Thread: cpanel mysql (lack of) security
-
04-22-2003, 10:00 PM #1Aspiring Evangelist
- Join Date
- Oct 2002
- Location
- Tel-Aviv, Israel
- Posts
- 436
cpanel mysql (lack of) security
Let me get this straight: cPanel, in the default install, sets up MySQL with no password for the root user, and no one cries OMG!! ?
btw, to repair: mysqladmin -u root password 'Newpass'
Last edited by rcs; 04-22-2003 at 10:16 PM.
Uadm.com - Unix Administration, Security and Support.
http://www.uadm.com
"Unix is user friendly; it's just picky about who its friends are."
-
04-22-2003, 11:51 PM #2Web Hosting Master
- Join Date
- Apr 2000
- Posts
- 1,714
The WHM setup walkthrough has as one of its steps the setting of the mySQL root pass by the user. Those who decide to skip the walkthrough (as we do) can simply set a password through several different methods before releasing the server into production. Those who fail to set one through any of the means presented have attention to detail issues - but that isn't a cPanel problem.
-
04-23-2003, 12:05 AM #3Web Hosting Master
- Join Date
- Apr 2002
- Location
- USA
- Posts
- 5,783
Anyone who has a server should know how to set up a root password for MySql in WHM or know that to do this is part of the normal deployment of a box before putting customers on it.
I do not see how this is a cpanel problem any more than the other things you should be doing to secure a box before deploying it for the first time are a linux or Apache problem.
-
04-23-2003, 01:56 AM #4Web Hosting Evangelist
- Join Date
- Sep 2000
- Location
- NY
- Posts
- 493
I have noticed a lot of people just hit FINISHED, then attempt to manually do it, without the steps.
So henceforth you will see this issue.
My wife said it was ok
-
04-23-2003, 04:10 AM #5Web Hosting Master
- Join Date
- Jul 2002
- Location
- Missouri
- Posts
- 2,504
I don't see the big deal. You should set everything up before dumping clients on to a machine.
What does one host say to the other? "(HostA) Want to go see a movie?" "(HostB) Sure, can your parents drive?"
I'm premium, and no, I did not have to pay $6 a month to figure that out.
-
04-23-2003, 04:47 AM #6Web Hosting Master
- Join Date
- Sep 2002
- Location
- Earth
- Posts
- 2,533
rcs do you think /bandwidth/ is a problem also??
You need to lock things down
-
04-23-2003, 10:46 AM #7Aspiring Evangelist
- Join Date
- Oct 2002
- Location
- Tel-Aviv, Israel
- Posts
- 436
Unless cPanel specifically says "mysql server is installed with no root password and you should change it", then it's their problem (too). They only say "You can set, and change, your MySQL root password at any time. It is recommended that you change your root password often."
Uadm.com - Unix Administration, Security and Support.
http://www.uadm.com
"Unix is user friendly; it's just picky about who its friends are."
-
04-23-2003, 11:28 AM #8Web Hosting Master
- Join Date
- Jan 2003
- Location
- Lake Arrowhead, CA
- Posts
- 789
And they should also put labels on circular saw blades telling children not to use them as frisbees!
No offense intended to anyone, but too much handholding in almost any situation tends to allow people with less experience to get into deeper waters (and potentially deeper trouble) faster than they might otherwise. If a host/tech can't be bothered to read documentation and follow instructions, should they even be offering mySQL at all?
http://www.srohosting.com
Stability, redundancy and peace of mind
-
04-23-2003, 12:03 PM #9Junior Guru Wannabe
- Join Date
- Mar 2003
- Location
- Fairfax, CA
- Posts
- 52
How is it a problem?
If I set my box to have no mysql password, then log on as root, I can run mysql monitor.
But if I log on as any other user and attempt to run mysql, it refuses to run.
In applications, as a user I create a mysql database, and create a mysql user and mysql passcode for that user, then grant that user some permissions. But I only have access to the database I've created.
It's not clear to me where the danger lies with mysql not having a password. My natural impulse is to have it 'password protected', but so far I cannot see where the passcode protects it.
For sure, there's plenty about which I am way too ignorant.
And that's why I ask here, of people who know more. And this is the question --
What exactly is the vulnerability of mysql running without a root mysql password?
-- Arthur Cronos from Voltos
=============================================================
The Bloggard, Un Hombre Blogisto -- http://www.bloggard.com
Your loch ness monster, your yeti, your bigfoot. Bah! I've seen worse.
=============================================================
-
04-23-2003, 12:08 PM #10Aspiring Evangelist
- Join Date
- Oct 2002
- Location
- Tel-Aviv, Israel
- Posts
- 436
Any user can access the database as root. (If YOU can't, that doesn't mean someone who knows what he's doing can't (no disrespect).)
Uadm.com - Unix Administration, Security and Support.
http://www.uadm.com
"Unix is user friendly; it's just picky about who its friends are."
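The thread states the exposure (a passwordless root account means anyone who can reach the server can connect as MySQL root) but never shows how to check a box for it. The following audit helper is added here by the editor; it is not code from the thread, from cPanel or from MySQL. It reads, on stdin, the tab-separated output that the mysql client prints when piped, e.g. mysql -u root -e "SELECT user, host, password FROM mysql.user" (on MySQL 5.7+ and MariaDB 10.4+ the column is authentication_string), and prints one user@host line per account whose password column is empty. The sample rows inside the script are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list MySQL accounts with an empty
# password. Reads the tab-separated batch output of the mysql client on
# stdin and prints "user@host" for each passwordless account.
# Exit status: 0 = none found, 1 = at least one found, 2 = unexpected input.
find_passwordless_accounts() {
    awk -F'\t' '
        NR == 1 {
            # Locate the columns by header name so column order does not matter;
            # accept either the pre-5.7 "password" or the newer
            # "authentication_string" column.
            for (i = 1; i <= NF; i++) {
                name = tolower($i)
                if (name == "user") ucol = i
                else if (name == "host") hcol = i
                else if (name == "password" || name == "authentication_string") pcol = i
            }
            if (!ucol || !hcol || !pcol) {
                print "unexpected header: " $0 > "/dev/stderr"
                bad = 1
                exit
            }
            next
        }
        # Each row with an empty password column is reported separately:
        # root usually has several host rows (localhost, the box hostname),
        # and every one of them needs its own password.
        $pcol == "" { print $ucol "@" $hcol; found = 1 }
        END { if (bad) exit 2; exit (found ? 1 : 0) }
    '
}

# Constructed sample of what "mysql -e ... | ..." prints on a default install:
# root rows without a password, an anonymous ('') account, and one
# application account that does have a (placeholder, not real) hash.
sample_user_table() {
    printf 'user\thost\tpassword\n'
    printf 'root\tlocalhost\t\n'
    printf 'root\tweb01.example\t\n'
    printf 'app\tlocalhost\t*CONSTRUCTEDHASHNOTREAL\n'
    printf '\tlocalhost\t\n'
}

# To run against the constructed sample:
#   sample_user_table | find_passwordless_accounts
# Against a live server (no password set yet, which is the case under discussion):
#   mysql -u root -e "SELECT user, host, password FROM mysql.user" | find_passwordless_accounts
```

On the constructed sample the helper prints root@localhost, root@web01.example and @localhost and exits 1. The anonymous @localhost row is worth noting: old default installs created it alongside the root rows, and the mysqladmin command from the first post only changes the account it is run as, so each row the script reports has to be fixed (or dropped) individually before the server takes customers.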
-
04-23-2003, 12:09 PM #11Web Hosting Master
- Join Date
- May 2001
- Location
- Dayton, Ohio
- Posts
- 4,977
Originally posted by rcs
Unless cPanel specifically says "mysql server is installed with no root password and you should change it", then it's their problem (too). They only say "You can set, and change, your MySQL root password at any time. It is recommended that you change your root password often."
If an admin doesn't know to setup a MySQL root pass, then they shouldn't be working on the server at all
This is why we have fly-by-night hosting companies that don't know general server administration...
-
04-23-2003, 12:28 PM #12Aspiring Evangelist
- Join Date
- Oct 2002
- Location
- Tel-Aviv, Israel
- Posts
- 436
I guess we can argue about this forever, but it is my impression that cPanel (or any other control panel) was built to ease the administration tasks for non-technical people. So why would a non-technical cPanel owner have any idea about MySQL passwords?
Uadm.com - Unix Administration, Security and Support.
http://www.uadm.com
"Unix is user friendly; it's just picky about who its friends are."
-
04-23-2003, 12:48 PM #13Web Hosting Master
- Join Date
- Apr 2002
- Location
- USA
- Posts
- 5,783
Originally posted by rcs
I guess we can argue about this forever, but it is my impression that cPanel (or any other control panel) was built to ease the administration tasks for non-technical people. So why would a non-technical cPanel owner have any idea about MySQL passwords?
Power steering was added to cars to make them easier to drive; that does not mean it steers the car for you.
-
04-23-2003, 12:53 PM #14Aspiring Evangelist
- Join Date
- Oct 2002
- Location
- Tel-Aviv, Israel
- Posts
- 436
Originally posted by Monte
Power steering was added to cars to make them easier to drive; that does not mean it steers the car for you.
Uadm.com - Unix Administration, Security and Support.
http://www.uadm.com
"Unix is user friendly; it's just picky about who its friends are."
-
04-23-2003, 12:59 PM #15Web Hosting Master
- Join Date
- Jul 2002
- Location
- Missouri
- Posts
- 2,504
True, however if you were a race car mechanic you'd check that out before you let the driver in the car.
A normal person buying a car (a non-technical guy trying to run a machine) isn't going to run a scan on the box for common security holes (or faulty setups) like a mechanic would do to a car....
No comparison really.
What does one host say to the other? "(HostA) Want to go see a movie?" "(HostB) Sure, can your parents drive?"
I'm premium, and no, I did not have to pay $6 a month to figure that out.
-
04-23-2003, 01:02 PM #16Web Hosting Guru
- Join Date
- Jan 2003
- Posts
- 261
Yet no one would give you a power steering wheel with a pin missing, saying "we recommend you put the pin in". The least they would have said is "there's no pin in the wheel. You need to put it in or else you'll drive off the road".
----------
Wow... you come up with some strange analogies (that don't make much sense). Servers DO NOT come 100% secure by default... that's why you hire admins. If it were as easy as you seem to want it, then a 3rd grader (maybe even a monkey) could run a webhosting business and click the pretty buttons all day. Web appliances make the routine tasks easier by providing a GUI as opposed to doing everything by the command line. You should still know what you are doing and have an understanding of how everything works. If you take things for granted and expect everything to come with already secure passwords for you, then it's time to wake up and smell the coffee... not to mention get out of the hosting business, because when your server gets hacked and is used in a DDoS attack you are not going to be very popular.
-
04-23-2003, 01:07 PM #17Web Hosting Master
- Join Date
- Apr 2002
- Location
- USA
- Posts
- 5,783
Originally posted by rcs
Yet no one would give you a power steering wheel with a pin missing, saying "we recommend you put the pin in". The least they would have said is "there's no pin in the wheel. You need to put it in or else you'll drive off the road".
If you install MySQL without a CP, does it set the password for you? cPanel, when installed on a server, has to be set up just like any piece of software; if you can't read the docs or do not understand how to set it up, then you suffer the consequences.
-
04-23-2003, 09:10 PM #18Web Hosting Master
- Join Date
- Apr 2001
- Posts
- 2,611
This is just disgusting! cPanel isn't meant to replace an admin, nor should it be. It's meant to make managing clients easier, and it has a few added tools to help make admining easier. Just because cPanel doesn't completely lock down your box for you doesn't mean you can brush off the crap on them. Get an admin, or get out of the business!
-
04-23-2003, 09:25 PM #19Web Hosting Master
- Join Date
- Apr 2001
- Location
- Palm Beach, FL
- Posts
- 1,097
Re: cpanel mysql (lack of) security
Originally posted by rcs
Let me get this straight: cPanel, in the default install, sets up MySQL with no password for the root user, and no one cries OMG!! ?
Don't blame cPanel for something cPanel is not really at fault for.
Control panels don't replace admins. They are simply a tool for an admin. People in general need to realize that.
Alex Llera
Professional Server Management
FreeBSD|Linux|HSphere|Cpanel|Plesk
-
04-23-2003, 09:32 PM #20Web Hosting Master
- Join Date
- Sep 2002
- Location
- Earth
- Posts
- 2,533
Wow what a thread