Bug 17958 - mysql is not properly secured when installed.
Summary: mysql is not properly secured when installed.
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: mysql
Version: 7.0
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Patrick Macdonald
QA Contact: David Lawrence
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2000-09-30 15:49 UTC by Per Steinar Iversen
Modified: 2007-04-18 16:28 UTC (History)
0 users

(edit)
Clone Of:
(edit)
Last Closed: 2000-09-30 15:49:07 UTC


Attachments (Terms of Use)

Description Per Steinar Iversen 2000-09-30 15:49:05 UTC
When  mysql is installed there is no question or warning about setting a
password
for the mysql user root. This means that any user on the host that mysqld
is running
on has all privileges and can do anything with all databases until a
password is set.

-psi

Comment 1 Trond Eivind Glomsrxd 2000-10-01 15:35:18 UTC
If you install it, you need to configure it. Default passwords considered
harmful.

Comment 2 Per Steinar Iversen 2000-10-01 18:29:06 UTC
The rpm version distributed by the mysql group warns the installer
to set a password at least. The current RH mysql install is silent,
this is likely to cause some interesting problems for the unwary.

I strongly agree that default passwords are bad.

-psi

Comment 3 Trond Eivind Glomsrxd 2000-10-01 18:55:33 UTC
Returning output (or asking for input) from one of the post/pre scripts is
considered bad - you wouldn't necesarrily see it. RPM is designed to be
non-interactive.


Comment 4 Per Steinar Iversen 2000-10-02 08:01:47 UTC
What then about adding something like this to /etc/rc.d/init.d/mysql, just
after starting mysqld:

mysqladmin --user root processlist > /dev/null 2> /dev/null && echo "Unsafe
mysql!"

This will unfortunately also trigger if the password is set in /root/.my.cnf but
that case should
be easy to take care of with a few script lines. The important thing is to warn
of a very insecure
situation.



Note You need to log in before you can comment on or make changes to this bug.