
04-22-2003, 10:00 PM
|
|
Aspiring Evangelist
|
|
Join Date: Oct 2002
Location: Tel-Aviv, Israel
Posts: 433
|
|
cpanel mysql (lack of) security
Let me get this straight: Cpanel, in the default install, puts mysql with no password for the root user and no one cries OMG!!?
btw, to repair: mysqladmin -u root password 'Newpass'
__________________
Uadm.com - Unix Administration, Security and Support.
http://www.uadm.com
"Unix is user friendly; it's just picky about who its friends are."
Last edited by rcs; 04-22-2003 at 10:16 PM.
|

04-22-2003, 11:51 PM
|
|
Web Hosting Master
|
|
Join Date: Apr 2000
Posts: 1,584
|
|
The WHM setup walkthrough has as one of its steps the setting of the mySQL root pass by the user. Those who decide to skip the walkthrough (as we do) can simply set a password through several different methods before releasing the server into production. Those who fail to set one through any of the means presented have attention to detail issues - but that isn't a cPanel problem.
|

04-23-2003, 12:05 AM
|
|
Web Hosting Master
|
|
Join Date: Apr 2002
Location: Australia or US depends
Posts: 5,723
|
|
Anyone who has a server should know how to set up a root password for MySql in WHM or know that to do this is part of the normal deployment of a box before putting customers on it.
I do not see how this is a cpanel problem any more than the other things you should be doing to secure a box before deploying it for the first time are a linux or Apache problem.
|

04-23-2003, 01:56 AM
|
|
Shaping How Hosting is Done
|
|
Join Date: Sep 2000
Location: NY
Posts: 489
|
|
I have noticed a lot of people just hit FINISHED
then attempt to manually do it, without the steps.
So henceforth you will see this issue.
__________________
-----My wife said it was ok----
|

04-23-2003, 04:10 AM
|
|
Web Hosting Master
|
|
Join Date: Jul 2002
Location: Missouri
Posts: 2,504
|
|
I don't see the big deal. You should set everything up before dumping clients on to a machine.
__________________
What does one host say to the other? "(HostA) Want to go see a movie?" "(HostB) Sure, can your parents drive?"
I'm premium, and no, I did not have to pay $6 a month to figure that out.
|

04-23-2003, 04:47 AM
|
|
Web Hosting Master
|
|
Join Date: Oct 2002
Posts: 2,283
|
|
rcs do you think /bandwidth/ is a problem also??
You need to lock things down 
|

04-23-2003, 10:46 AM
|
|
Aspiring Evangelist
|
|
Join Date: Oct 2002
Location: Tel-Aviv, Israel
Posts: 433
|
|
unless cpanel specifically says "mysql server is installed with no root password and you should change it" then it's their problem (too). They only say "You can set, and change, your MySQL root password at any time. It is recommended that you change your root password often."
__________________
Uadm.com - Unix Administration, Security and Support.
http://www.uadm.com
"Unix is user friendly; it's just picky about who its friends are."
|

04-23-2003, 11:28 AM
|
|
Web Hosting Master
|
|
Join Date: Jan 2003
Location: Lake Arrowhead, CA
Posts: 789
|
|
And they should also put labels on circular saw blades telling children not to use them as frisbees!
No offense intended to anyone, but too much handholding in almost any situation tends to allow people with less experience to get into deeper waters (and potentially deeper trouble) faster than they might otherwise. If a host/tech can't be bothered to read documentation and follow instructions, should they even be offering mySQL at all?
|

04-23-2003, 12:03 PM
|
|
Junior Guru Wannabe
|
|
Join Date: Mar 2003
Location: Fairfax, CA
Posts: 52
|
|
If I set my box to have no mysql password, then log on as root, I can run mysql monitor.
But if I log on as any other user and attempt to run mysql, it refuses to run.
In applications, as a user I create a mysql database, and create a mysql user and mysql passcode for that user, then grant that user some permissions. But I only have access to the database I've created.
It's not clear to me where the danger lies with mysql not having a password. My natural impulse is to have it 'password protected', but so far I cannot see where the passcode protects it.
For sure, there's plenty about which I am way too ignorant.
And that's why I ask here, of people who know more. And this is the question --
What exactly is the vulnerability of mysql running without a root mysql password?
__________________
-- Arthur Cronos from Voltos
=============================================================
The Bloggard, Un Hombre Blogisto -- http://www.bloggard.com
Your loch ness monster, your yeti, your bigfoot. Bah! I've seen worse.
=============================================================
|

04-23-2003, 12:08 PM
|
|
Aspiring Evangelist
|
|
Join Date: Oct 2002
Location: Tel-Aviv, Israel
Posts: 433
|
|
Any user can access the database as root. (If YOU can't, it doesn't mean someone who knows what he's doing can't (no disrespect).)
__________________
Uadm.com - Unix Administration, Security and Support.
http://www.uadm.com
"Unix is user friendly; it's just picky about who its friends are."
|
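A defender-side check for the condition discussed in this thread, added here as an example and not taken from any poster or from cPanel: it flags MySQL accounts that have no password set. It assumes tab-separated rows of User, Host and password hash, as produced by `mysql -N -B -e "SELECT User, Host, Password FROM mysql.user"` on servers of this era (newer servers store the hash in `authentication_string` instead); the function names and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit mysql.user rows for accounts with no password.
# Input on stdin: User<TAB>Host<TAB>PasswordHash, one account per line.
# An empty first field is MySQL's anonymous account.

audit_mysql_users() {
    # Prints one finding per passwordless account; exits 1 if any were found.
    awk -F '\t' '
        $3 == "" || $3 == "NULL" {
            sev  = ($1 == "root") ? "CRITICAL" : "WARN"
            name = ($1 == "") ? "(anonymous)" : $1
            printf "%s\t%s@%s\tno password set\n", sev, name, $2
            bad++
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample rows (not from a real server): two passwordless root
# entries, one anonymous account, and one account with an old-style hash.
sample_rows() {
    printf 'root\tlocalhost\t\n'
    printf 'root\tserver1.example.com\t\n'
    printf '\tlocalhost\t\n'
    printf 'appuser\tlocalhost\t5d2e19393cc5ef67\n'
}

if ! sample_rows | audit_mysql_users; then
    echo "Passwordless accounts found; set passwords before the server goes into production."
fi
```

On a live server, pipe the query output into `audit_mysql_users` instead of `sample_rows`, and fix a CRITICAL root finding with the `mysqladmin -u root password` command from the first post.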

04-23-2003, 12:09 PM
|
|
iNET Interactive
|
|
Join Date: May 2001
Location: Dayton, Ohio
Posts: 4,870
|
|
Quote:
Originally posted by rcs
unless cpanel specifically says "mysql server is installed with no root password and you should change it" then it's their problem (too). They only say "You can set, and change, your MySQL root password at any time. It is recommended that you change your root password often."
|
If an admin doesn't know to set up a MySQL root pass, then they shouldn't be working on the server at all.
This is why we have fly-by-night hosting companies that don't know general server administration...
|

04-23-2003, 12:28 PM
|
|
Aspiring Evangelist
|
|
Join Date: Oct 2002
Location: Tel-Aviv, Israel
Posts: 433
|
|
I guess we can argue about this forever, but it is my impression that cpanel (or any other control panel) was built to ease the administration tasks for non-technical people. So why would a non-technical cpanel owner have any idea about mysql passwords?
__________________
Uadm.com - Unix Administration, Security and Support.
http://www.uadm.com
"Unix is user friendly; it's just picky about who its friends are."
|

04-23-2003, 12:48 PM
|
|
Web Hosting Master
|
|
Join Date: Apr 2002
Location: Australia or US depends
Posts: 5,723
|
|
Quote:
Originally posted by rcs
I guess we can argue about this forever, but it is my impression that cpanel (or any other control panel) was built to ease the administration tasks for non-technical people. So why would a non-technical cpanel owner have any idea about mysql passwords?
|
It was built to make it easier to administer a server; that does not mean it was built to administer the server for you.
Power steering was added to cars to make them easier to drive; that does not mean it steers the car for you.
|

04-23-2003, 12:53 PM
|
|
Aspiring Evangelist
|
|
Join Date: Oct 2002
Location: Tel-Aviv, Israel
Posts: 433
|
|
Quote:
Originally posted by Monte
Power steering was added to cars to make them easier to drive; that does not mean it steers the car for you.
|
Yet no one would give you a power steering wheel with a pin missing, saying "we recommend you put the pin in". The least they would have said is "there's no pin in the wheel. You need to put it in or else you'll drive off the road".
__________________
Uadm.com - Unix Administration, Security and Support.
http://www.uadm.com
"Unix is user friendly; it's just picky about who its friends are."
|

04-23-2003, 12:59 PM
|
|
Web Hosting Master
|
|
Join Date: Jul 2002
Location: Missouri
Posts: 2,504
|
|
True, however if you were a race car mechanic you'd check that out before you let the driver in the car.
A normal person buying a car (a non-technical guy trying to run a machine) isn't going to run a scan on the box for common security holes (or faulty setups) like a mechanic would do to a car....
No comparison really.
__________________
What does one host say to the other? "(HostA) Want to go see a movie?" "(HostB) Sure, can your parents drive?"
I'm premium, and no, I did not have to pay $6 a month to figure that out.
|