The securemysql Script

Valid for versions 82 through the latest version

Last modified: June 3, 2024


Overview

The /usr/local/cpanel/scripts/securemysql script secures a cPanel account’s MySQL® configuration. To do this, the script performs the following actions:

  • Confirms that MySQL’s root password exists.

  • Changes the /var/db/mysql and /var/lib/mysql directories’ ownership to the mysql user.

  • Removes the anonymous and remote root users.

  • Removes the test database.

  • Removes the database’s LOCK TABLES and TMP TABLES privileges.

To undo any changes that this script performs, create the /etc/securemysqldisable touch file.

Run the script

To use this script, run the following command as the root user:

/usr/local/cpanel/scripts/securemysql [arguments] [actions]

Arguments

The /usr/local/cpanel/scripts/securemysql script accepts the following arguments:

  • -a — Specify additional actions in a comma-separated list. For example:

    -a removeanon,removeremoteroot

    Note:

    To perform all actions on a MySQL database, pass the -a argument without any additional actions.

    For a list of additional actions, view the Actions section below.

  • -F — Execute the script and do not display the help text.

  • -h — Display the help message.

  • -q — Execute the script in silent mode.

Actions

You can specify any of the following options in a comma-separated list with the -a argument:

  • chowndatadir — Change the MySQL data directory owner to the mysql user.

  • removeanon — Remove any anonymous MySQL users.

  • removehordeallhosts — Remove insecure Horde login credentials and privileges.

    Note:

    cPanel & WHM uses SQLite databases to store MySQL user data instead of Horde databases.

  • removehordeblankpass — Remove Horde database users that possess blank login passwords.

    Note:

    cPanel & WHM uses SQLite databases to store MySQL user data instead of Horde databases.

  • removelockntmp — Remove the global LOCK TABLES and CREATE TMP TABLES privileges.

  • removepublicgrants — Remove default privileges for MariaDB users.

    Note:

    In MariaDB 10.11 and later, MariaDB automatically creates a test database and grants users all privileges for it and any database whose name starts with test_. This action removes these privileges, preventing potential security concerns.

  • removeremoteroot — Remove remote root user login privileges.

  • removetestdb — Remove the test database.
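
As an added example (not part of cPanel's documentation or of the securemysql script), the following shell function reads rows exported with the mysql client and reports which of the actions above would still change something on the server. The tagged row format, the queries named in the comments, the function names, and the rules marked as assumptions are choices made for this example.

```shell
#!/bin/sh
# Added example, not cPanel code. Input: tagged, tab-separated rows from the
# mysql client (-N -B), using these assumed queries:
#   SELECT 'user', User, Host, Lock_tables_priv, Create_tmp_table_priv FROM mysql.user;
#   SELECT 'db', Db, User FROM mysql.db;
#   SELECT 'schema', schema_name FROM information_schema.schemata;
# Output: a comma-separated action list suitable for the -a argument.
needed_actions() {
  awk -F'\t' '
    $1 == "user" {
      if ($2 == "") need["removeanon"] = 1
      # Assumption: only these three hosts count as local root logins.
      if ($2 == "root" && $3 != "localhost" && $3 != "127.0.0.1" && $3 != "::1") need["removeremoteroot"] = 1
      # Assumption: a global grant held by any non-root account is flagged.
      if ($2 != "root" && ($4 == "Y" || $5 == "Y")) need["removelockntmp"] = 1
    }
    $1 == "schema" && $2 == "test" { need["removetestdb"] = 1 }
    # Assumption: default test grants show an empty or PUBLIC user; the
    # backslash before "_" may be doubled by batch-mode escaping.
    $1 == "db" && ($2 == "test" || $2 ~ /^test\\+_/) && ($3 == "" || $3 == "PUBLIC") { need["removepublicgrants"] = 1 }
    END {
      n = split("removeanon removeremoteroot removetestdb removepublicgrants removelockntmp", order, " ")
      for (i = 1; i <= n; i++) if (order[i] in need) out = out (out == "" ? "" : ",") order[i]
      print out
    }'
}

# Constructed sample rows, not captured from a real server.
sample_rows() {
  printf 'user\troot\tlocalhost\tY\tY\n'
  printf 'user\troot\t%%\tY\tY\n'
  printf 'user\t\tlocalhost\tN\tN\n'
  printf 'user\tappuser\tlocalhost\tY\tN\n'
  printf 'schema\ttest\n'
  printf 'schema\tshop\n'
  printf 'db\ttest\\_%%\tPUBLIC\n'
}

sample_rows | needed_actions
```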
