/etc/mysql/my.cnf
sudo install -d -m 751 -o mysql -g mysql \
/home/mysql
+ sudo rm -rf /etc/mysql
+ sudo install -d -m 750 -o mysql -g mysql \
+ /etc/mysql \
+ /home/mysql/etc
+ sudo ln -fns \
+ /etc/mysql \
+ /home/mysql/etc/mysql
if sudo test ! -d /home/mysql/data
then
sudo install -d -m 750 -o mysql -g mysql-data \
/home/mysql/data
sudo -u mysql mysql_install_db \
- --no-defaults \
- --datadir=/home/mysql/data
+ --datadir=/home/mysql/data \
+ --no-defaults
fi
sudo service tmpfs restart
+ sudo insserv -r mysql
case $(sudo sv status mysql || true) in
(''|run:*|*"s, normally up;"*)
sudo sv restart mysql
case $(sudo inotifywait -e create -- /run/mysqld/sock/) in
("/run/mysqld/sock/ CREATE mysql")
# NOTE:
- # - ajoute l'accès par socket Unix à root
+ # - ajoute l'accès par socket Unix à mysql
+ # - ajoute les droits de super-utilisateur à mysql
# - supprime l'accès par mot-de-passe à root
# - supprime les bases de données de l'utilisateurice anonyme
# - supprime l'utilisateurice anonyme
# DELETE FROM mysql.user WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1');
sudo mysql -u root --batch --verbose <<-EOF
DELETE FROM mysql.user WHERE user = 'root' and plugin = '';
- GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED WITH auth_socket;
- UPDATE mysql.user SET grant_priv='Y',super_priv='Y' WHERE user='root';
+ GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' IDENTIFIED WITH auth_socket;
+ UPDATE mysql.user SET grant_priv='Y',super_priv='Y' WHERE user='mysql';
DELETE FROM mysql.db WHERE user = '';
DELETE FROM mysql.user WHERE user = '';
FLUSH PRIVILEGES;
esac
}
rule_mysql_db_add () { # SYNTAX: $user $db
- sudo mysql --batch -u root <<-EOF
+ sudo -u mysql mysql --batch <<-EOF
DROP DATABASE IF EXISTS $db;
CREATE DATABASE $db CHARACTER SET utf8 COLLATE utf8_general_ci;
GRANT ALL PRIVILEGES ON $base.* TO '$user'@'localhost' IDENTIFIED WITH auth_socket;
EOF
}
rule_mysql_user_add () { # SYNTAX: $user
- sudo mysql --batch -u root <<-EOF
+ sudo mysql -u mysql --batch <<-EOF || true
DROP USER '$user'@'localhost';
+ EOF
+ sudo mysql -u mysql --batch <<-EOF
CREATE USER '$user'@'localhost' IDENTIFIED WITH auth_socket;
EOF
}
sudo service postfix restart
}
rule_postgresql_configure () {
+ # DOC: http://wiki.postgresql.org/wiki/Shared_Database_Hosting
rule apt_get_install postgresql-9.1
- if [ ! -d /var/lib/postgresql/9.1/ ]; then
- pg_createcluster -u postgres --start 9.1 main
- fi
- sudo install -m 660 -o root -g root \
- "$tool"/etc/postgresql/9.1/main/postgresql.conf \
- /etc/postgresql/9.1/main/postgresql.conf
- sudo service postgresql restart
+ rule adduser postgres \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/postgresql \
+ --shell /bin/false \
+ --system
+ rule adduser postgres-data \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/postgresql/data \
+ --no-create-home \
+ --shell /bin/false \
+ --system
+ sudo usermod --home /home/postgresql postgres
+ sudo adduser postgres postgres-data
+ sudo rm -rf \
+ /etc/postgresql
+ sudo install -d -m 750 -o postgres -g postgres \
+ /home/postgresql \
+ /home/postgresql/etc \
+ /etc/postgresql \
+ /etc/postgresql/9.1 \
+ /etc/postgresql/9.1/main
+ sudo ln -fns \
+ /etc/postgresql \
+ /home/postgresql/etc/postgresql
+ sudo install -d -m 751 -o postgres -g postgres \
+ /home/postgresql/log \
+ /home/postgresql/log/9.1
+ sudo service tmpfs restart
+ if sudo test ! -d /home/postgresql/data
+ then
+ sudo install -d -m 750 -o postgres -g postgres \
+ /home/postgresql/data
+ (
+ cd /
+ sudo -u postgres pg_createcluster \
+ --datadir=/home/postgresql/data \
+ --logfile=/home/postgresql/log/9.1/main \
+ --socketdir=/run/postgresql/sock \
+ --start 9.1 main
+ )
+ fi
+ sudo install -m 770 -o postgres -g postgres /dev/stdin \
+ /etc/postgresql/9.1/main/pg_hba.conf <<-EOF
+ local all postgres peer
+ local all all peer
+ EOF
+ sudo install -m 660 -o postgres -g postgres \
+ "$tool"/etc/postgresql/9.1/main/postgresql.conf \
+ /etc/postgresql/9.1/main/postgresql.conf
+ sudo insserv -r postgresql
+ case $(sudo sv status postgres || true) in
+ (''|run:*|*"s, normally up;"*)
+ sudo sv restart postgres
+ (
+ cd /
+ case $(sudo inotifywait -e create -- /run/postgresql/sock/) in
+ ("/run/postgresql/sock/ CREATE .s.PGSQL."*)
+ # NOTE:
+ # - supprime l'accès au schéma public depuis public,
+ # de sorte à ce que les différents utilisateurices
+ # ne voient pas leurs bases de données entre-elleux ;
+ # - ajoute le support de PL/PGSQL
+ sudo -u postgres psql template1 -f - <<-EOF
+ REVOKE ALL ON DATABASE template1 FROM public;
+ REVOKE ALL ON SCHEMA public FROM public;
+ GRANT ALL ON SCHEMA public TO postgres;
+ CREATE LANGUAGE plpgsql;
+ EOF
+ # NOTE:
+ # - supprime l'accès à la liste des bases données
+ # et utilisateurices depuis public.
+ sudo -u postgres psql template1 -f - <<-EOF
+ REVOKE ALL ON pg_auth_members FROM public;
+ REVOKE ALL ON pg_authid FROM public;
+ REVOKE ALL ON pg_database FROM public;
+ REVOKE ALL ON pg_group FROM public;
+ REVOKE ALL ON pg_roles FROM public;
+ REVOKE ALL ON pg_settings FROM public;
+ REVOKE ALL ON pg_tablespace FROM public;
+ REVOKE ALL ON pg_user FROM public;
+ EOF
+ ;;
+ esac
+ )
+ ;;
+ esac
+ }
+rule_postgresql_db_add () { # SYNTAX: $db $db_user
+ local db="$1" db_user="$2"
+ sudo -u postgresql psql template1 -f - <<-EOF
+ CREATE ROLE $db NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT NOLOGIN;
+ CREATE ROLE $db_user NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT LOGIN ENCRYPTED;
+ GRANT $db TO $db_user;
+ CREATE DATABASE $db WITH OWNER=$db_user;
+ REVOKE ALL ON DATABASE $db FROM public;
+ EOF
+ }
+rule_postgresql_db_user_add () { # SYNTAX: $db $user
+ local db="$1" user="$2"
+ sudo -u postgresql psql template1 -f - <<-EOF
+ CREATE ROLE $user NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT LOGIN ENCRYPTED;
+ GRANT USAGE ON SCHEMA public TO $user;
+ GRANT CONNECT,TEMPORARY ON DATABASE $db TO $user;
+ GRANT $db TO $user;
+ EOF
}
rule_openerp_configure () {
sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
dépôts / lhc / ateliers.git / blobdiff