severity 496442 wishlist
retitle 496442 Could prevent logging in as root without password by default
tags 496442 upstream
thanks

Hi,

On Sun, August 24, 2008 20:53, Sylvain Avril wrote:
> The debian mysql package configures the root user with no password by
> default. It is not a problem (and rather useful as long as you know what
> you do) as long as only trusted users have access to the console. When
> phpmyadmin is installed, it accesses mysql via localhost so it is possible
> to log in as root with no password via the web interface.

Thank you for your concern. However, I do not agree with your suggestion
at all.

First I do not believe that this is a critical security bug in any sense.
Any user installing the package does so by choice: the user chooses to
install something that makes their MySQL server available worldwide over
the web as-is. That is exactly the package's task. If you install sshd on
a system where you only used trivial passwords you're similarly opening
yourself up.

You could argue that the package should warn those that have somehow
missed the implications. Such a thing I would see as an extra service that
is a wishlist item but not a flaw in the existing program. So I'm
downgrading the bug to wishlist.

Then the question of whether to implement this wishlist item. I do not
believe that this should be implemented as you write, for a number of
reasons:
1) All MySQL documentation is very clear about the root user not having a
   password and the need for changing that for any secure setup.
2) MySQL in Debian actually asks for a root password upon install. If the
   user refuses that option I don't believe they will suddenly be impressed
   by phpmyadmin's message there.
3) It seems unlikely to me that someone who didn't yet set the root
   password did get around to adding valuable databases and data to it.
4) phpMyAdmin already includes a warning about empty root passwords
   immediately after logging in.
5) During installation we have no clue as to which MySQL server the user is
   going to use with phpMyAdmin, that may be localhost but just as well a
   remote MySQL server. Hence we cannot really check this reliably.

Note that the problem is not Debian-specific: untarring phpMyAdmin from
upstream will yield the same exposure. I therefore think that *if* this
should be addressed, it should be addressed in the upstream code instead.

One thing I think could be useful to mitigate this issue, is phpMyAdmin by
default disallowing the root+'' login combination, overridable by a config
setting. I will take this up with upstream to see how they think about
this.

cheers,
Thijs
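As an added illustration of the exposure discussed in this report (not code from the bug report, phpMyAdmin or Debian): a small Python audit that reads the tab-separated output of `mysql -e "SELECT User, Host, Password FROM mysql.user"` and flags accounts that can log in with an empty password from localhost, which is exactly what a phpMyAdmin instance on the same machine would be able to use. The sample output, including its hostnames and hashes, is constructed.

```python
"""Audit a MySQL user table for accounts usable without a password.

Added example, not part of the bug report or of phpMyAdmin/Debian.
Input: tab-separated output of
    mysql -e "SELECT User, Host, Password FROM mysql.user"
MySQL 5.7+ names the hash column authentication_string; both are accepted.
"""

# Constructed sample output; accounts, hosts and hashes are invented.
SAMPLE_OUTPUT = """\
User\tHost\tPassword
root\tlocalhost\t
root\t127.0.0.1\t*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
debian-sys-maint\tlocalhost\t*5A1B2C3D4E5F60718293A4B5C6D7E8F9A0B1C2D3
webapp\t%\t
\tlocalhost\t
"""

# Host patterns that a client on the same machine (a local phpMyAdmin
# connecting to localhost, for instance) can match.
LOCAL_HOST_PATTERNS = ("localhost", "127.0.0.1", "::1", "%")


def parse_user_table(text):
    """Turn the tab-separated mysql output into a list of account dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    pw_col = next(i for i, h in enumerate(header)
                  if h in ("Password", "authentication_string"))
    user_col, host_col = header.index("User"), header.index("Host")
    rows = []
    for line in lines[1:]:
        fields = line.split("\t")  # a trailing tab yields an empty hash
        rows.append({"user": fields[user_col],
                     "host": fields[host_col],
                     "password": fields[pw_col]})
    return rows


def find_passwordless_accounts(rows):
    """Return (user, host, reachable_from_localhost) for every empty-hash account.

    The anonymous account (empty User) is reported too: it is another
    default that a local web front end could use."""
    findings = []
    for r in rows:
        if r["password"] == "":
            findings.append((r["user"], r["host"],
                             r["host"] in LOCAL_HOST_PATTERNS))
    return findings


if __name__ == "__main__":
    for user, host, local in find_passwordless_accounts(parse_user_table(SAMPLE_OUTPUT)):
        print(f"no password: '{user}'@'{host}'"
              + ("  (reachable from localhost)" if local else ""))
```

Run it against real `mysql -e` output to see whether the root+'' combination the report describes is present before exposing the server through a web front end.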