Différences

Ci-dessous, les différences entre deux révisions de la page.

--- mariadb_securisation [2023/07/05 19:18] – [Commande] pascal
+++ mariadb_securisation [2023/07/05 19:46] (Version actuelle) – [Mot de passe root] pascal
@@ Ligne 5: / Ligne 5: @@
 </code>
 Cette commande fait partie des packages mysql-server et mariadb-server.
-===== Contrôle =====
+===== Exécution de la commande =====
-==== Lancement du client ====
+==== Saisie du mot de passe root actuel ====
-<code bash>
+<code>
-root:~# mariadb
+NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
-Welcome to the MariaDB monitor.  Commands end with ; or \g.
+      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!
-Your MariaDB connection id is 31
-Server version: 10.11.3-MariaDB-1 Debian 12
-Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
+In order to log into MariaDB to secure it, we'll need the current
+password for the root user. If you've just installed MariaDB, and
+haven't set the root password yet, you should just press enter here.
-Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+Enter current password for root (enter for none):
+OK, successfully used password, moving on...
-MariaDB [(none)]>
 </code>
+Pas de mot de passe. le user root se connecte via socket sans mot de passe.
-==== Liste des bases ====
+==== Définition d'un mot de passe pour root ====
-<code bash>
+<code>
-MariaDB [(none)]> show databases;
-+---------------------+
-| Database            |
-+---------------------+
-| #mysql50#lost+found |
-| information_schema  |
-| mysql               |
-| performance_schema  |
-| sys                 |
-+---------------------+
-rows in set (0,001 sec)
-MariaDB [(none)]>
+Setting the root password or using the unix_socket ensures that nobody
+can log into the MariaDB root user without the proper authorisation.
+You already have your root account protected, so you can safely answer 'n'.
+Switch to unix_socket authentication [Y/n] n
+ ... skipping.
 </code>
+Il ne faut pas définir de mot de passe pour root afin de n'autoriser que les connexions par socket depuis le compte root de la machine.
+==== Définition d'un mot de passe pour root ====
+<code>
+You already have your root account protected, so you can safely answer 'n'.
-==== Liste des utilisateurs ====
+Change the root password? [Y/n] n
-<code bash>
+ ... skipping.
-MariaDB [(none)]> show databases;
+</code>
-MariaDB [mysql]> use mysql;
+<code>
-Database changed
+By default, a MariaDB installation has an anonymous user, allowing anyone
-MariaDB [mysql]> select Host, User, Password from user;
+to log into MariaDB without having to have a user account created for
-+-----------+-------------+----------+
+them.  This is intended only for testing, and to make the installation
-| Host      | User        | Password |
+go a bit smoother.  You should remove them before moving into a
-+-----------+-------------+----------+
+production environment.
-| localhost | mariadb.sys |          |
-| localhost | root        | invalid  |
-| localhost | mysql       | invalid  |
-+-----------+-------------+----------+
-rows in set (0,002 sec)
-MariaDB [mysql]>
+Remove anonymous users? [Y/n] Y
+ ... Success!
 </code>
-===== Configuration =====
+<code>
-<code bash file=/etc/mysql/mariadb.conf.d/99-local.cnf>
+Normally, root should only be allowed to connect from 'localhost'.  This
-[mysqld]
+ensures that someone cannot guess at the root password from the network.
-# Instead of skip-networking the default is now to listen only on
-# localhost which is more compatible and is not less secure.
+Disallow root login remotely? [Y/n] n
-bind-address            = 10.1.40.1
+ ... skipping.
 </code>
-Object, autoriser la connexion depuis les autres machines du réseau local.
+==== Suite de la commande ====
+<code>
+Setting the root password or using the unix_socket ensures that nobody
+can log into the MariaDB root user without the proper authorisation.
+You already have your root account protected, so you can safely answer 'n'.
+Switch to unix_socket authentication [Y/n] n
+ ... skipping.
+You already have your root account protected, so you can safely answer 'n'.
+Change the root password? [Y/n] n
+ ... skipping.
+By default, a MariaDB installation has an anonymous user, allowing anyone
+to log into MariaDB without having to have a user account created for
+them.  This is intended only for testing, and to make the installation
+go a bit smoother.  You should remove them before moving into a
+production environment.
+Remove anonymous users? [Y/n] Y
+ ... Success!
+Normally, root should only be allowed to connect from 'localhost'.  This
+ensures that someone cannot guess at the root password from the network.
+Disallow root login remotely? [Y/n] n
+ ... skipping.
+By default, MariaDB comes with a database named 'test' that anyone can
+access.  This is also intended only for testing, and should be removed
+before moving into a production environment.
+Remove test database and access to it? [Y/n] Y
+ - Dropping test database...
+ ... Success!
+ - Removing privileges on test database...
+ ... Success!
+Reloading the privilege tables will ensure that all changes made so far
+will take effect immediately.
+Reload privilege tables now? [Y/n] Y
+ ... Success!
+Cleaning up...
+All done!  If you've completed all of the above steps, your MariaDB
+installation should now be secure.
+</code>
 ===== Suite =====