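To store sensor data collected with an ESP32, I am planning to install MariaDB on a Raspberry Pi and save the data there. It has been a while since I last installed MariaDB (the same applies to MySQL), so I am noting down the security measures to take right after installation.
STEP1: Installation
MariaDB can be installed from the menu of the Raspberry Pi GUI. Open
Preferences > Add/Remove Software
search for "Mariadb", and check
MariaDB database client(metapackage depending on the latest version)
MariaDB database server(metapackage depending on the latest version)
to install the server and client binaries.
Right after installation you can confirm that the server is already running. (The hostname has been changed to iotserver.)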
pi@iotserver:~ $ systemctl status mariadb.service
* mariadb.service - MariaDB 10.3.23 database server
Loaded: loaded (/lib/systemd/system/mariadb.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2020-08-17 13:01:03 JST; 1h 41min ago
Docs: man:mysqld(8)
https://mariadb.com/kb/en/library/systemd/
Main PID: 2268 (mysqld)
Status: "Taking your SQL requests now..."
Tasks: 30 (limit: 2065)
CGroup: /system.slice/mariadb.service
`-2268 /usr/sbin/mysqld
8 17 13:01:06 iotserver /etc/mysql/debian-start[2306]: Phase 6/7: Checking and upgrading tables
8 17 13:01:06 iotserver /etc/mysql/debian-start[2306]: Running 'mysqlcheck' with connection arguments: --socket='/var/run/mysqld/mysqld.sock' --host='localhost' --socket='/var/run/mysqld/mysqld.sock' --host='
8 17 13:01:06 iotserver /etc/mysql/debian-start[2306]: # Connecting to localhost...
8 17 13:01:06 iotserver /etc/mysql/debian-start[2306]: # Disconnecting from localhost...
8 17 13:01:06 iotserver /etc/mysql/debian-start[2306]: Processing databases
8 17 13:01:06 iotserver /etc/mysql/debian-start[2306]: information_schema
8 17 13:01:06 iotserver /etc/mysql/debian-start[2306]: performance_schema
8 17 13:01:06 iotserver /etc/mysql/debian-start[2306]: Phase 7/7: Running 'FLUSH PRIVILEGES'
8 17 13:01:06 iotserver /etc/mysql/debian-start[2306]: OK
8 17 13:01:06 iotserver /etc/mysql/debian-start[2362]: Triggering myisam-recover for all MyISAM tables and aria-recover for all Aria tables
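STEP2: What to do right after installation
As is often described on other sites, run
pi@iotserver:~ $ sudo /usr/bin/mysql_secure_installation
to set a password for root. (Apart from entering the new root password, you can press Enter at every prompt.)
In this state, however,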
pi@iotserver:~ $ mariadb
ERROR 1698 (28000): Access denied for user 'pi'@'localhost'
pi@iotserver:~ $ mariadb -u root -p
Enter password:
ERROR 1698 (28000): Access denied for user 'root'@'localhost'
pi@iotserver:~ $ sudo mariadb
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 63
Server version: 10.3.23-MariaDB-0+deb10u1 Raspbian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
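root can still log in without a password, as shown above. This is because the unix_socket authentication plugin is used to authenticate root: it accepts a local socket connection from the OS user of the same name, which is why only sudo mariadb succeeds.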
MariaDB [(none)]> use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [mysql]> select host,user,password,plugin from user;
+-----------+------+-------------------------------------------+-------------+
| host | user | password | plugin |
+-----------+------+-------------------------------------------+-------------+
| localhost | root | *A764549B3367FB60049727C812C20114B39D834E | unix_socket |
+-----------+------+-------------------------------------------+-------------+
1 row in set (0.001 sec)
The following SQL command disables the plugin.
MariaDB [mysql]> update user set plugin='' where user='root';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1 Changed: 1 Warnings: 0
MariaDB [mysql]> select host,user,password,plugin from user;
+-----------+------+-------------------------------------------+--------+
| host | user | password | plugin |
+-----------+------+-------------------------------------------+--------+
| localhost | root | *A764549B3367FB60049727C812C20114B39D834E | |
+-----------+------+-------------------------------------------+--------+
1 row in set (0.001 sec)
MariaDB [mysql]> flush privileges;
Query OK, 0 rows affected (0.001 sec)
A password is now required to log in as root.
pi@iotserver:~ $ sudo mariadb
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
pi@iotserver:~ $ mariadb -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 69
Server version: 10.3.23-MariaDB-0+deb10u1 Raspbian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>quit
pi@iotserver:~ $ sudo mariadb -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 72
Server version: 10.3.23-MariaDB-0+deb10u1 Raspbian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
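A check for the result of the steps above, as an added example that is not part of the original post: it classifies each row of the same host,user,password,plugin query, so that an account left with both an empty plugin and an empty password hash is caught after the plugin is cleared. The function names and the sample rows are assumptions made for this example; on the server, pipe the query shown in the first comment into audit_accounts.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies the rows printed by
#   sudo mariadb -N -B -e "select host,user,password,plugin from mysql.user"
# (-N: no header row, -B: tab-separated columns).

# audit_accounts (hypothetical name): reads host,user,password,plugin rows on
# stdin and prints "<user>@<host> <verdict>" for each account.
audit_accounts() {
    awk -F '\t' '
    {
        host = $1; user = $2; pw = $3; plugin = $4
        if (plugin == "unix_socket")
            verdict = "SOCKET"        # OS user of the same name needs no DB password
        else if (plugin != "")
            verdict = "OTHER_PLUGIN"  # not covered by the post, review by hand
        else if (pw == "")
            verdict = "NO_PASSWORD"   # empty plugin and empty hash: open account
        else
            verdict = "PASSWORD"      # empty plugin, hash present: password required
        printf "%s@%s %s\n", user, host, verdict
    }'
}

# count_open (hypothetical name): number of NO_PASSWORD accounts in stdin rows.
count_open() {
    audit_accounts | grep -c ' NO_PASSWORD$' || true
}

# Constructed sample rows: root as shown before and after the UPDATE in the
# post (hash replaced by a placeholder), plus a made-up account with no hash.
sample_rows() {
    printf 'localhost\troot\t*PLACEHOLDER_HASH\tunix_socket\n'
    printf 'localhost\troot\t*PLACEHOLDER_HASH\t\n'
    printf 'localhost\tsensor\t\t\n'
}

sample_rows | audit_accounts
```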