The securemysql Script
Valid for versions 82 through the latest version
Version:
82
Last modified: June 3, 2024
Looking for this interface?
Your hosting provider can enable or disable this interface for resellers in WHM's Edit Reseller Nameservers and Privileges interface (WHM >> Home >> Resellers >> Edit Reseller Nameservers and Privileges).
Overview
The /usr/local/cpanel/scripts/securemysql
script secures a cPanel account’s MySQL® configuration. To do this, the script performs the following actions:
-
Confirms that MySQL’s
root
password exists. -
Changes the
var/db/mysql
andvar/lib/mysql
directories’ ownership to themysql
user. -
Removes the
anonymous
and remoteroot
users. -
Removes the test database.
-
Removes the database’s
LOCK TABLES
andTMP TABLES
privileges.
To undo any changes that this script performs, create the /etc/securemysqldisable
touch file.
Run the script
To use this script, run the following command as the root user:
/usr/local/cpanel/scripts/securemysql [arguments] [actions]
Arguments
The /usr/local/cpanel/scripts/securemysql
script accepts the following arguments:
-
-a
— Specify additional actions in a comma-separated list. For example:-a removeanon, removeremoteroot
Note:To perform all actions on a MySQL database, pass the
-a
argument without any additional actions. -
-F
— Execute the script and do not display the help text. -
-h
— Display the help message. -
-q
— Execute the script in silent mode.
Actions
You can specify any of the following options in a comma-separated list with the -a
argument:
-
chowndatadir
— Change the MySQL data directory owner to themysql
user. -
removeanon
— Remove any anonymous MySQL users. -
removehordeallhosts
— Remove insecure Horde login credentials and privileges.Note:cPanel & WHM uses SQLite databases to store MySQL user data instead of Horde databases.
-
removehordeblankpass
— Remove Horde database users that possess blank login passwords.Note:cPanel & WHM uses SQLite databases to store MySQL user data instead of Horde databases.
-
removelockntmp
— Remove globalLOCK TABLES
permissions and createTMP TABLES
privileges. -
removepublicgrants
— Remove default privileges for MariaDB users.Note:In MariaDB 10.11 and later, MariaDB automatically creates a
test
database and grants users all privileges for it and any database whose name starts withtest_
. This action removes these privileges, preventing potential security concerns. -
removeremoteroot
— Remove remoteroot
user login privileges. -
removetestdb
— Remove test database.