  1. #1
    Join Date: Oct 2002 | Location: Tel-Aviv, Israel | Posts: 436

    cpanel mysql (lack of) security

    Let me get this straight: Cpanel, in the default install, puts mysql with no password for the root user and no one cries OMG!!?

    btw, to repair: mysqladmin -u root password 'Newpass'
    Last edited by rcs; 04-22-2003 at 10:16 PM.
    Uadm.com - Unix Administration, Security and Support.
    http://www.uadm.com
    "Unix is user friendly; it's just picky about who its friends are."

  2. #2
    The WHM setup walkthrough has as one of its steps the setting of the mySQL root pass by the user. Those who decide to skip the walkthrough (as we do) can simply set a password through several different methods before releasing the server into production. Those who fail to set one through any of the means presented have attention to detail issues - but that isn't a cPanel problem.
    Annette
    Hosting Matters, Inc.
    Superior service. Sensible price.

  3. #3
    Join Date: Apr 2002 | Location: USA | Posts: 5,783
    Anyone who has a server should know how to set up a root password for MySql in WHM or know that to do this is part of the normal deployment of a box before putting customers on it.

    I do not see how this is a cpanel problem any more than the other things you should be doing to secure a box before deploying it for the first time are a linux or Apache problem.

  4. #4
    Join Date: Sep 2000 | Location: NY | Posts: 493
    I have noticed a lot of people just hit FINISHED,

    then attempt to manually do it, without the steps.

    So henceforth you will see this issue.
    -----My wife said it was ok----

  5. #5
    Join Date: Jul 2002 | Location: Missouri | Posts: 2,504
    I don't see the big deal. You should set everything up before dumping clients on to a machine.
    What does one host say to the other? "(HostA) Want to go see a movie?" "(HostB) Sure, can your parents drive?"

    I'm premium, and no, I did not have to pay $6 a month to figure that out.

  6. #6
    Join Date: Sep 2002 | Location: Earth | Posts: 2,533
    rcs do you think /bandwidth/ is a problem also??
    You need to lock things down

  7. #7
    Join Date: Oct 2002 | Location: Tel-Aviv, Israel | Posts: 436
    Unless cpanel specifically says "mysql server is installed with no root password and you should change it", then it's their problem (too). They only say "You can set, and change, your MySQL root password at any time. It is recommended that you change your root password often."
    Uadm.com - Unix Administration, Security and Support.
    http://www.uadm.com
    "Unix is user friendly; it's just picky about who its friends are."

  8. #8
    Join Date: Jan 2003 | Location: Lake Arrowhead, CA | Posts: 789
    And they should also put labels on circular saw blades telling children not to use them as frisbees!

    No offense intended to anyone, but too much handholding in almost any situation tends to allow people with less experience to get into deeper waters (and potentially deeper trouble) faster than they might otherwise. If a host/tech can't be bothered to read documentation and follow instructions, should they even be offering mySQL at all?
    http://www.srohosting.com
    Stability, redundancy and peace of mind

  9. #9
    Join Date: Mar 2003 | Location: Fairfax, CA | Posts: 52

    How is it a problem?

    If I set my box to have no mysql password, then log on as root, I can run mysql monitor.

    But if I log on as any other user and attempt to run mysql, it refuses to run.

    In applications, as a user I create a mysql database, and create a mysql user and mysql passcode for that user, then grant that user some permissions. But I only have access to the database I've created.

    It's not clear to me where the danger lies with mysql not having a password. My natural impulse is to have it 'password protected', but so far I cannot see where the passcode protects it.

    For sure, there's plenty about which I am way too ignorant.

    And that's why I ask here, of people who know more. And this is the question --

    What exactly is the vulnerability of mysql running without a root mysql password?
    -- Arthur Cronos from Voltos
    =============================================================
    The Bloggard, Un Hombre Blogisto -- http://www.bloggard.com
    Your loch ness monster, your yeti, your bigfoot. Bah! I've seen worse.
    =============================================================

  10. #10
    Join Date: Oct 2002 | Location: Tel-Aviv, Israel | Posts: 436
    Any user can access the database as root. (If YOU can't, that doesn't mean someone who knows what he's doing can't (no disrespect).)
    Uadm.com - Unix Administration, Security and Support.
    http://www.uadm.com
    "Unix is user friendly; it's just picky about who its friends are."
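    An added check for the exposure posts #9 and #10 argue about, not code from this thread or from cPanel: it tries the MySQL root login with no password over the Unix socket and the TCP loopback, reports the result per host, and wraps the fix from post #1. It assumes the mysql and mysqladmin clients are on PATH; the MYSQL_BIN/MYSQLADMIN_BIN overrides and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from this thread): audit whether the local MySQL root
# account accepts a login with no password, and apply the fix from post #1.
# Assumes the mysql and mysqladmin client binaries are on PATH; the
# MYSQL_BIN/MYSQLADMIN_BIN overrides are an assumption of this script only.
MYSQL_BIN="${MYSQL_BIN:-mysql}"
MYSQLADMIN_BIN="${MYSQLADMIN_BIN:-mysqladmin}"

# Attempt "mysql -u root" with an empty password against one host.
# --no-defaults ignores ~/.my.cnf so a stored password cannot mask the result.
# Exit 0 means the login worked (the exposure post #10 describes: any local
# shell or web user can connect as root); 127 means the client is missing.
root_login_without_password() {
    host="$1"
    "$MYSQL_BIN" --no-defaults -u root -h "$host" -e 'SELECT 1' >/dev/null 2>&1
}

# Map the exit status of a login attempt to a report word.
classify_login_status() {
    case "$1" in
        0)   echo "OPEN" ;;
        127) echo "UNKNOWN" ;;   # client not found: do not report as safe
        *)   echo "PROTECTED" ;;
    esac
}

# Audit the listed hosts, one report line per host. The return value is the
# number of hosts where root logged in with no password (0 means none did).
audit_mysql_root() {
    open=0
    for host in "$@"; do
        root_login_without_password "$host"
        status=$(classify_login_status $?)
        echo "root@$host: $status"
        if [ "$status" = "OPEN" ]; then open=$((open + 1)); fi
    done
    return "$open"
}

# Remediation from post #1, refusing to set an empty password.
set_mysql_root_password() {
    [ -n "$1" ] || { echo "refusing to set an empty root password" >&2; return 2; }
    "$MYSQLADMIN_BIN" -u root password "$1"
}

# Usage: check the socket (localhost) and the TCP loopback address.
audit_mysql_root localhost 127.0.0.1 || echo "$? host(s) open: run set_mysql_root_password 'Newpass'"
```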

  11. #11
    Join Date: May 2001 | Location: Dayton, Ohio | Posts: 4,977
    Originally posted by rcs
    Unless cpanel specifically says "mysql server is installed with no root password and you should change it", then it's their problem (too). They only say "You can set, and change, your MySQL root password at any time. It is recommended that you change your root password often."

    If an admin doesn't know to setup a MySQL root pass, then they shouldn't be working on the server at all

    This is why we have fly-by-night hosting companies that don't know general server administration...

  12. #12
    Join Date: Oct 2002 | Location: Tel-Aviv, Israel | Posts: 436
    I guess we can argue about this forever, but it is my impression that cpanel (or any other control panel) was built to ease the administration tasks for non-technical people. So why would a non-technical cpanel owner have any idea about mysql passwords?
    Uadm.com - Unix Administration, Security and Support.
    http://www.uadm.com
    "Unix is user friendly; it's just picky about who its friends are."

  13. #13
    Join Date: Apr 2002 | Location: USA | Posts: 5,783
    Originally posted by rcs
    I guess we can argue about this forever, but it is my impression that cpanel (or any other control panel) was built to ease the administration tasks for non-technical people. So why would a non-technical cpanel owner have any idea about mysql passwords?
    It was built to make it easier to administer a server; that does not mean it was built to administer the server for you.

    Power steering was added to cars to make them easier to drive; that does not mean it steers the car for you.

  14. #14
    Join Date: Oct 2002 | Location: Tel-Aviv, Israel | Posts: 436
    Originally posted by Monte
    Power steering was added to cars to make them easier to drive; that does not mean it steers the car for you.
    Yet no one would give you a power steering wheel with a pin missing, saying "we recommend you put the pin in". The least they would have said is "there's no pin in the wheel. You need to put it in or else you'll drive off the road."
    Uadm.com - Unix Administration, Security and Support.
    http://www.uadm.com
    "Unix is user friendly; it's just picky about who its friends are."

  15. #15
    Join Date: Jul 2002 | Location: Missouri | Posts: 2,504
    True, however if you were a race car mechanic you'd check that out before you let the driver in the car.

    A normal person buying a car (a non-technical guy trying to run a machine) isn't going to run a scan on the box for common security holes (or faulty setups) like a mechanic would do to a car....

    No comparison really.
    What does one host say to the other? "(HostA) Want to go see a movie?" "(HostB) Sure, can your parents drive?"

    I'm premium, and no, I did not have to pay $6 a month to figure that out.

  16. #16
    Yet no one would give you a power steering wheel with a pin missing, saying "we recommend you put the pin in". The least they would have said is "there's no pin in the wheel. You need to put it in or else you'll drive off the road."

    ----------
    Wow... you come up with some strange analogies (that don't make much sense). Servers DO NOT come 100% secure by default... that's why you hire admins. If it were as easy as you seem to want it, then a 3rd grader (maybe even a monkey) could run a webhosting business and click the pretty buttons all day. Web appliances make the routine tasks easier by providing a GUI as opposed to doing everything by the command line. You should still know what you are doing and have an understanding of how everything works. If you take things for granted and expect everything to come with already secure passwords for you, then it's time to wake up and smell the coffee... not to mention get out of the hosting business, because when your server gets hacked and is used in a DDoS attack you are not going to be very popular.

  17. #17
    Join Date: Apr 2002 | Location: USA | Posts: 5,783
    Originally posted by rcs
    Yet no one would give you a power steering wheel with a pin missing, saying "we recommend you put the pin in". The least they would have said is "there's no pin in the wheel. You need to put it in or else you'll drive off the road."
    No but if you buy a power steering kit to put on a car are you going to blame the kit maker because you installed it wrong?

    If you install MySQL without a CP, does it set the password for you? Cpanel, when installed on a server, has to be set up just like any piece of software; if you can't read the docs or do not understand how to set it up, then you suffer the consequences.

  18. #18
    Join Date: Apr 2001 | Posts: 2,611
    This is just disgusting! cPanel isn't meant to replace an admin, nor should it be. It's meant to make managing clients easier, and it has a few added tools to help make admining easier. Just because cpanel doesn't completely lock down your box for you doesn't mean you can brush off the crap on them. Get an admin, or get out of the business!

  19. #19
    Join Date: Apr 2001 | Location: Palm Beach, FL | Posts: 1,097

    Re: cpanel mysql (lack of) security

    Originally posted by rcs
    Let me get this straight: Cpanel, in the default install, puts mysql with no password for the root user and no one cries OMG!!?
    Have you ever installed Mysql on its own? Without any control panel? Root has no password by default (on all the installations I've done, anyway). I wonder, if it set a root password, how would I get it...

    Don't blame Cpanel for something Cpanel is not really at fault for.

    Control panels don't replace admins. They are simply a tool for an admin. People in general need to realize that.
    Alex Llera
    Professional Server Management
    FreeBSD|Linux|HSphere|Cpanel|Plesk

  20. #20
    Join Date: Sep 2002 | Location: Earth | Posts: 2,533
    Wow what a thread
