DescriptionThe purpose of this document is to create a LAMP (Linux/Apache/MySQL/Php) installation on your lab machine. With this in place, we'll also install two common LAMP applications:
- phpMyAdmin: a web app for controlling the MySQL database
- Drupal: a content management system.
- The MySQL installation needs an administrative (root) password to get started. This is an important one, but we will make it so that you, with machine root access, do not have to remember it.
- phpMyAdmin has its own administrative database/user/password; fortunately you do not need to remember this password.
- Drupal also has its own administrative database/user/password which you don't have to remember. Drupal also requires a site administrator login/password, which you do have to remember. I will suggest making the these credentials your machine credentials for simplicity.
Install MySQLHaving a MySQL database will be central to this course. We'll start with this installation first. As of Ubuntu 16.04, the MySQL 5.7 version is in use, which has some significant differences from the 5.5 versions used previously, particularly in the way that user authentication is handled. The installer says it "recommends" a password on installation, but this recommendation should probably be a requirement. Choose a MySQL root password, definitely not your machine login password. You will not need to remember it beyond the initial steps.
MySQL Root Password:
$ sudo apt-get install mysql-client mysql-serverImmediately you're presented with the password entry. Key it in, tab to OK and Enter.
┌────────────────┤ Configuring mysql-server-5.7 ├──────────────────┐ | While not mandatory, it is highly recommended that you set a | | password for the MySQL administrative "root" user. | | | | If this field is left blank, the password will not be changed. | | | | New password for the MySQL "root" user: | | | │This is followed by a confirmation dialog where you reenter the password. Begin by confirming that you can get access the MySQL server as root: │ | | | | <Ok> | └──────────────────────────────────────────────────────────────────┘
$ mysql -u root -p Enter password: MYSQL_ROOT_PASSNow you want to securely store and use this password so that you don't want to have to remember it. Create the file (as root):
[client] user=root password="MYSQL_ROOT_PASS"select
MySQL Root Password:
$ sudo su # mysqlor,
$ sudo -H mysqlUsing this .my.cnf in the home directory implies:
if any MySQL client programs is executed, such as mysql, mysqldump, etc., then use the user and password provided.It's most secure to make this usable only by the machine's root user. To do password-less root access in this way, you must either run a root shell, or use "sudo -H" which correctly sets HOME directory. Prove this to yourself by comparing:
$ sudo printenv | grep HOME $ sudo -H printenv | grep HOME
$ sudo apt-get install \ apache2 php libapache2-mod-php php-cli php-mysql php-cgi \ php-curl php-json php-mcrypt php-apcu php-gd php-xml \ php-mbstring php-gettextApache itself can execute in one of two modes:
- prefork mode where the child processes each handle a connection
- worker mode where the child processes spawn multiple threads which handle the connections
/var/www/html/index.htmlThe directory /var/www/html is the DocumentRoot as defined in the file:
<VirtualHost *:80> ... DocumentRoot /var/www/html ... </VirtualHost>
/etc/apache2/ configuration root /etc/apache2/apache2.conf main config file /etc/apache2/conf-available/ available config files /etc/apache2/conf-enabled/ enabled statup files /etc/apache2/mods-available/ available config files for modules /etc/apache2/mods-enabled/ enabled config files for modules /etc/apache2/sites-available/ available site definitions /etc/apache2/sites-enabled/ enabled site definitions /etc/init.d/apache2 apache control script /usr/sbin/apachectl actual apache binary file /usr/lib/apache2/ apache modules /var/log/apache2/ apache Log filesThe relationship between the directories
"*-enabled/" and "*-available/"is that each ".conf" and/or ".load" file in an "*-enabled/" directory is a symbolic links to an actual file in the "*-available/" directory. Verify this by:
$ ll /etc/apache2/conf-enabled $ ll /etc/apache2/mods-enabledWhen Apache is restarted or reloaded, it automatically uses everything in an "*-enabled/" directory. This diagram of loading configuration files is in the top comment section of /etc/apache2/apache2.conf:
# /etc/apache2/ # |-- apache2.conf # | `-- ports.conf # |-- mods-enabled # | |-- *.load # | `-- *.conf # |-- conf-enabled # | `-- *.conf # `-- sites-enabled # `-- *.confUbuntu provides special commands to control the enabling/disabling of the features specified by these executables:
a2enconf apache2 enable a conf file a2disconf apache2 disable a conf file a2enmod apache2 enable a module a2dismod apache2 disable a module a2ensite apache2 enable a site a2dissite apache2 disable a siteThe enablers simply create links from the "*-available/" directory to the corresponding "*-enabled/" directory. The disablers remove these links.
Apache service, error log, config testThe Apache service is one which needs to be "reset" often because of configuration changes. Control the Apache server is done as a SysV service:
$ sudo service apache2 [ status | start | stop | restart | reload | etc. ]The service call is actually a convenience for calling the actual service manager, systemctl. Here is what is actually used:
$ sudo systemctl [ same choices ] apache2.serviceThe reload feature is generally preferred to restart because it does not actually stop the server and therefore can be done without affecting web users. You can get usage information by running "service apache2." If something goes wrong, the first place to look is usually this log file:
/var/log/apache2/error_logThis error log file is readable by you, a system admin, without invoking sudo. Often a useful thing to do is to "follow the tail" of this file as messages are generated with using the "tail -f" command:
$ tail -f /var/log/apache2/error_logIf you make a configuration change, you can test its effectiveness by running this prior to attempting to reset the service.
$ sudo apachectl configtestWhen you run this, you'll see a complaint about unknown ServerName. It can be ignored, but we'll fix it later.
http://localhost/~LOGINUser directories are not enabled by default. To enable the Apache userdir module by:
$ sudo a2enmod userdir $ sudo service apache2 reloadThe first command, as indicated above, simply creates a symbolic link. Check it yourself:
$ ll /etc/apache2/mods-enabled/userdir.* /etc/apache2/mods-enabled/userdir.conf -> ../mods-available/userdir.conf /etc/apache2/mods-enabled/userdir.load -> ../mods-available/userdir.loadHere is the content of the files:
<IfModule mod_userdir.c> UserDir public_html UserDir disabled root <Directory /home/*/public_html> AllowOverride FileInfo AuthConfig Limit Indexes Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec <Limit GET POST OPTIONS> Require all granted </Limit> <LimitExcept GET POST OPTIONS> Require all denied </LimitExcept> </Directory> </IfModule>
LoadModule userdir_module /usr/lib/apache2/modules/mod_userdir.so
<IfModule mod_userdir.c> ... </IfModule>
Test the Apache home directoryCreate the web directory and add a test file to it:
$ mkdir -p ~/public_html $ echo "HELLO WORLD" > ~/public_html/hello.htmlTest the effectiveness by activating this URL:
Apache control featuresAs seen in the moduserdir.conf file Apache has a complex set of control features controlling what can and cannot happen to requests to a user web directory. You can track down the documentation for these features through the manual. These are considered core features and one should look in modules → core to find this information: Access Control.
- ordinary file
- symbolic link
- block device
- character device
sSt uuu ggg oooThe 3-bit fields uuu, ggg and ooo stand for the user, group and other (world) permissions, respectively. Each 3-bit field represents the read/write/execute permissions for this resource. The 3-bit field sSt is quite specialized:
- s means setuid: the user id of the process executing the file can become file's user id
- S means setgid: the group id of the process executing the file can become the file's group.
- t means sticky: applied to directories with world-write permissions (anyone can add a file); only the file owner can remove a file added. The best example is the /tmp directory.
$ ls -ld ~/.profile ~/public_html /root /tmp /usr/bin/php \ /usr/bin/passwd /var/run/mysqld/mysqld.sock /dev/sda /dev/null -rw-r--r-- 1 LOGIN LOGIN ... /home/LOGIN/.profile drwxr-xr-x 3 LOGIN LOGIN ... /home/LOGIN/public_html drwx------ 6 root root ... /root/ drwxrwxrwt 5 root root ... /tmp -rwsr-xr-x 1 root root ... /usr/bin/passwd lrwxrwxrwx 1 root root ... /usr/bin/php -> /etc/alternatives/php srwxrwxrwx 1 mysql mysql ... /var/run/mysqld/mysqld.sock brw-rw---- 1 root disk 8, 0 ... /dev/sda crw-rw-rw- 1 root root 1, 3 ... /dev/nullThe initial character gives the file type: regular (-), directory (d), symbolic link (l), block device (b), character device (c), fifo (p), and socket (s). The remaining nine characters of the first field specify the allowable rwx permissions for user, group, and other. A dash (-) replacing the letter means permission is not granted. The specialized "sSt" bits replace "x" bits for user, group, other, resp.
Access Mode for DirectoriesThe read/write/execute permissions are fairly easy to understand for ordinary files, but they have a different interpretation for directories. For a directory,
- the read permission (r) allows its contents to be listed;
- the write permission (w) allows its contents to be altered by adding/deleting/renaming files;
- the execute permission (x) allows access to its contents.
Resource access by a processEvery Linux process has a user id and group id obtained by a system authentication mechanism, most likely from the /etc/passwd file. The resources that a process may access are dictated by
- the process' user and group ids
- the user/group ids and access permissions of all components of the full pathname of that resource
- the user id of the process is the user id of the resource and the resource's uuu has the r bit set.
- the group id of the process is the group id of the resource and the resource's ggg has the r bit set.
- the ooo portion of the mode has the r bit set.
/dir1/dir2/.../lastdir/resourcethen the process must have "pass-through" (x) permission on all directory components
/, /dir1, /dir1/dir2, ..., /dir1/dir2/.../lastdir
Web AccessThe Apache web server runs as the user and group of name www-data, different from you, and (definitely) from root. To understand web accessibility of
$ ls -ld / /home ~ ~/public_html ~/public_html/hello.html drwxr-xr-x 24 root root ... / drwxr-xr-x 4 root root ... /home drwxr-xr-x 26 LOGIN LOGIN ... /home/LOGIN drwxr-xr-x 2 LOGIN LOGIN ... /home/LOGIN/public_html -rw-r--r-- 1 LOGIN LOGIN ... /home/LOGIN/public_html/hello.htmlYou'll see that each of the directories in the path have the necessary "x" permission for all users and that the target file has the necessary "r" permission. We might say the permission on home are actually too permissive:
drwxr-xr-x ... LOGIN LOGIN ... /home/LOGINIf there are multiple users on a system, any other can to read the readable files within your home directory. Better would be this:
drwx--x--- ... LOGIN www-data ... /home/LOGINHowever, the change of group can only be done as root.
File access controlAn alternative is to use user-controllable access control permissions built into modern UNIX-like file systems. Mac OS X makes big usage of these. The main executables are setfacl/getfacl (set/get file access control permissions). Here is an experiment:
$ sudo apt-get install links (a shell based web browser) $ links -dump http://localhost/~LOGIN (display user web home) $ getfacl ~ (default access controls of your home) # file: . # owner: LOGIN # group: LOGIN user::rwx group::--- other::--- $ chmod 700 ~ (close off to other users) $ ls -ld ~ drwx------+ ... LOGIN LOGIN $ links -dump http://localhost/~LOGIN (now permission denied) $ setfacl -m u:www-data:x ~ (allow "x" access to apache user) $ getfacl ~ (default access controls of your home) # file: . # owner: LOGIN # group: LOGIN user::rwx user:www-data:--x group::--- mask::--x other::--- $ ls -ld ~ drwx--x---+ ... LOGIN LOGIN (note the "+" in permissions) $ links -dump http://localhost/~LOGIN (works again)If you wish, you can return to the original state:
$ setfacl -b ~ (clear ACL permissions) $ chmod 755 ~ (set original permissions)
$ sudo touch /etc/apache2/conf-available/local.confPut it into play by:
$ sudo a2enconf localFor convenience make a symbolic link to it in the /etc/apache2 directory:
$ sudo ln -s /etc/apache2/conf-available/local.conf /etc/apache2/As an example of what to do with it, edit it and add the following initial content, fixing the "ServerName missing" issue and allowing extended privileges to you:
ServerName MACHINE <Directory /home/LOGIN/public_html> Options All AllowOverride All </Directory>select
$ sudo service apache2 reload
- as an Apache module (apache)
- as an executable for a CGI-style exectuion (typically FASTCGI) used in non-Apache web servers like Lighttpd, Nginx, IIS (cgi)
- as a command-line program, /usr/bin/php, for script-style programming (cli)
|/etc/php/7.0/X/||X = apache, cgi, cli|
|/etc/php/7.0/X/php.ini||main config file for X|
|/etc/php/7.0/mods-available/||configuration (.ini) files for Php modules|
|/etc/php/7.0/X/conf.d/||added config files for X (symlinks into previous folder)|
|Apache Php module|
|/usr/lib/php/20151012||Php plugin modules|
|/usr/share/php7.0-*||modules .ini file storage|
$ phpenmod $ phpdismodwhich, like the Apache correlates, create symlinks from the .ini files in /etc/php/7.0/mods-available into the corresponding conf.d subdirectories of apache2, cgi and cli. For the most part this linking to all Php versions is done whenever a Php module is installed. The web-based CGI method creates a separate Php process for every server-side invocation, whereas, the Apache module maintains "live" Php processes, presumably avoiding the start-up latency. Nevertheless, the CGI system can have very good performance if enhanced by so-called "FastCGI" technology which caches the executable code created from Php invocations.
Permitting Php execution in user directoriesUbuntu distributions make it so that an extra step must be taken to enable Php for user directories. You have to edit the file:
... # Running PHP scripts in user directories is disabled by default # # To re-enable PHP in user directories comment the following lines # (from <IfModule ...> to </IfModule>.) Do NOT set it to On as it # prevents .htaccess files from disabling it. <IfModule mod_userdir.c> <Directory /home/*/public_html> php_admin_value engine Off </Directory> </IfModule>
#<IfModule mod_userdir.c> # <Directory /home/*/public_html> # php_admin_value engine Off # </Directory> #</IfModule>
$ sudo service apache2 reloadTest the effectiveness by creating a simple Php file in your home site as follows:
<?php echo "Hello from Php";select
/var/lib/mysql/ MySQL database files (mysql or root only) /var/lib/mysql/mysql/ main administrative database /etc/mysql/ configuration files /var/run/mysql/ socket file, PID fileBy default, MySQL listens on port 3306 for client requests, but it also listens on a dedicated UNIX socket file to provide more efficient service from local clients. The MySQL service, unlike Apache, is an Upstart service, meaning that we can use restart and/or reload as commands (the service command works too), e.g.:
$ sudo restart mysqlUnlike Apache, we almost never need to do this, because administrative changes are all done in the mysql administrative database which can be manipulated through a MySQL client executable. The MySQL client installation provides a number of useful shell commands to manipulate its databases, including:
mysql: command line interpreter for manipulating database mysqladmin: basic administration commands mysqldump: dump the contents of table(s) in a database mysqlshow: show table/fields in a databaseYou can see the entire set of choices from the shell using tab completion by doing:
$ mysql[TAB][TAB]For example, try these commands:
$ sudo -H mysqlshow (all databases) $ sudo -H mysqlshow mysql (all tables in mysql) $ sudo -H mysqlshow mysql user (description of user table) $ sudo -H mysql mysql> show databases; mysql> use mysql; mysql> show tables; mysql> describe user; mysql> quit $ mysqldump (synopsis) $ mysqladmin (synopsis)
Backup and reloadThe mysql commands provide an excellent scheme by which a database can be "backed up" and then "reloaded". Do the backup like this:
$ sudo -H mysqldump somedb > somedb.sqlThe somedb.sql file contains the data in all the tables plus the commands needed to recreate these tables. After creating the somedb database, the restoration can be done like this:
$ sudo -H mysql somedb < somedb.sql
MySQL access principles (simplified)The MySQL is a network-oriented DBMS listening on port 3306. Client programs may reside on different hosts than the server. The access rights of MySQL client to a MySQL DBMS database is determined by three key factors:
- the user specified by the client
- the host on which the client operates
- the database that the client is trying to access
- user table. This pair is matched
(host,user)If the password field is non-empty the client must provide a matching password. The remaining fields represent boolean "global privileges" which are given to the client in that they can be used to access any database. For the most part, non-root uses gain no privileges in these fields and root gains all privileges.
- host table. This pair is matched:
(host,database)thereby augmenting the privileges available to the client when accessing from this host.
- db table. This triple is matched.
(host,database,user)therefore further augmenting the privileges available to the client as this particular database. The db table is the most common place where privileges are assigned for non-root users since it is the most specific to the database.
$ sudo apt-get install phpmyadminThis installation is the most involved one so far, because it requires creation of MySQL user and databases. Here are the configuration steps:
You are presented with the "Configuring phpmyadmin" screen requesting
the web server that should be automatically configured to run phpMyAdmin.
Tab to "apache2", press the SPACE BAR to select it:
[*] apache2 [ ] lighttpd <Ok>Tab to "OK", press ENTER. The second choice, lighttpd is not installed (yet). You can always go back and reconfigure the installation to pick up changes by:
$ sudo dpkg-reconfigure phpmyadmin
- Next the installer wants to create and configure a database by dbconfig-common. The Yes choice is already selected, just press ENTER.
Next, you need an password for the phpmyadmin user:
Any password is OK, just remember it for the next confirmation step.
You never need to use it.
Password confirmation: repeat password entry. Again:
$ sudo apt-get purge phpmyadminSay yes to deleting everything possible. Then start again.
Relevant filesIt is useful to know just what files are affected by an installation. One way to discover this information is like this:
$ dpkg -L phpmyadminThis rarely tells the whole story because an installation will often kick in other package installations along with post-installation additions. Here are the key files for phpmyadmin:
- The directory /etc/phpmyadmin: usually the starting point for configuration changes.
- The direcory /usr/share/phpmyadmin contains the bulk of the code for running phpMyAdmin.
The Apache config file:
/etc/apache2/conf-available/phpmyadmin.conf, a symlink to
/etc/phpmyadmin/apache.conf. The main access code specified within this file is
Alias /phpmyadmin /usr/share/phpmyadmin <Directory /usr/share/phpmyadmin> Options FollowSymLinks DirectoryIndex index.php <IfModule mod_php.c> <IfModule mod_mime.c> AddType application/x-httpd-php .php </IfModule> <FilesMatch ".+\.php$"> SetHandler application/x-httpd-php </FilesMatch> php_flag ... php_admin_flag ... ... </IfModule> ... </Directory>
- The file /etc/dbconfig-common/phpmyadmin.conf contains database configuration information for phpMyAdmin. In particular, this file stores the phpmyadmin user password. All files in /etc/dbconfig-common are root-only readable since they store passwords and other sensitive information.
Log in as root and observephpMyadmin or other MySQL GUI clients serve well to help educate us about the MySQL database structure. All the information could be obtained through the simple mysql client, but you have to know a lot more about how to get it. Use this link in a browser:
Username: root Password: -the-MySQL-root-password-On the left you should see these databases:
information_schema mysql performance_schema phpmyadmin sysThe phpmyadmin database is used for managing phpMyAdmin itself. The others are standard MySQL database; for example, the information_schema database is read-only, holding "meta" information about the actual databases. The key one is the administrative mysql database. Choose the mysql database on the left to reveal all the tables within it. Locate the user table at the bottom; select that one and try to understand the table content. Compare the root and phpmyadmin users. The fields Select_priv, ..., Create_tablespace_priv indicate what a user can do to any table. The root user has "Y" in all these and so can do anything to any table. In contrast, the phpmyadmin user has "N" in all these and so can do nothing to any table based on these fields. Scrolling right toward the end we see the fields plugin, ..., account_locked which specify authentication and account access. In particular these 2 are the basis for authentication:
plugin: encryption mechanism authentication_string: encrypted passwordThe second most important table is db. Look at the entry:
User: phpmyadmin Db: phpmyadminExcept for Grant_priv all privilege columns have "Y", indicating that this user can do everything to this database except grant access to other users.
8.1.2Make necessary adjustments if the downloaded version differs. Everything we do is through a root shell where initiated from your home directory:
$ cd $ sudo su #
Database preparationWe need a database dedicated to Drupal. Like phpMyAdmin, it's not necessary to remember this database password, but you have to remember it until the installation is complete. Choose a Drupal user database password:
Drupal DB Password:
# mysql mysql> create database drupal; mysql> create user drupal@localhost identified by 'DRUPAL_DB_PASS'; mysql> grant all on drupal.* to drupal@localhost; mysql> quit
Begin installationExtract the downloaded archive and move it into place, renaming the folder. We are assuming you're still in your home directory and the archives are in the ~/Downloads folder, do one of these (double-check the version in use):
# unzip Downloads/drupal-8.1.2.zip --- or --- # tar xzf Downloads/drupal-8.1.2.tar.gzThen move it into place renaming the folder MACHINE_drupal. Please use exactly this name.
# mv drupal-8.1.2 /var/www/html/MACHINE_drupal # cd /var/www/html/MACHINE_drupalThe installation is driven by browser interaction. Open a browser to the site:
http://localhost/MACHINE_drupal/core/install.phpIt reveals the 6 steps. The first two are easy:
Click Save and Continue Select an installation profile Standard.
Save and Continue
Click Save and Continue Select an installation profile Standard.
Save and Continue
Fix requirement problemsThe next step, Verify Requirements, takes the most effort. We want to satisfy one requirement problem at a time in order to appreciate what is going on. After each step, refresh the browser to see the change.
First enable Apache rewrite module:
# a2enmod rewriteFor performance reasons, we want to make the .htaccess file a server-loaded config file. The goal is to create and activate this config file:/etc/apache2/conf-available/drupal.conf
<Directory /var/www/html/MACHINE_drupal> THE CONTENTS OF .htaccess </Directory>
# cat <<END >| /etc/apache2/conf-available/drupal.conf <Directory /var/www/html/MACHINE_drupal> END # cat .htaccess >> /etc/apache2/conf-available/drupal.conf # cat <<END >> /etc/apache2/conf-available/drupal.conf </Directory> END
# gedit /etc/apache2/conf-available/drupal.confThen put it into effect by:
# a2enconf drupal # service apache2 reloadRefresh the browser to see the effect. The "Clean URLs" message should disappear.
We have to create a folder and make it Apache-writable:
# mkdir sites/default/files # setfacl -m g:www-data:rwx sites/default/filesRefresh the browser to see the effect. The "File System" message should disappear.
Settings file (1)
We have to create a settings configuration file.
# cp sites/default/default.settings.php sites/default/settings.phpRefresh the browser to see the effect. The "Settings file" message should change.
Settings file (2)
Now it says we have to make this newly-created file Apache-writable.
# setfacl -m g:www-data:rw sites/default/settings.phpRefresh the browser to see the effect. All requirement problems have been dealt with.
Configure DatabaseThe next step is Set up database. This is the last place where you need to know the drupal database password. Substitute your actual password.
Database name:Click: Save and Continue Now it goes through Installing Drupal. There's nothing to do but wait. While you wait, you can "forget" the drupal database password:
Drupal DB Password:
Configure SiteWe'll deal with the opening message about removing write privileges later. You have to create a site maintenance account with login/password. Unfortunately, you have to remember these credentials. I am suggesting that you use your machine login and password, which will be encrypted in the drupal database. Of course, use what you like.
Remove Write PermissionsThe message reported previously is reported again:
All necessary changes to sites/default and sites/default/settings.php have been made, so you should remove write permissions to them now in order to avoid security risks....Refresh the browser to make the warning message disappear. Because of the way we've used the ACL's, there actually is little risk that system other users (if there were any) could do any harm. Nevertheless, this final step secures the file for root-only access:
# setfacl -b sites/default/settings.php
Create a "hello world" postYou're already logged in as admininstrator; however, log out and back in to test this feature.
- Click Home and the Add Content link below "No front page content has been created yet."
- Select Basic Page.
Create Basic Page (make the content as you like):
On the right (or below), select PROMOTION OPTIONS and check:
Promoted to front page.
- Click Save and Publish.
- Click Home. Then Log out to see your page.
LocalForward 2003 MACHINE:80Activate the tunnel from your client machine, either through PuTTy or from a shell via:
$ ssh MACHINE_tunnelOnce activated, you should be able to access both sites that we have created:
NEW_ROOT_PASSThe convoluted procedure, taken from online MySQL docs, is specific to MySQL versions 5.7.6 and above.
$ sudo service mysql stop
Start MySQL in a novel way:
$ sudo mysqld_safe --skip-grant-tables &Hit Enter to get the shell prompt back.
Starting MySQL in the way we did, authentication is not observed, so you can go in as you.
$ mysql mysql> flush privileges; mysql> alter user root@localhost identified by 'NEW_ROOT_PASS'; mysql> quit
Kill the running mysqld process:
$ sudo killall mysqldWait for output dump confirmation and hit Enter to get the shell prompt back.
Restart MySQL and verify password:
$ sudo service mysql start $ mysql -u root -pNEW_ROOT_PASS
Edit /root/.my.cnf, make the password change and verify:
$ sudo -H mysql mysql>