Hi Mark,

By default, the installation has to provide a way to access it: a starting user. It's not a security hole because: 1) do not open your system to the Internet (public mysql or running openser) immediately after installation without customizing it; 2) before installation, you may set a different default username and password via environment variables (check the beginning of the opensermysql script).

This is a typical behaviour of all software: to leave an initial way of access not properly configured. They may indeed turn into security holes:
   mysqld installs by default the user root with no password.
   apache starts by default listening on all interfaces (including the public ones).
   etc....

regards,
bogdan
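The concern raised by Mark (a well-known "admin" / openserrw pair embedded in the subscriber table) and Bogdan's point that such defaults must be changed before exposing the system can both be turned into an audit. The following is an added example, not code from the thread or from the openser project: it scans subscriber rows for accounts still carrying a default password, checking both the plaintext column and the digest HA1 column (SIP digest HA1 = MD5(username:realm:password)). The column names username, domain, password and ha1 and the sample rows are constructed assumptions.

```python
import hashlib

# Constructed sample rows modelled on an openser `subscriber` table.
# Column names are an assumption; values are made up for the example.
SAMPLE_ROWS = [
    {"username": "admin", "domain": "example.org",
     "password": "openserrw", "ha1": ""},
    {"username": "alice", "domain": "example.org", "password": "",
     "ha1": hashlib.md5(b"alice:example.org:s3cret").hexdigest()},
    # Plaintext column cleared, but the stored HA1 still encodes the default.
    {"username": "bob", "domain": "example.org", "password": "",
     "ha1": hashlib.md5(b"bob:example.org:openserrw").hexdigest()},
]

# Default password named in the thread; extend with any site-specific defaults.
DEFAULT_PASSWORDS = ("openserrw",)


def sip_ha1(username, realm, password):
    """HA1 as used by SIP digest authentication: MD5(username:realm:password)."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def find_default_credentials(rows, defaults=DEFAULT_PASSWORDS):
    """Return (username, domain, reason) for every row that still authenticates
    with a default password, whether stored in clear or only as a digest HA1."""
    findings = []
    for row in rows:
        user, realm = row["username"], row["domain"]
        if row.get("password") in defaults:
            findings.append((user, realm, "plaintext password is a default"))
            continue
        stored_ha1 = row.get("ha1", "")
        for pw in defaults:
            if stored_ha1 and stored_ha1 == sip_ha1(user, realm, pw):
                findings.append((user, realm, "ha1 matches a default password"))
                break
    return findings


if __name__ == "__main__":
    for user, realm, reason in find_default_credentials(SAMPLE_ROWS):
        print(f"{user}@{realm}: {reason}")
```

In practice the rows would come from a SELECT over the live subscriber table; the HA1 check matters because clearing the plaintext column alone does not remove the default credential.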

Mark Kent wrote:

Hello,

I just noticed that openser_mysql.sh creates the username "admin" with
the default openserrw password in the subscriber table.

This seems to introduce a security hole where a well-known username
and password pair would exist on most virgin openser installations.

Is there a good reason to have that entry in the "subscriber" table?
Is it used anywhere?

Now I know that we're supposed to change the mysql access passwords,
but I have to admit that I didn't think to change a password actually
embedded IN the data of the mysql database.

Did I miss a critical security note somewhere alerting me to this default user?

Thanks,
-mark

_______________________________________________
Users mailing list
[email protected]
http://openser.org/cgi-bin/mailman/listinfo/users
