printf -- " sudo ./mariadbinstall -u -p \n"
+printf -- " sudo ./mariadbinstall -h (help screen)\n\n"
+printf -- "Example:\n"
+printf -- " sudo ./mariadbinstall -u adminuser -p strongpass\n\n"
+}
+
+#
+# Let's go
+#
+clear
+
+#
+# Check if no arguments were given or if -u or -p is missing or malformed
+#
+if [[ $# -eq 0 ]]; then usage ; printf "ERROR: -u and -p REQUIRED!\n\n" ; exit 1 ; fi
+
+#
+# Parse arguments
+#
+while [[ $# -gt 0 ]]; do
+ case "$1" in
+ -u)
+ shift
+ if [[ -z "$1" ]]; then
+ usage
+ printf "ERROR: USERNAME CANNOT BE EMPTY!\n\n"
+ exit 1
+ fi
+ adminuser="$1"
+ shift
+ ;;
+ -p)
+ shift
+ if [[ -z "$1" ]]; then
+ usage
+ printf "ERROR: PASSWORD CANNOT BE EMPTY!\n\n"
+ exit 1
+ fi
+ adminpwd="$1"
+ shift
+ ;;
+ -h)
+ usage
+ exit 0
+ ;;
+ *)
+ usage
+ printf "\nType: sudo %s -h for help\n\n" "$0"
+ exit 1
+ ;;
+ esac
+done
+
+#
+# Final sanity check
+#
+if [[ -z "$adminuser" || -z "$adminpwd" ]]; then usage ; printf "\nERROR: Both -u and -p arguments are mandatory!\n\n" ; exit 1 ; fi
+
+
+#
+# Prevent overriding root socket authentication
+#
+if [[ "$adminuser" == "root" ]]; then
+ printf "\nERROR: The root user already exists and 
uses socket authentication.\n"
+ printf "Do not assign a password to it — this would break socket login.\n"
+ printf "Use a different username (e.g., admin, dbadmin, or anything else).\n\n"
+ exit 1
+fi
+
+#
+# Username should only allow a-zA-Z0-9_.-
+#
+if [[ ! "$adminuser" =~ ^[a-zA-Z0-9_.-]+$ ]]; then
+ printf "\nERROR: Username contains invalid characters.\n"
+ printf "Allowed characters: letters, digits, dot (.), underscore (_), and dash (-)\n\n"
+ exit 1
+fi
+
+#
+# Password disallow spaces and backslashes
+#
+if [[ "$adminpwd" =~ [[:space:]] ]]; then
+ printf "\nERROR: Password cannot contain spaces.\n\n"
+ exit 1
+fi
+if [[ "$adminpwd" =~ [\\] ]]; then
+ printf "\nERROR: Password cannot contain backslashes (\\).\n\n"
+ exit 1
+fi
+
+#
+# Install MariaDB
+#
+apt install -y mariadb-server mariadb-client
+
+#
+# Setting up error log comment this out if you don't need error log
+#
+logdir="/var/log/mysql"
+if [[ ! -d "$logdir" ]]; then mkdir -m 2750 "$logdir" ; chown mysql:mysql "$logdir" ; fi
+sed -i '/#log_error = \/var\/log\/mysql\/error.log/ s/^.//' "$mariaconfig"
+
+#
+# Apply MariaDB hardening (non-interactive, safe for socket auth)
+#
+mysql --force 2>/dev/null <<'EOF'
+-- Remove anonymous users
+DELETE FROM mysql.global_priv WHERE User='';
+
+-- Remove remote root access
+DELETE FROM mysql.global_priv WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
+
+-- Drop test database
+DROP DATABASE IF EXISTS test;
+
+-- Remove test DB privileges
+DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%';
+
+-- Apply changes
+FLUSH PRIVILEGES;
+EOF
+
+#
+# Create admin user root remains socket-authenticated by default
+#
+mysql --force 2>/dev/null < "$secretfile" ; chmod 400 "$secretfile"
+
+#
+# All done
+#
+printf "\nAll Done...\n\n"
+printf -- "--------------------------------------------\n"
+printf " Admin User : %s\n" "$adminuser"
+printf " Admin Pass : %s\n" "$adminpwd"
+printf -- "--------------------------------------------\n\n"
+printf 
"Credentials have been saved to: %s\n" "$secretfile"
+printf "Make sure to DELETE this once you are ready!\n\n"
+
+#
+# End of script
+#
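Review bot: Both `mysql --force 2>/dev/null` invocations discard every error, so the script reaches "All Done" and prints the admin credentials even if a hardening statement or the account creation failed; the `apt install` line is unchecked in the same way. Since the hardening is the purpose of the installer, I would drop `--force` and `2>/dev/null` and end each `mysql` command line with `|| { printf 'ERROR: MariaDB hardening failed\n' >&2; exit 1; }`. The second heredoc and the write to `$secretfile` are not fully visible on this page, so two further points are hedged: if the password is interpolated into a single-quoted SQL literal, the validation above rejects spaces and backslashes but not `'`, and if the file is written before `chmod 400` runs, a `umask 077` ahead of the write avoids the window in which it has default permissions.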