From f9ba7dd1602369f2e919736402c80bbe6eb06d8a Mon Sep 17 00:00:00 2001
From: Julien Moutinho
Date: Fri, 29 Mar 2013 14:34:48 +0100
Subject: [PATCH] =?utf8?q?Correction=20:=20vm=5Fhosted=20:=20rule=5Fmysql?=
 =?utf8?q?=5Fconfigure=20:=20s=C3=A9curise.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

---
 TODO | 3 ++
 etc/mysql/my.cnf | 85 +++++++++++++++++++++++++++---------------------
 etc/sv/mysql/run | 2 +-
 vm_hosted | 50 ++++++++++++++++++++++++----
 4 files changed, 96 insertions(+), 44 deletions(-)

diff --git a/TODO b/TODO
index db25539..e973feb 100644
--- a/TODO
+++ b/TODO
@@ -15,3 +15,6 @@
 - sympa
 - openerp : runit + squelette
 - gitolite : rationalisation des adresses de notification dans hooks.mailinglist
+- ansible ?
+- varnish ?
+- gitolite : gérer les anciens dépôts
diff --git a/etc/mysql/my.cnf b/etc/mysql/my.cnf
index 8fa1de4..fb1b3cb 100644
--- a/etc/mysql/my.cnf
+++ b/etc/mysql/my.cnf
@@ -1,51 +1,62 @@ [client] -port = 3306 -socket = /run/mysqld/sock/mysql +local-infile = 0 +port = 3306 +socket = /run/mysqld/sock/mysql [mysqld_safe] -nice = 0 -socket = /run/mysqld/sock/mysql +nice = 0 +socket = /run/mysqld/sock/mysql [mysqld] # chroot = /var/lib/mysql/ # ssl-ca=/etc/mysql/cacert.pem # ssl-cert=/etc/mysql/server-cert.pem # ssl-key=/etc/mysql/server-key.pem -basedir = /usr -bind-address = 127.0.0.1 -#binlog_do_db = include_database_name -#binlog_ignore_db = include_database_name -datadir = /home/mysql -expire_logs_days = 10 -#general_log = 1 -#general_log_file = /var/log/mysql/mysql.log -key_buffer = 16M -lc-messages-dir = /usr/share/mysql -#log-queries-not-using-indexes -#log_bin = /var/log/mysql/mysql-bin.log -#log_slow_queries = /var/log/mysql/mysql-slow.log -#long_query_time = 2 -max_allowed_packet = 16M -max_binlog_size = 100M -#max_connections = 100 -myisam-recover = BACKUP -#pid-file = /run/mysqld/pid/mysql -port = 3306 -query_cache_limit = 1M -query_cache_size = 16M -#server-id = 1 +basedir = /usr +bind-address = 127.0.0.1 +# binlog_do_db = include_database_name +# binlog_ignore_db = include_database_name +datadir = /home/mysql +expire_logs_days = 10 +# general_log = 1 +# general_log_file = /var/log/mysql/mysql.log +key_buffer = 16M +lc-messages-dir = /usr/share/mysql +local-infile = 0 + # NOTE: disable the use of the "LOAD DATA LOCAL INFILE" command, + # which will help to prevent unauthorized reading from local files. + # This is especially important when new SQL injection vulnerabilities + # in PHP applications are found. 
+# log-queries-not-using-indexes +# log_bin = /var/log/mysql/mysql-bin.log +# log_slow_queries = /var/log/mysql/mysql-slow.log +# long_query_time = 2 +max_allowed_packet = 16M +max_binlog_size = 100M +# max_connections = 100 +myisam-recover = BACKUP +# pid-file = /run/mysqld.pid +plugin-load = auth_socket=auth_socket.so +port = 3306 +query_cache_limit = 1M +query_cache_size = 16M +# server-id = 1 skip-external-locking -#socket = /run/mysqld/sock/mysql -#table_cache = 64 -thread_cache_size = 8 -#thread_concurrency = 10 -thread_stack = 192K -tmpdir = /tmp -user = mysql +skip-networking +skip-show-database +# socket = /run/mysqld/sock/mysql +# table_cache = 64 +thread_cache_size = 8 +# thread_concurrency = 10 +thread_stack = 192K +tmpdir = /tmp +user = mysql [mysqldump] -max_allowed_packet = 16M +max_allowed_packet = 16M quick quote-names [mysql] -#no-auto-rehash # faster start of mysql but no tab completition +# no-auto-rehash # NOTE: faster start of mysql but no tab completition [isamchk] -key_buffer = 16M +key_buffer = 16M !includedir /etc/mysql/conf.d/ + +# vim: ft=conf diff --git a/etc/sv/mysql/run b/etc/sv/mysql/run index fdaad1a..6a4b625 100755 --- a/etc/sv/mysql/run +++ b/etc/sv/mysql/run @@ -6,7 +6,7 @@ exec /usr/bin/chpst \ -u "$sv":"$sv" \ /usr/sbin/mysqld \ --basedir=/usr \ - --datadir=$home \ + --datadir=$home/data \ --plugin-dir=/usr/lib/mysql/plugin \ --port=3306 \ --socket=/run/mysqld/sock/"$sv" \ diff --git a/vm_hosted b/vm_hosted index 134b539..806face 100755 --- a/vm_hosted +++ b/vm_hosted 
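Review bot: `datadir = /home/mysql` under `[mysqld]` now disagrees with the rest of this commit, which starts the server with `--datadir=$home/data` (etc/sv/mysql/run) and initialises it with `--datadir=/home/mysql/data` (vm_hosted); the command-line option wins under runit, but anything that starts mysqld from the option file alone (the `[mysqld_safe]` section is still kept here) would open the parent directory, so change the line to `datadir = /home/mysql/data`. With `skip-networking` added, `bind-address = 127.0.0.1`, `port = 3306` and the `[client] port` no longer have any effect; keeping them is harmless, but a one-line `# NOTE: skip-networking disables TCP entirely; only the Unix socket is served` above it would save the next reader a check. The four NOTE lines under `local-infile = 0` are indented by one space while every other comment in the file starts in column 0; the MySQL option parser tolerates leading whitespace before `#`, but start them at column 0 for consistency. The same commit relaxes the installed copy of this file from mode 640 to 644, which is fine while it holds no credentials — worth stating in a header comment so nobody later adds a `[client]` password to a world-readable file.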
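Review bot: `--datadir=$home/data` stays unquoted while `"$sv"` on the neighbouring `-u` and `--socket` lines is quoted; `$home` is assigned outside the hunk so I cannot tell whether it can contain whitespace, but `--datadir="$home"/data` matches the file's own style and costs nothing. The `exec /usr/bin/chpst` command this argument belongs to begins before the hunk.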
@@ -717,28 +717,66 @@ rule_mysql_configure () { --disabled-password \ --group \ --home /home/mysql/data \ + --no-create-home \ --shell /bin/false \ --system sudo usermod --home /home/mysql mysql sudo adduser mysql mysql-data - sudo install -m 640 -o mysql -g mysql \ + sudo install -m 644 -o mysql -g mysql \ "$tool"/etc/mysql/my.cnf \ /etc/mysql/my.cnf sudo install -d -m 751 -o mysql -g mysql \ /home/mysql - sudo install -d -m 750 -o mysql-data -g mysql-data \ - /home/mysql/data - if test ! -d /home/mysql/data + if sudo test ! -d /home/mysql/data then + sudo install -d -m 750 -o mysql -g mysql-data \ + /home/mysql/data sudo -u mysql mysql_install_db \ --no-defaults \ --datadir=/home/mysql/data fi sudo service tmpfs restart case $(sudo sv status mysql || true) in - (run:*) sudo sv restart mysql + (''|run:*|*"s, normally up;"*) + sudo sv restart mysql + case $(sudo inotifywait -e create -- /run/mysqld/sock/) in + ("/run/mysqld/sock/ CREATE mysql") + # NOTE: + # - ajoute l'accès par socket Unix à root + # - supprime l'accès par mot-de-passe à root + # - supprime les bases de données de l'utilisateurice anonyme + # - supprime l'utilisateurice anonyme + # NOTE: mémo : + # GRANT USAGE ON *.* TO 'root'@'*' IDENTIFIED WITH auth_socket; + # CREATE USER 'root'@'localhost' IDENTIFIED WITH auth_socket; + # UPDATE mysql.user SET Password='' WHERE user='root'; + # DELETE FROM mysql.user WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1'); + sudo mysql -u root --batch --verbose <<-EOF + DELETE FROM mysql.user WHERE user = 'root' and plugin = ''; + GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED WITH auth_socket; + UPDATE mysql.user SET grant_priv='Y',super_priv='Y' WHERE user='root'; + DELETE FROM mysql.db WHERE user = ''; + DELETE FROM mysql.user WHERE user = ''; + FLUSH PRIVILEGES; + EOF + ;; + esac esac } +rule_mysql_db_add () { # SYNTAX: $user $db + sudo mysql --batch -u root <<-EOF + DROP DATABASE IF EXISTS $db; + CREATE DATABASE $db CHARACTER 
SET utf8 COLLATE utf8_general_ci; + GRANT ALL PRIVILEGES ON $base.* TO '$user'@'localhost' IDENTIFIED WITH auth_socket; + FLUSH PRIVILEGES; + EOF + } +rule_mysql_user_add () { # SYNTAX: $user + sudo mysql --batch -u root <<-EOF + DROP USER '$user'@'localhost'; + CREATE USER '$user'@'localhost' IDENTIFIED WITH auth_socket; + EOF + } rule_network_configure () { sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF $vm @@ -1137,7 +1175,7 @@ rule_procmail_configure () { "$tool"/etc/skel/etc/mail/delivery.procmailrc \ /etc/skel/etc/mail/delivery.procmailrc } -rule_runit_configure () { +rule_runit_configure () { # SYNTAX: $service rule apt_get_install runit local -; set +f for sv in ${1-/etc/service/*} -- 2.20.1
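Review bot: `rule_mysql_db_add` grants on `$base.*` but creates `$db`, and `$base` is set nowhere in the hunk; unless it is a global defined elsewhere the statement expands to `ON .*`, the mysql client stops at that error (no `--force`) and the rule ends with the database dropped and recreated but no grant — the line should read `GRANT ALL PRIVILEGES ON $db.* TO '$user'@'localhost' IDENTIFIED WITH auth_socket;`. `rule_mysql_user_add` runs `DROP USER` before `CREATE USER`, so on a host where the account does not exist yet the first statement fails and CREATE USER is never reached, and on later runs it discards every grant `rule_mysql_db_add` made; a single `GRANT USAGE ... IDENTIFIED WITH auth_socket` (the idiom the memo comment above already relies on to recreate root) creates the account when missing and is safe to re-run. `DROP DATABASE IF EXISTS $db` in an add rule also destroys existing data on every re-run — confirm that is intended. In rule_mysql_configure the `inotifywait -e create` watch is only started after `sudo sv restart mysql` and has no `-t`, so if mysqld creates the socket before the watch exists nothing is ever matched and the rule blocks forever; start the watch before the restart or replace it with a bounded `sudo test -S /run/mysqld/sock/mysql` retry loop. rule_mysql_configure begins before the hunk and rule_network_configure continues after it.
```shell
rule_mysql_user_add () { # SYNTAX: $user
	# GRANT USAGE creates the account when it is missing and can be re-run;
	# DROP USER before CREATE USER failed on a fresh host and dropped grants on re-runs.
	sudo mysql --batch -u root <<-EOF
		GRANT USAGE ON *.* TO '$user'@'localhost' IDENTIFIED WITH auth_socket;
		FLUSH PRIVILEGES;
	EOF
 }
```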
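Review bot: The new comment `# SYNTAX: $service` on rule_runit_configure names a variable the function never reads; the context line `for sv in ${1-/etc/service/*}` shows it takes an optional first positional argument, so the comment should say `# SYNTAX: [$1]` (or whatever convention this file uses for positional arguments, since the other rules' SYNTAX comments list globals such as `$user $db`) to avoid a caller setting `service=` to no effect. If the intent is that callers pass the service as an argument, say so explicitly. The function body continues past the hunk.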