Bug 17958 - mysql is not properly secured when installed.
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: mysql
Version: 7.0
Hardware: i386 Linux
Priority: medium Severity: medium
Assigned To: Patrick Macdonald
QA Contact: David Lawrence
Keywords: Security
Reported: 2000-09-30 11:49 EDT by Per Steinar Iversen
Modified: 2007-04-18 12:28 EDT
Last Closed: 2000-09-30 11:49:07 EDT
Description Per Steinar Iversen 2000-09-30 11:49:05 EDT
When mysql is installed there is no question or warning about setting a
password for the mysql user root. This means that any user on the host that
mysqld is running on has all privileges and can do anything with all
databases until a password is set.

-psi
Comment 1 Trond Eivind Glomsrød 2000-10-01 11:35:18 EDT
If you install it, you need to configure it. Default passwords considered
harmful.
Comment 2 Per Steinar Iversen 2000-10-01 14:29:06 EDT
The rpm version distributed by the mysql group warns the installer
to set a password at least. The current RH mysql install is silent,
this is likely to cause some interesting problems for the unwary.

I strongly agree that default passwords are bad.

-psi
Comment 3 Trond Eivind Glomsrød 2000-10-01 14:55:33 EDT
Returning output (or asking for input) from one of the post/pre scripts is
considered bad - you wouldn't necessarily see it. RPM is designed to be
non-interactive.
Comment 4 Per Steinar Iversen 2000-10-02 04:01:47 EDT
What then about adding something like this to /etc/rc.d/init.d/mysql, just
after starting mysqld:

mysqladmin --user root processlist > /dev/null 2> /dev/null && echo "Unsafe mysql!"

This will unfortunately also trigger if the password is set in /root/.my.cnf
but that case should be easy to take care of with a few script lines. The
important thing is to warn of a very insecure situation.
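
Added example (not part of the original thread and not Red Hat's init script): one way to write the check from Comment 4 so that a password stored in /root/.my.cnf does not cause a false warning, and so that a server that is not running is not reported as safe. The function names and the MYSQLADMIN override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example. MYSQLADMIN is an assumed override hook so the check can be
# pointed at a stub when testing; it defaults to the real client.
: "${MYSQLADMIN:=mysqladmin}"

# Exit status: 0 = root logs in with NO password (unsafe),
#              1 = passwordless root login was refused,
#              2 = server not reachable, nothing can be concluded.
mysql_root_unprotected() {
    # --no-defaults must be the first option. It stops the client reading
    # /etc/my.cnf and ~/.my.cnf, so a password saved in /root/.my.cnf is
    # never sent and the probe really is a passwordless login attempt.
    # "ping" exits 0 whenever the server answers, even on "Access denied".
    "$MYSQLADMIN" --no-defaults --user=root ping >/dev/null 2>&1 || return 2
    # processlist only succeeds if authentication itself succeeded.
    if "$MYSQLADMIN" --no-defaults --user=root processlist >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Intended to be called right after mysqld is started; it always returns 0
# so a warning can never make the init script itself fail.
mysql_root_warn() {
    if mysql_root_unprotected; then
        echo "Unsafe mysql! MySQL user root has no password set."
    fi
    return 0
}

# Stand-alone use: sh thisfile check
case "${1:-}" in
    check) mysql_root_warn ;;
esac
```

Printing from an init script, rather than from an RPM pre/post script, keeps the package install non-interactive while still surfacing the warning at each service start.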
