cpanel mysql (lack of) security

  #1  
Aspiring Evangelist
 
Join Date: Oct 2002
Location: Tel-Aviv, Israel
Posts: 433

cpanel mysql (lack of) security


Let me get this straight: Cpanel, in the default install, puts mysql with no password for the root user and no one cries OMG!!?

btw, to repair: mysqladmin -u root password 'Newpass'

__________________
Uadm.com - Unix Administration, Security and Support.
http://www.uadm.com
"Unix is user friendly; it's just picky about who its friends are."


Last edited by rcs; 04-22-2003 at 10:16 PM.
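
An added example, not part of any post in this thread: a shell audit that lists MySQL accounts still stored with an empty password. mysqladmin changes the password only for the account it connects as, so other root rows and anonymous accounts need checking separately. Assumptions: MySQL 5.7+ column names (plugin, authentication_string; older servers keep the hash in Password); the function names and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag MySQL accounts that accept a login with no password.
# Input rows: user<TAB>host<TAB>plugin<TAB>hash, as printed by `mysql -N -B`.

# Print "user@host" for every account whose stored hash is empty.
# Socket-peer plugins are skipped: those accounts have no hash by design
# and are tied to the matching operating-system user instead.
flag_empty_passwords() {
    awk -F '\t' '
        $3 == "auth_socket" || $3 == "unix_socket" { next }
        $4 == "" || $4 == "NULL" {
            printf "%s@%s\n", ($1 == "" ? "(anonymous)" : $1), $2
        }
    '
}

# Query a live server and flag its rows. Extra arguments are passed to the
# mysql client (for example: -u root -p). Column names assume MySQL 5.7+.
audit_live() {
    mysql -N -B "$@" -e \
        'SELECT user, host, plugin, authentication_string FROM mysql.user' |
        flag_empty_passwords
}

# Constructed sample: root@localhost was given a password, but the second
# root row and the anonymous account were left untouched.
sample_rows() {
    printf 'root\tlocalhost\tmysql_native_password\t*CONSTRUCTEDHASH0000\n'
    printf 'root\tserver1.example.test\tmysql_native_password\t\n'
    printf '\tlocalhost\tmysql_native_password\t\n'
    printf 'maint\tlocalhost\tauth_socket\t\n'
}

# "--live [mysql options]" audits a real server; otherwise use the sample.
if [ "${1:-}" = "--live" ]; then
    shift
    audit_live "$@"
else
    sample_rows | flag_empty_passwords
fi
```

Any account the audit prints should be given a password or dropped before the server goes into production.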


  #2  
Web Hosting Master
 
Join Date: Apr 2000
Posts: 1,588
The WHM setup walkthrough has as one of its steps the setting of the mySQL root pass by the user. Those who decide to skip the walkthrough (as we do) can simply set a password through several different methods before releasing the server into production. Those who fail to set one through any of the means presented have attention to detail issues - but that isn't a cPanel problem.

__________________
Annette
Hosting Matters, Inc.
Superior service. Sensible price.

  #3  
Web Hosting Master
 
Join Date: Apr 2002
Location: Australia or US depends
Posts: 5,752
Anyone who has a server should know how to set up a root password for MySql in WHM or know that to do this is part of the normal deployment of a box before putting customers on it.

I do not see how this is a cpanel problem any more than the other things you should be doing to secure a box before deploying it for the first time are a linux or Apache problem.

__________________
Techark Web Hosting
Cloud Servers and Managed Dedicated Servers with Live Proactive Monitoring
My Blog of Random Thoughts

  #4  
** years in the Hosting Biz
 
Join Date: Sep 2000
Location: NY
Posts: 489
I have noticed a lot of people just hit FINISHED

then attempt to manually do it, without the steps

So henceforth you will see this issue

__________________
-----My wife said it was ok----

  #5  
Web Hosting Master
 
Join Date: Jul 2002
Location: Missouri
Posts: 2,504
I don't see the big deal. You should set everything up before dumping clients on to a machine.

__________________
What does one host say to the other? "(HostA) Want to go see a movie?" "(HostB) Sure, can your parents drive?"

I'm premium, and no, I did not have to pay $6 a month to figure that out.

  #6  
Web Hosting Master
 
Join Date: Sep 2002
Posts: 2,372
rcs do you think /bandwidth/ is a problem also??
You need to lock things down

__________________
Webslice

Australian Web Hosting

  #7  
Aspiring Evangelist
 
Join Date: Oct 2002
Location: Tel-Aviv, Israel
Posts: 433
Unless cpanel specifically says "mysql server is installed with no root password and you should change it" then it's their problem (too). They only say "You can set, and change, your MySQL root password at any time. It is recommended that you change your root password often."

__________________
Uadm.com - Unix Administration, Security and Support.
http://www.uadm.com
"Unix is user friendly; it's just picky about who its friends are."

  #8  
Web Hosting Master
 
Join Date: Jan 2003
Location: Lake Arrowhead, CA
Posts: 789
And they should also put labels on circular saw blades telling children not to use them as frisbees!

No offense intended to anyone, but too much handholding in almost any situation tends to allow people with less experience to get into deeper waters (and potentially deeper trouble) faster than they might otherwise. If a host/tech can't be bothered to read documentation and follow instructions, should they even be offering mySQL at all?

__________________
http://www.srohosting.com
Stability, redundancy and peace of mind

  #9  
Junior Guru Wannabe
 
Join Date: Mar 2003
Location: Fairfax, CA
Posts: 52
How is it a problem?

If I set my box to have no mysql password, then log on as root, I can run mysql monitor.

But if I log on as any other user and attempt to run mysql, it refuses to run.

In applications, as a user I create a mysql database, and create a mysql user and mysql passcode for that user, then grant that user some permissions. But I only have access to the database I've created.

It's not clear to me where the danger lies with mysql not having a password. My natural impulse is to have it 'password protected', but so far I cannot see where the passcode protects it.

For sure, there's plenty about which I am way too ignorant.

And that's why I ask here, of people who know more. And this is the question --

What exactly is the vulnerability of mysql running without a root mysql password?

__________________
-- Arthur Cronos from Voltos
=============================================================
The Bloggard, Un Hombre Blogisto -- http://www.bloggard.com
Your loch ness monster, your yeti, your bigfoot. Bah! I've seen worse.
=============================================================

  #10  
Aspiring Evangelist
 
Join Date: Oct 2002
Location: Tel-Aviv, Israel
Posts: 433
Any user can access the database as root. (If YOU can't, it doesn't mean someone who knows what he's doing can't (no disrespect).)

__________________
Uadm.com - Unix Administration, Security and Support.
http://www.uadm.com
"Unix is user friendly; it's just picky about who its friends are."

  #11  
iNET Interactive
 
Join Date: May 2001
Location: Dayton, Ohio
Posts: 4,897
Quote:
Originally posted by rcs
Unless cpanel specifically says "mysql server is installed with no root password and you should change it" then it's their problem (too). They only say "You can set, and change, your MySQL root password at any time. It is recommended that you change your root password often."



If an admin doesn't know to set up a MySQL root pass, then they shouldn't be working on the server at all.

This is why we have fly-by-night hosting companies that don't know general server administration...

  #12  
Aspiring Evangelist
 
Join Date: Oct 2002
Location: Tel-Aviv, Israel
Posts: 433
I guess we can argue about this forever, but it is my impression that cpanel (or any other control panel) was built to ease the administration tasks for non-technical people. So why would a non-technical cpanel owner have any idea about mysql passwords?

__________________
Uadm.com - Unix Administration, Security and Support.
http://www.uadm.com
"Unix is user friendly; it's just picky about who its friends are."

  #13  
Web Hosting Master
 
Join Date: Apr 2002
Location: Australia or US depends
Posts: 5,752
Quote:
Originally posted by rcs
I guess we can argue about this forever, but it is my impression that cpanel (or any other control panel) was built to ease the administration tasks for non-technical people. So why would a non-technical cpanel owner have any idea about mysql passwords?

It was built to make it easier to administer a server; that does not mean it was built to administer the server for you.

Power steering was added to cars to make them easier to drive; that does not mean it steers the car for you.

__________________
Techark Web Hosting
Cloud Servers and Managed Dedicated Servers with Live Proactive Monitoring
My Blog of Random Thoughts

  #14  
Aspiring Evangelist
 
Join Date: Oct 2002
Location: Tel-Aviv, Israel
Posts: 433
Quote:
Originally posted by Monte
Power steering was added to cars to make them easier to drive; that does not mean it steers the car for you.

Yet no one would give you a power steering wheel with a pin missing, saying "we recommend you put the pin in". The least they would have to say is "there's no pin in the wheel. You need to put it in or else you'll drive off the road."

__________________
Uadm.com - Unix Administration, Security and Support.
http://www.uadm.com
"Unix is user friendly; it's just picky about who its friends are."

  #15  
Web Hosting Master
 
Join Date: Jul 2002
Location: Missouri
Posts: 2,504
True, however if you were a race car mechanic you'd check that out before you let the driver in the car.

A normal person buying a car (a non-technical guy trying to run a machine) isn't going to run a scan on the box for common security holes (or faulty setups) like a mechanic would do to a car....

No comparison really.

__________________
What does one host say to the other? "(HostA) Want to go see a movie?" "(HostB) Sure, can your parents drive?"

I'm premium, and no, I did not have to pay $6 a month to figure that out.
