module-mysql/files/scripts/Debian/setmysqlpass.sh

#!/bin/sh

test -f /root/.my.cnf || exit 1

must_have ()
{
    # Here, using "which" would not be appropriate since it also depends on
    # PATH being set correctly. The type builtin command is unaffected by the
    # environment.
    type $1 >/dev/null
    if [ $? -ne 0 ]; then
        echo "Command '$1' not found, did you correctly set PATH ? Its current value is: $PATH" >&2
        exit 1
    fi
}

# Since this script is doing something rather unsafe with the database, we want
# to be really careful to have all the necessary tools before doing anything so
# that we don't end up in an inconsistent state.
must_have sleep
must_have mysql
must_have killall
must_have ls
must_have chown

rootpw=$(grep password /root/.my.cnf | sed -e 's/^[^=]*= *\(.*\) */\1/')

/usr/bin/mysqladmin -uroot --password="${rootpw}" status > /dev/null && echo "Nothing to do as the password already works" && exit 0

/etc/init.d/mysql stop

/usr/sbin/mysqld --skip-grant-tables --user=root --datadir=/var/lib/mysql --log-bin=/var/lib/mysql/mysql-bin &
sleep 5
mysql -u root mysql <<EOF
UPDATE mysql.user SET Password=PASSWORD('$rootpw') WHERE User='root' AND Host='localhost';
DELETE FROM mysql.user WHERE (User='root' AND Host!='localhost') OR USER='';
FLUSH PRIVILEGES;
EOF
killall mysqld
sleep 15
# chown to be on the safe side
ls -al /var/lib/mysql/mysql-bin.* &> /dev/null
[ $? == 0 ] && chown mysql.mysql /var/lib/mysql/mysql-bin.*
chown -R mysql.mysql /var/lib/mysql/data/

/etc/init.d/mysql start
add Debian support 2009-12-10 18:22:25 +01:00			`#!/bin/sh`

Avoid root password leak to process list The current procedure of setting the root MySQL password leaks the root password by giving it to the setmysqlpass.sh script on the command line. This means that during the couple of seconds that the script is executing, the password is visible in the process list! Since we're already writing the password in the /root/.my.cnf file, make the setmysqlpass.sh script parse this file to retrieve the password instead of receiving it from a command line argument. Also, in some shells the 'echo' command might appear in the process list. Use a heredoc notation to create the output without using a command. Signed-off-by: Gabriel Filion <lelutin@gmail.com> 2010-12-14 18:10:54 +01:00			`test -f /root/.my.cnf \|\| exit 1`

setmysqlpass: be more careful before plundering into action Since this script is rooting the database, it'd be good to use a little more precaution so that we don't let systems be in an inconsistent case when crashing. In cases where the PATH variable is not appropriately set (variable is empty by default when script is invoked by puppet) the script shuts down mysql and then is not able to call most commands. 2013-11-15 09:19:40 +01:00			`must_have ()`
			`{`
			`# Here, using "which" would not be appropriate since it also depends on`
			`# PATH being set correctly. The type builtin command is unaffected by the`
			`# environment.`
			`type $1 >/dev/null`
			`if [ $? -ne 0 ]; then`
			`echo "Command '$1' not found, did you correctly set PATH ? Its current value is: $PATH" >&2`
			`exit 1`
			`fi`
			`}`

			`# Since this script is doing something rather unsafe with the database, we want`
			`# to be really careful to have all the necessary tools before doing anything so`
			`# that we don't end up in an inconsistent state.`
			`must_have sleep`
			`must_have mysql`
			`must_have killall`
			`must_have ls`
			`must_have chown`

Avoid root password leak to process list The current procedure of setting the root MySQL password leaks the root password by giving it to the setmysqlpass.sh script on the command line. This means that during the couple of seconds that the script is executing, the password is visible in the process list! Since we're already writing the password in the /root/.my.cnf file, make the setmysqlpass.sh script parse this file to retrieve the password instead of receiving it from a command line argument. Also, in some shells the 'echo' command might appear in the process list. Use a heredoc notation to create the output without using a command. Signed-off-by: Gabriel Filion <lelutin@gmail.com> 2010-12-14 18:10:54 +01:00			`rootpw=$(grep password /root/.my.cnf \| sed -e 's/^[^=]= \(.\) /\1/')`
add Debian support 2009-12-10 18:22:25 +01:00
fix #6638 - remove the unless check & improve script To workaround a limitation of the exec provider within puppet, we do the unless check no within the script itself and ensure that we use the password there. https://labs.riseup.net/code/issues/6638 2014-02-05 22:34:17 +01:00			`/usr/bin/mysqladmin -uroot --password="${rootpw}" status > /dev/null && echo "Nothing to do as the password already works" && exit 0`

add Debian support 2009-12-10 18:22:25 +01:00			`/etc/init.d/mysql stop`

			`/usr/sbin/mysqld --skip-grant-tables --user=root --datadir=/var/lib/mysql --log-bin=/var/lib/mysql/mysql-bin &`
			`sleep 5`
Avoid root password leak to process list The current procedure of setting the root MySQL password leaks the root password by giving it to the setmysqlpass.sh script on the command line. This means that during the couple of seconds that the script is executing, the password is visible in the process list! Since we're already writing the password in the /root/.my.cnf file, make the setmysqlpass.sh script parse this file to retrieve the password instead of receiving it from a command line argument. Also, in some shells the 'echo' command might appear in the process list. Use a heredoc notation to create the output without using a command. Signed-off-by: Gabriel Filion <lelutin@gmail.com> 2010-12-14 18:10:54 +01:00			`mysql -u root mysql <<EOF`
			`UPDATE mysql.user SET Password=PASSWORD('$rootpw') WHERE User='root' AND Host='localhost';`
fix issues for EL7 + simplify account security * EL7 uses mariadb & systemd -> adjust setpasswd script to that * move the security ensurance to the setpassword script, as it's easier to ensure that there 2015-01-24 18:05:08 +01:00			`DELETE FROM mysql.user WHERE (User='root' AND Host!='localhost') OR USER='';`
Avoid root password leak to process list The current procedure of setting the root MySQL password leaks the root password by giving it to the setmysqlpass.sh script on the command line. This means that during the couple of seconds that the script is executing, the password is visible in the process list! Since we're already writing the password in the /root/.my.cnf file, make the setmysqlpass.sh script parse this file to retrieve the password instead of receiving it from a command line argument. Also, in some shells the 'echo' command might appear in the process list. Use a heredoc notation to create the output without using a command. Signed-off-by: Gabriel Filion <lelutin@gmail.com> 2010-12-14 18:10:54 +01:00			`FLUSH PRIVILEGES;`
			`EOF`
add Debian support 2009-12-10 18:22:25 +01:00			`killall mysqld`
increase timeout before killing to account for slower startup speed of larger databases 2010-09-22 18:55:10 +02:00			`sleep 15`
add Debian support 2009-12-10 18:22:25 +01:00			`# chown to be on the safe side`
			`ls -al /var/lib/mysql/mysql-bin.* &> /dev/null`
			`[ $? == 0 ] && chown mysql.mysql /var/lib/mysql/mysql-bin.*`
also chown the data dir 2013-12-04 23:19:09 +01:00			`chown -R mysql.mysql /var/lib/mysql/data/`
add Debian support 2009-12-10 18:22:25 +01:00
			`/etc/init.d/mysql start`