Différences

Ci-dessous, les différences entre deux révisions de la page.

--- mariadb_securisation [2023/07/05 19:19] – [Contrôle] pascal
+++ mariadb_securisation [2023/07/05 19:46] (Version actuelle) – [Mot de passe root] pascal
@@ Ligne 6: / Ligne 6: @@
 Cette commande fait partie des packages mysql-server et mariadb-server.
 ===== Exécution de la commande =====
+==== Saisie du mot de passe root actuel ====
 <code>
+NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
+      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!
+In order to log into MariaDB to secure it, we'll need the current
+password for the root user. If you've just installed MariaDB, and
+haven't set the root password yet, you should just press enter here.
+Enter current password for root (enter for none):
+OK, successfully used password, moving on...
 </code>
-==== Lancement du client ====
+Pas de mot de passe. le user root se connecte via socket sans mot de passe.
-<code bash>
-root:~# mariadb
-Welcome to the MariaDB monitor.  Commands end with ; or \g.
-Your MariaDB connection id is 31
-Server version: 10.11.3-MariaDB-1 Debian 12
-Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
+==== Définition d'un mot de passe pour root ====
+<code>
-Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+Setting the root password or using the unix_socket ensures that nobody
+can log into the MariaDB root user without the proper authorisation.
-MariaDB [(none)]>
+You already have your root account protected, so you can safely answer 'n'.
+Switch to unix_socket authentication [Y/n] n
+ ... skipping.
 </code>
+Il ne faut pas définir de mot de passe pour root afin de n'autoriser que les connexions par socket depuis le compte root de la machine.
+==== Définition d'un mot de passe pour root ====
+<code>
+You already have your root account protected, so you can safely answer 'n'.
-==== Liste des bases ====
+Change the root password? [Y/n] n
-<code bash>
+ ... skipping.
-MariaDB [(none)]> show databases;
+</code>
-+---------------------+
+<code>
-| Database            |
+By default, a MariaDB installation has an anonymous user, allowing anyone
-+---------------------+
+to log into MariaDB without having to have a user account created for
-| #mysql50#lost+found |
+them.  This is intended only for testing, and to make the installation
-| information_schema  |
+go a bit smoother.  You should remove them before moving into a
-| mysql               |
+production environment.
-| performance_schema  |
-| sys                 |
-+---------------------+
-rows in set (0,001 sec)
-MariaDB [(none)]>
+Remove anonymous users? [Y/n] Y
+ ... Success!
 </code>
+<code>
+Normally, root should only be allowed to connect from 'localhost'.  This
+ensures that someone cannot guess at the root password from the network.
-==== Liste des utilisateurs ====
+Disallow root login remotely? [Y/n] n
-<code bash>
+ ... skipping.
-MariaDB [(none)]> show databases;
+</code>
-MariaDB [mysql]> use mysql;
+==== Suite de la commande ====
-Database changed
+<code>
-MariaDB [mysql]> select Host, User, Password from user;
-+-----------+-------------+----------+
+Setting the root password or using the unix_socket ensures that nobody
-| Host      | User        | Password |
+can log into the MariaDB root user without the proper authorisation.
-+-----------+-------------+----------+
-| localhost | mariadb.sys |          |
+You already have your root account protected, so you can safely answer 'n'.
-| localhost | root        | invalid  |
-| localhost | mysql       | invalid  |
+Switch to unix_socket authentication [Y/n] n
-+-----------+-------------+----------+
+ ... skipping.
-rows in set (0,002 sec)
+You already have your root account protected, so you can safely answer 'n'.
+Change the root password? [Y/n] n
+ ... skipping.
+By default, a MariaDB installation has an anonymous user, allowing anyone
+to log into MariaDB without having to have a user account created for
+them.  This is intended only for testing, and to make the installation
+go a bit smoother.  You should remove them before moving into a
+production environment.
+Remove anonymous users? [Y/n] Y
+ ... Success!
+Normally, root should only be allowed to connect from 'localhost'.  This
+ensures that someone cannot guess at the root password from the network.
+Disallow root login remotely? [Y/n] n
+ ... skipping.
+By default, MariaDB comes with a database named 'test' that anyone can
+access.  This is also intended only for testing, and should be removed
+before moving into a production environment.
+Remove test database and access to it? [Y/n] Y
+ - Dropping test database...
+ ... Success!
+ - Removing privileges on test database...
+ ... Success!
+Reloading the privilege tables will ensure that all changes made so far
+will take effect immediately.
+Reload privilege tables now? [Y/n] Y
+ ... Success!
+Cleaning up...
+All done!  If you've completed all of the above steps, your MariaDB
+installation should now be secure.
-MariaDB [mysql]>
 </code>
-===== Configuration =====
-<code bash file=/etc/mysql/mariadb.conf.d/99-local.cnf>
-[mysqld]
-# Instead of skip-networking the default is now to listen only on
-# localhost which is more compatible and is not less secure.
-bind-address            = 10.1.40.1
-</code>
-Object, autoriser la connexion depuis les autres machines du réseau local.
 ===== Suite =====