From e31cdd6b68632b0cb3012ccd74caf96e21d85fa7 Mon Sep 17 00:00:00 2001
From: allan
Date: Fri, 28 Nov 2025 11:23:08 +0000
Subject: [PATCH] initial commit
---
LICENSE | 21 ++++++
README.md | 197 +++++++++++++++++++++++++++++++++++++++++++++++++++
last-tested | 4 ++
mysqlinstall | 130 +++++++++++++++++++++++++++++++++
4 files changed, 352 insertions(+)
create mode 100644 LICENSE
create mode 100644 README.md
create mode 100644 last-tested
create mode 100755 mysqlinstall
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..3eaaa81
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Allan Christensen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..087e5d8
--- /dev/null
+++ b/README.md
@@ -0,0 +1,197 @@
+# MySQL for Ubuntu 24.04 Server
+[![OS](https://img.shields.io/badge/ubuntu-24.04-E95420)](#)
+[![Shell](https://img.shields.io/badge/shell-bash-121011)](#)
+[![MySQL](https://img.shields.io/badge/db-mysql-4479A1)](#)
+[![Auth](https://img.shields.io/badge/auth-no_socket-blue)](#)
+[![License](https://img.shields.io/badge/License-MIT-green)](./LICENSE)
+
+Automated Bash installer for **MySQL on Ubuntu 24.04**, configured for password-only authentication
+(no `auth_socket`, no silent root login, no surprises).
+
+This is a **production-focused installer**, not a lab toy.
+Run it once → MySQL is installed, hardened, and ready for real workloads.
+
+---
+
+## What this installer does
+
+✔ Installs MySQL Server + Client
+✔ Forces **password authentication for root** (`mysql_native_password`)
+✔ Removes anonymous users and the test database
+✔ Disables remote root access
+✔ Creates `/root/.my.cnf` for passwordless root CLI access
+✔ Runs non-interactively (no `mysql_secure_installation` wizard)
+✔ Safe to re-run — existing data is not dropped
+
+---
+
+## Requirements
+
+You need:
+
+✔ Ubuntu 24.04 Server (or equivalent)
+✔ Root access (direct or via `sudo`)
+✔ No existing MySQL service already running
+
+If MySQL is already running, the script will exit to avoid damaging an existing installation.
+
+---
+
+## 1. Prepare the system
+
+```
+sudo apt update -y
+```
+
+---
+
+## 2. Download the installer
+
+```
+git clone https://git.x-files.dk/database/mysql-ubuntu.git
+cd mysql-ubuntu
+```
+
+---
+
+## 3. Install MySQL
+
+```
+sudo ./mysqlinstall -p
+```
+
+Example:
+
+```
+sudo ./mysqlinstall -p StrongRootPass1986
+```
+
+The `-p` flag is **required**. If omitted, the script exits with an error.
+
+---
+
+## Authentication Mode (Default)
+
+This installer configures MySQL to use **password-based authentication only** for the `root` user.
+
+| Mode | Status | Notes |
+|---|---|---|
+| `mysql_native_password` | ✔ Enabled | Root must use a password |
+| `auth_socket` | ✘ Disabled | No implicit root login via socket |
+
+This makes MySQL easier to use with:
+
+- GUI tools (DBeaver, HeidiSQL, etc.)
+- Remote automation (Ansible, backup scripts)
+- Other services that expect TCP + password auth
+
+---
+
+## Security Hardening (Automatic)
+
+The script applies hardening equivalent to `mysql_secure_installation`:
+
+| Task | Status |
+|---|---|
+| Remove anonymous users | ✔ |
+| Disallow remote root login | ✔ |
+| Drop `test` database | ✔ |
+| Remove `test_%` databases | ✔ |
+| Flush privileges | ✔ |
+
+---
+
+## Post‑Install Login
+
+Because `/root/.my.cnf` is created, you can log in as root with:
+
+```
+mysql
+```
+
+Or explicitly:
+
+```
+mysql -u root -p
+```
+
+Credentials file:
+
+```
+/root/.my.cnf
+```
+
+File mode is set to `400` (root read‑only).
+
+---
+
+## Switching Authentication Modes
+
+### 1. Switch back to socket authentication (optional)
+
+If you prefer the default Ubuntu‑style **socket auth** for root (no password when local), run:
+
+```
+sudo mysql
+ALTER USER 'root'@'localhost' IDENTIFIED WITH auth_socket;
+FLUSH PRIVILEGES;
+```
+
+After this:
+
+```
+mysql # works without password (as root on the server)
+mysql -p # will fail unless you set a password again
+```
+
+Because this installer created `/root/.my.cnf`, you should **remove it** when switching back to socket auth to avoid confusing clients and tools:
+
+```
+rm -f /root/.my.cnf
+```
+
+Otherwise, tools that rely on `/root/.my.cnf` may try password auth while MySQL expects socket auth, leading to login errors.
+
+### 2.
Switch from socket auth back to password auth + +If you later decide to restore password‑based login again: + +``` +sudo mysql +ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'YourNewPasswordHere'; +FLUSH PRIVILEGES; +``` + +Then recreate `/root/.my.cnf` if desired: + +``` +cat > /root/.my.cnf <\n" +printf -- " sudo ./mysqlinstall -h (help)\n\n" +printf -- "Example:\n" +printf -- " sudo ./mysqlinstall -p SuperSecret123\n\n" +} + +clear + +# +# Argument check +# +if [[ $# -eq 0 ]]; then usage ; printf "ERROR: -p REQUIRED!\n\n" ; exit 1 ; fi + +while [[ $# -gt 0 ]]; do + case "$1" in + -p) + shift + [[ -z "$1" ]] && usage && printf "ERROR: ROOT PASSWORD REQUIRED!\n\n" && exit 1 + rootpwd="$1" + shift + ;; + -h) + usage ; exit 0 ;; + *) + usage ; printf "\nType: sudo %s -h for help\n\n" "$0" ; exit 1 ;; + esac +done + +# +# Final sanity check +# +if [[ -z "$rootpwd" ]]; then usage ; printf "\nERROR: Missing -p \n\n" ; exit 1 ; fi + +# +# Password: disallow spaces and backslashes, warn about weak passwords +# +if [[ "$rootpwd" =~ [[:space:]] ]]; then + printf "\nERROR: Password cannot contain spaces.\n\n" + exit 1 +fi +if [[ "$rootpwd" =~ [\\] ]]; then + printf "\nERROR: Password cannot contain backslashes (\\).\n\n" + exit 1 +fi + +# +# Install MySQL +# +apt install -y mysql-server mysql-client + +# +# Configure MySQL authentication (native password, no socket auth) +# +mysql --execute="ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '${rootpwd}'; FLUSH PRIVILEGES;" + +# +# Harden MySQL installation +# +mysql -u root -p"${rootpwd}" <<'EOF' +-- Remove anonymous users +DELETE FROM mysql.user WHERE User=''; + +-- Remove remote root access +DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'); + +-- Drop test database +DROP DATABASE IF EXISTS test; + +-- Remove test DB privileges +DELETE FROM mysql.db WHERE Db='test' OR Db LIKE 'test_%'; + +-- Apply changes +FLUSH PRIVILEGES; +EOF + +# +# 
Create /root/.my.cnf +# +cat > /root/.my.cnf <