Last modified: February 22, 2024

Overview

The /usr/local/cpanel/scripts/securemysql script secures a cPanel account’s MySQL® configuration. To do this, the script performs the following actions:

• Confirms that MySQL’s root password exists.

• Changes the var/db/mysql and var/lib/mysql directories’ ownership to the mysql user.

• Removes the anonymous and remote root users.

• Removes the test database.

• Removes the database’s LOCK TABLES and TMP TABLES privileges.

To undo any changes that this script performs, create the /etc/securemysqldisable touch file.

Run the script

To use this script, run the following command as the root user:

/usr/local/cpanel/scripts/securemysql [arguments] [actions]

Arguments

The /usr/local/cpanel/scripts/securemysql script accepts the following arguments:

• -a — Specify additional actions in a comma-separated list. For example:

  -a removeanon, removeremoteroot

  Note:

  To perform all actions on a MySQL database, pass the -a argument without any additional actions.

  For a list of additional actions, view the Actions section below.

• -F — Execute the script and do not display the help text.

• -h — Display the help message.

• -q — Execute the script in silent mode.

Actions

You can specify any of the following options in a comma-separated list with the -a argument:

• removeanon —Remove any anonymous MySQL users.

• removetestdb — Remove test database.

• removelockntmp — Remove global LOCK TABLES permissions and create TMP TABLES privileges.

• removeremoteroot — Remove remote root user login privileges.

• removehordeallhosts — Remove insecure Horde login credentials and privileges.

  Note:

  cPanel & WHM uses SQLite databases to store MySQL user data instead of Horde databases.

• removehordeblankpass — Remove Horde database users that possess blank login passwords.

  Note:

  cPanel & WHM uses SQLite databases to store MySQL user data instead of Horde databases.