  1. #1
    Join Date: Oct 2002 | Location: Tel-Aviv, Israel | Posts: 433

    cpanel mysql (lack of) security

    Let me get this straight: cPanel, in the default install, puts MySQL with no password for the root user, and no one cries OMG!!?

    btw, to repair: mysqladmin -u root password 'Newpass'
    Last edited by rcs; 04-22-2003 at 10:16 PM.
    Uadm.com - Unix Administration, Security and Support.
    http://www.uadm.com
    "Unix is user friendly; it's just picky about who its friends are."

  2. #2
    The WHM setup walkthrough has as one of its steps the setting of the MySQL root pass by the user. Those who decide to skip the walkthrough (as we do) can simply set a password through several different methods before releasing the server into production. Those who fail to set one through any of the means presented have attention-to-detail issues, but that isn't a cPanel problem.
    Annette
    Hosting Matters, Inc.
    Superior service. Sensible price.

  3. #3
    Join Date: Apr 2002 | Location: USA | Posts: 5,763
    Anyone who has a server should know how to set up a root password for MySQL in WHM, or know that doing this is part of the normal deployment of a box before putting customers on it.

    I do not see how this is a cpanel problem any more than the other things you should be doing to secure a box before deploying it for the first time are a linux or Apache problem.

  4. #4
    Join Date: Sep 2000 | Location: NY | Posts: 489
    I have noticed a lot of people just hit FINISHED,

    then attempt to manually do it, without the steps.

    So henceforth you will see this issue.
    -----My wife said it was ok----

  5. #5
    Join Date: Jul 2002 | Location: Missouri | Posts: 2,504
    I don't see the big deal. You should set everything up before dumping clients on to a machine.
    What does one host say to the other? "(HostA) Want to go see a movie?" "(HostB) Sure, can your parents drive?"

    I'm premium, and no, I did not have to pay $6 a month to figure that out.

  6. #6
    rcs, do you think /bandwidth/ is a problem also??
    You need to lock things down.

  7. #7
    Join Date: Oct 2002 | Location: Tel-Aviv, Israel | Posts: 433
    Unless cPanel specifically says "mysql server is installed with no root password and you should change it", then it's their problem (too). They only say "You can set, and change, your MySQL root password at any time. It is recommended that you change your root password often."
    Uadm.com - Unix Administration, Security and Support.
    http://www.uadm.com
    "Unix is user friendly; it's just picky about who its friends are."

  8. #8
    Join Date: Jan 2003 | Location: Lake Arrowhead, CA | Posts: 789
    And they should also put labels on circular saw blades telling children not to use them as frisbees!

    No offense intended to anyone, but too much handholding in almost any situation tends to allow people with less experience to get into deeper waters (and potentially deeper trouble) faster than they might otherwise. If a host/tech can't be bothered to read documentation and follow instructions, should they even be offering mySQL at all?
    http://www.srohosting.com
    Stability, redundancy and peace of mind

  9. #9
    Join Date: Mar 2003 | Location: Fairfax, CA | Posts: 52

    How is it a problem?

    If I set my box to have no mysql password, then log on as root, I can run mysql monitor.

    But if I log on as any other user and attempt to run mysql, it refuses to run.

    In applications, as a user I create a mysql database, and create a mysql user and mysql passcode for that user, then grant that user some permissions. But I only have access to the database I've created.

    It's not clear to me where the danger lies with mysql not having a password. My natural impulse is to have it 'password protected', but so far I cannot see where the passcode protects it.

    For sure, there's plenty about which I am way too ignorant.

    And that's why I ask here, of people who know more. And this is the question --

    What exactly is the vulnerability of mysql running without a root mysql password?
    -- Arthur Cronos from Voltos
    =============================================================
    The Bloggard, Un Hombre Blogisto -- http://www.bloggard.com
    Your loch ness monster, your yeti, your bigfoot. Bah! I've seen worse.
    =============================================================

  10. #10
    Join Date: Oct 2002 | Location: Tel-Aviv, Israel | Posts: 433
    Any user can access the database as root. (If YOU can't, that doesn't mean someone who knows what he's doing can't (no disrespect).)
    Uadm.com - Unix Administration, Security and Support.
    http://www.uadm.com
    "Unix is user friendly; it's just picky about who its friends are."
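    The following is an added worked example, not code posted by anyone in this thread, covering both the repair in #1 and the exposure asked about in #9 and answered in #10. It assumes a 2003-era MySQL (3.23/4.0) as shipped with cPanel at the time: mysql.user has a Password column, mysqladmin and SET PASSWORD are the tools, and mysql_install_db has created root@localhost plus root@<hostname> and the anonymous accounts, all with empty passwords. The query output, the constructed sample rows, the hostname myhost and the hash value used in the check are assumptions for illustration. On MySQL 5.7 and later the column is authentication_string and the fix is ALTER USER, so the SQL below would need adjusting there.

```shell
#!/bin/sh
# Added example, not from the thread. Audits mysql.user for accounts with an
# empty password (root or otherwise) and shows the repair from #1.
# Assumes MySQL 3.23/4.0: mysql.user has a Password column and
# mysqladmin/SET PASSWORD/UPDATE mysql.user are the right tools. On 5.7+ the
# column is authentication_string and the fix is ALTER USER ... IDENTIFIED BY.

# find_empty_passwords: reads tab-separated "User<TAB>Host<TAB>Password" rows
# on stdin, which is exactly what
#   mysql -N -u root -e "SELECT User, Host, Password FROM mysql.user"
# prints. Emits one "user@host" line per account whose password is empty and
# returns 1 if any of them is root, 0 otherwise. awk is used instead of `read`
# because a tab-only IFS would swallow the empty User field of anonymous rows.
find_empty_passwords() {
    awk -F '\t' '
        NF >= 2 && $3 == "" {
            printf "%s@%s\n", ($1 == "" ? "<anonymous>" : $1), $2
            if ($1 == "root") bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# audit_live: the same check against the local server. MySQL of this era
# authenticates against its own user table only, never the Unix account, so
# any shell user who can reach the socket can run this as root while root has
# no password. That is the exposure #9 asks about and #10 describes.
audit_live() {
    mysql -N -u root -e "SELECT User, Host, Password FROM mysql.user" | find_empty_passwords
}

# fix_root_password: the repair from #1, plus the rows it leaves behind.
# mysqladmin changes only the account you authenticated as (root@localhost);
# mysql_install_db also creates root@<hostname> and two anonymous accounts
# with empty passwords, so the UPDATE covers every root row and the DELETE
# drops the anonymous ones. FLUSH PRIVILEGES makes the direct table edits take
# effect without a restart. Assumes the new password contains no single quote.
fix_root_password() {
    newpass="$1"
    mysqladmin -u root password "$newpass"
    mysql -u root -p"$newpass" -e "
        UPDATE mysql.user SET Password = PASSWORD('$newpass') WHERE User = 'root';
        DELETE FROM mysql.user WHERE User = '';
        FLUSH PRIVILEGES;"
}

# verify_locked: after the fix, a passwordless root login must be refused
# (the server answers ERROR 1045). Returns 0 only when it is refused.
verify_locked() {
    command -v mysql >/dev/null 2>&1 || { echo "mysql client not found" >&2; return 2; }
    if mysql -u root -e "SELECT 1" >/dev/null 2>&1; then
        echo "root still connects with no password" >&2
        return 1
    fi
    echo "passwordless root login refused"
}

# Typical use on a real box (not run here):
#   audit_live && echo "no empty-password root" || fix_root_password 'Newpass'
#   verify_locked
```

    Two caveats for production use: `-p"$newpass"` on the command line is visible in `ps` to every local user for the duration of the command, so on a shared box prefer an interactive `mysql -u root -p` or a mode-600 ~/.my.cnf; and run the audit again afterwards, because a cPanel box may have other accounts (not just root) that were granted with empty passwords and those are reported the same way.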

  11. #11
    Join Date: May 2001 | Location: Dayton, Ohio | Posts: 4,909
    Originally posted by rcs
    Unless cPanel specifically says "mysql server is installed with no root password and you should change it", then it's their problem (too). They only say "You can set, and change, your MySQL root password at any time. It is recommended that you change your root password often."

    If an admin doesn't know to set up a MySQL root pass, then they shouldn't be working on the server at all.

    This is why we have fly-by-night hosting companies that don't know general server administration...

  12. #12
    Join Date: Oct 2002 | Location: Tel-Aviv, Israel | Posts: 433
    I guess we can argue about this forever, but it is my impression that cPanel (or any other control panel) was built to ease the administration tasks for non-technical people. So why would a non-technical cPanel owner have any idea about MySQL passwords?
    Uadm.com - Unix Administration, Security and Support.
    http://www.uadm.com
    "Unix is user friendly; it's just picky about who its friends are."

  13. #13
    Join Date: Apr 2002 | Location: USA | Posts: 5,763
    Originally posted by rcs
    I guess we can argue about this forever, but it is my impression that cPanel (or any other control panel) was built to ease the administration tasks for non-technical people. So why would a non-technical cPanel owner have any idea about MySQL passwords?
    It was built to make it easier to administer a server; that does not mean it was built to administer the server for you.

    Power steering was added to cars to make them easier to drive; that does not mean it steers the car for you.

  14. #14
    Join Date: Oct 2002 | Location: Tel-Aviv, Israel | Posts: 433
    Originally posted by Monte
    Power steering was added to cars to make them easier to drive; that does not mean it steers the car for you.
    Yet no one would give you a power steering wheel with a pin missing, saying "we recommend you put the pin in". The least they would have to say is "there's no pin in the wheel; you need to put it in or else you'll drive off the road".
    Uadm.com - Unix Administration, Security and Support.
    http://www.uadm.com
    "Unix is user friendly; it's just picky about who its friends are."

  15. #15
    Join Date: Jul 2002 | Location: Missouri | Posts: 2,504
    True, however if you were a race car mechanic you'd check that out before you let the driver in the car.

    A normal person buying a car (a non-technical guy trying to run a machine) isn't going to run a scan on the box for common security holes (or faulty setups) like a mechanic would do to a car.

    No comparison really.
    What does one host say to the other? "(HostA) Want to go see a movie?" "(HostB) Sure, can your parents drive?"

    I'm premium, and no, I did not have to pay $6 a month to figure that out.
