Web Apps with Tiger: Security and MySQL
Installing MySQL, the Database Server
Most popular web apps require some sort of database back end, and there are two major open source players: MySQL ("My Ess-Que-Ell") and PostgreSQL ("Postgres Que-Ell"). Which one is "best" is as embroiled a flame war as any other. Some applications work only with MySQL, some only PostgreSQL, some both, some in between. The ones we'll be exploring throughout this series are generally tested and developed with MySQL, and the popular web acronym "LAMP," or "Linux + Apache + MySQL + PHP/Perl/Python," asserts MySQL's popularity.
At the time of this writing, the recommended version of MySQL is 4.1.13. Head on over to their download pages, scroll nearly all the way to the bottom, and choose the "Standard" version of the "Installer package (Mac OS X v10.4)." The "Debug" and "Max" versions are special builds that aren't necessary for our needs. Once the .dmg has finished downloading, mount it as usual and double-click the .pkg that reads "mysql-standard-4.1.13-" blah-blah-blah.
Once this .pkg is finished, you'll have a complete MySQL installation in /usr/local/mysql. Next, double-click the other .pkg in the archive: the MySQLStartupItem. This, oddly, ensures that MySQL will load every time your machine restarts. Nothing too exciting for that install either, which leaves us with the MySQL.prefPane. This Preference Pane gives us a cute little GUI to start-and-stop MySQL manually, which is something we'll rarely need to do. To install for just your user, drag it into ~/Library/PreferencePanes; for every user on your machine, use /Library/PreferencePanes.
Tweaking the Shell and Securing MySQL
The easy part is finished: MySQL is installed. Now we have to worry about our environment--imagine me waving my hands emphatically at the empty air around me. We're going to fiddle with our shell $PATH, which'll allow us to refer to our newly-installed programs as just mysql or mysql_secure_installation instead of the much more laborious /usr/local/mysql/bin/mysql.
How to do this depends on which shell you're using. The default OS X shell is tcsh and its configuration lies in ~/.tcshrc. On the other hand, if you've told Terminal to use bash instead, config tweaks go into ~/.bash_profile. Open (or create) the file that corresponds to your shell.
For tcsh, add the following to ~/.tcshrc:
setenv PATH ${PATH}:/usr/local/mysql/bin
For bash, add the following to ~/.bash_profile:
PATH="$PATH:/usr/local/mysql/bin/"
Restart Terminal (so that the above changes will take effect) and run the following command: mysql_secure_installation. If everything has gone as intended, a new utility should start (as opposed to an error message about "command not found"). This utility leads us into our conclusion of this part of our series: securing MySQL. The loud intro admonishes:
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
But, honestly, this is a healthy step to use for any MySQL server, whether you're merely setting up a dev box or maintaining a database-driven list of all your "romance" movies. ("Research! I swear!") Thankfully, this script is more than happy to hold your hand throughout the process, and you can follow along with the desired answers and expected output below--I've bolded the places where your input is required.
In order to log into MySQL to secure it, we'll need the current password for the root user. If you've just installed MySQL, and you haven't set the root password yet, the password will be blank, so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL root user without the proper authorization.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MySQL installation has an anonymous user, allowing anyone to log into MySQL without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from "localhost." This ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MySQL comes with a database named "test" that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MySQL installation should now be secure.
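To confirm the script's answers actually took, here is an added example (not part of the original article or of MySQL itself) that audits the account list for the three things the prompts above address: anonymous users, blank passwords, and root reachable from anywhere but localhost. It assumes the mysql.user layout of the MySQL 4.1/5.x releases discussed on this page, with a Password column; the function names, the hostname "tiger.local" and the sample rows are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the article). Feed it the tab-separated output of:
#   mysql -u root -p -N -B -e "SELECT User, Host, Password FROM mysql.user"
# Assumes the grant-table layout of the MySQL 4.1/5.x releases named on this
# page, where mysql.user has a Password column.

# Print one finding per line; return non-zero if anything was found.
audit_mysql_users() {
    awk -F '\t' '
        $1 == "" { print "anonymous account: (any user)@" $2; bad = 1 }
        $3 == "" { print "empty password: " ($1 == "" ? "(any user)" : $1) "@" $2; bad = 1 }
        $1 == "root" && $2 != "localhost" {
            print "root allowed from non-local host: root@" $2; bad = 1
        }
        END { exit bad }
    '
}

# Return 0 if a database named "test" appears in `SHOW DATABASES` output.
has_test_db() {
    grep -qx 'test'
}

# Constructed sample: accounts as an unsecured install might list them
# ("tiger.local" is a made-up hostname).
sample_fresh() {
    printf 'root\tlocalhost\t\n'
    printf 'root\ttiger.local\t\n'
    printf '\tlocalhost\t\n'
    printf '\ttiger.local\t\n'
}

# Constructed sample: accounts after answering "y" to every prompt
# (the hash is a placeholder, not a real value).
sample_secured() {
    printf 'root\tlocalhost\t*PLACEHOLDER_HASH\n'
}

sample_fresh | audit_mysql_users || echo "unsecured sample: findings listed above"
sample_secured | audit_mysql_users && echo "secured sample: no findings"
```

Against a live server, pipe the query from the header comment into audit_mysql_users, and pipe `mysql -u root -p -N -B -e "SHOW DATABASES"` into has_test_db.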
Grrr... I Wanna Do Sumthin'-Sumthin'!
Sadly, you'll have to wait until the next installment before we get our hands dirty with a real-life, honest-to-goodness web application. These first two articles have focused on the foundation of a production-ready web server, with an eye toward battening down the hatches of PHP and MySQL. And, as the tired cliche goes, it is only with a good and strong foundation that we can build something magical. As before, if you have specific web applications or features you'd like to see covered in this series, or questions about the tweaking of MySQL and PHP, don't hesitate to leave a comment below.
Kevin Hemenway is the coauthor of Mac OS X Hacks, author of Spidering Hacks, and the alter ego of the pervasively strange Morbus Iff, creator of disobey.com, which bills itself as "content for the discontented."
-
a little more bluntly for noobs would be appreciated . . .
2009-08-02 15:12:11 gentooq [Reply | View]
-
What version for Intel Macs
2006-10-30 07:31:53 pgflrob [Reply | View]
What version of MySQL is best for Intel Macs?
-
Can not start MySQL
2006-04-11 16:53:55 jsamayoa [Reply | View]
Hello,
Can someone help me. I recently downloaded and installed mysql-standard-5.0.19-osx10.4-powerpc. However, I can not seem to get it to start. I tried restarting as well as the
sudo /Library/StartupItems/MySQLCOM/MySQLCOM start
MySQL still won't start.
What else can I try?
Thanks
-
password update failed ... Why ?
2006-02-05 09:08:28 beel [Reply | View]
Trying to change the root password gives this answer:
---
/usr/local/mysql-standard-4.1.15-apple-darwin8.2.0-powerpc-64bit/bin/mysql_secure_installation: line 33: mysql: command not found
Password update failed!
---
Any idea of what is happening?
(MySQL was running when I tried this)
-
password update failed ... Why ?
2006-06-09 07:58:18 pdschmidt [Reply | View]
I had the same error. I'm running Tiger, and didn't see a tcshrc file, but I did change;
/private/etc/csh.login
so now it looks like -
# System-wide .login file for csh(1).
setenv PATH "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/mysql/bin"
so a command will look in the mysql bin last, and everything worked.
-
Can't connect to local MySQL server through socket
2005-11-24 13:03:51 anne001 [Reply | View]
I have the latest Tiger installed. 10.4.3
I followed the instructions in the tutorial (4.1.15) but
mysql_secure_installation
gives an error
Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)
and it returns to asking for a password.
the various emails talk about a file my.cnf and setting a path.
-
Can't connect to local MySQL server through socket
2005-11-25 05:05:17 anne001 [Reply | View]
http://docs.info.apple.com/article.html?artnum=301457
solution 1 did not work for me.
solution 2 did not work for me, even with
sudo apachectl restart to get the changes in php.ini to take.
and there is no /var/mysql folder.
-
Can't connect to local MySQL server through socket
2005-11-25 05:11:16 Kevin Hemenway |
[Reply | View]
Are you sure the MySQL server is actually started? Check the MySQL System Preference that was installed - if the server isn't started, then you'll receive this error message.
-
Can't connect to local MySQL server through socket
2005-11-26 08:33:35 anne001 [Reply | View]
This is strange. This morning it works. Turning off the computer and rebooting fixed something!
-
Can't connect to local MySQL server through socket
2005-11-26 13:25:39 Kevin Hemenway |
[Reply | View]
Yes, since you probably installed the MySQL Startup item, per my instructions, when you rebooted your machine, MySQL started up with everything else. The error before was because MySQL was not actually started per the System Preference.
-
Need Help Please!
2005-11-16 14:10:38 PeterBates [Reply | View]
During the mysql_secure_installation, I get the following error upon entering current password for root (pressing enter for none):
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/mysql/mysql.sock' (2)
Then it just asks for the root password again, (there is not one). This is a fresh install of mysql 4.1.15 on Mac OS 10.4.3 Server, (also fresh install). MySQL is running. What am I doing wrong?
-
Need Help Please!
2005-11-16 20:53:47 Kevin Hemenway |
[Reply | View]
MySQL already comes with OS X Server - my articles are focused on non-Server environments. There's a good chance that you're accessing the default Server MySQL, and not the fresh install you've made. If you go to Applications/Server/MySQL Manager, you should be able to fiddle with the default one built into OS X Server. I can't, however, give you further guidance: I've never touched Server, and my articles will continue to be non-Server based.
-
Is this webobjects?
2005-09-06 06:19:12 hauk [Reply | View]
I thought I was going to read an interesting article about apple's webobject (JAVA) framework. Instead I get to read yet another boring 101 article about LAMP minus the L.






Some background:
I read a post somewhere that said "For the obsessively observant, you will notice I am running the tcsh shell." I had no idea what he was talking about, and I am obsessively observant.
So my first pointer is, figure out what shell you are using. I looked around to see if there were an easy way to differentiate. There probably is, but I could not find it. Since I could not find such a method, I decided to ask . . .
scott-penguindreams-us:~ gentoo$ ?
bash: ?: command not found
[scott-penguindreams-us:~] gentoo% ?
tcsh: ?: No match.
by typing a literal question mark (?) at the default prompt and hitting the return. I thought I might get some kind of Help output. As you can see above, what I got was equally useful.
On to the specifics . . . in order to get this good script to run, you must start MySQL. In order to do this, you must assume root. The easiest way to assume root is to type "sudo echo" (without the quotes) at the prompt in Terminal. You will be asked for your root user password. (If you have used root or don't know what I am talking about, here's the word from the horse's mouth - http://support.apple.com/kb/HT1528.)
Because success does not have any overt indicators, here's two examples:
FAILURE
[scott-penguindreams-us:~] gentoo% sudo echo
Password:
Sorry, try again.
Password:
sudo: 1 incorrect password attempt
[scott-penguindreams-us:~] gentoo%
SUCCESS
[scott-penguindreams-us:~] gentoo% sudo echo
Password:
[scott-penguindreams-us:~] gentoo%
There are two ways to start MySQL - the long "I type the path every time" way, and the shorter "I type 'mysql' every time" way. It is your preference as to which you will use, but here are both methods.
Go to the MySQL directory and tell it to run
[scott-penguindreams-us:~] gentoo% cd /usr/local/mysql/bin
[scott-penguindreams-us:local/mysql/bin] gentoo% mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.1.36 MySQL Community Server (GPL)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
OR
Just type "mysql" at any Terminal prompt you are at
[scott-penguindreams-us:local/mysql/bin] gentoo% mysql
tcsh: mysql: Command not found.
[scott-penguindreams-us:local/mysql/bin] gentoo%
I did that one on purpose because I am sure that there are a number of folks out there who have done this already (just like I did the first 10 or 15 times . . . I learn some things slowly). For all of their prowess, computers are still like children . . . you must tell them what you expect them to do when you yell short commands at them. This is where knowing which shell you are in comes in handy.
There are two possibilities for telling your computer what the short command 'mysql' should do, and the one you should use is shell-dependent. They are:
For bash
echo 'export PATH=/usr/local/mysql/bin:$PATH' >> ~/.bash_profile
For tcsh
echo 'setenv PATH /usr/local/mysql/bin:$PATH' >> ~/.tcshrc
Once you have committed this minor act of magic, you may be brief to your heart's content:
[scott-penguindreams-us:local/mysql/bin] gentoo% mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.1.36 MySQL Community Server (GPL)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
Now, the coup de grace on this "comment" (I admit it was long, but hopefully helpful to someone). . .
mysql> system mysql_secure_installation;
and you are off to the races with the original post. If you follow the recommendations (and I echo the original writer's exhortations that you should), then every subsequent start of MySQL will require credentials, as shown below:
[scott-penguindreams-us:~] gentoo% mysql
ERROR 1045 (28000): Access denied for user 'gentoo'@'localhost' (using password: NO)
[scott-penguindreams-us:~] gentoo% mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.1.36 MySQL Community Server (GPL)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>