The Community Forums


Mysql root wide open.

Discussion in 'General Discussion' started by hostrack, Apr 19, 2003.

  1. hostrack

    hostrack Registered
    PartnerNOC

    Joined:
    Oct 14, 2002
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    I have the latest build in our servers, and I just found out that if you use shell to access mysql it doesn't require any passwords.

    So anyone with shell or possible phpMyAdmin and knows of this problem can browse all the databases.

    All my Redhat machines will not allow me to add or password protect mysql. I am guessing it's a bug in mysql version 4.
    I have also tried using the control panel and no go.

    Any suggestions?

    Brian
     
  2. sexy_guy

    sexy_guy Well-Known Member

    Joined:
    Mar 19, 2003
    Messages:
    848
    Likes Received:
    0
    Trophy Points:
    16
    Yep, I simply typed

    root@srv05 [/usr/local/apache/domlogs]# mysql
    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 320047 to server version: 4.0.12-log

    Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

    mysql>

    And I was in. WTF is up with this? Where is this BDRACO guy and why has he ignored all forums questions posted in the past 5 days? Oh yeah, I forgot, like some of you were dreaming when you said, "THEY ARE WORKING ON IT" What a laugh! :rolleyes:
     
    #2 sexy_guy, Apr 19, 2003
    Last edited: Apr 19, 2003
  3. rnh

    rnh Well-Known Member

    Joined:
    Apr 15, 2003
    Messages:
    118
    Likes Received:
    0
    Trophy Points:
    16
    Guess it's time for that format that you were talking about.

    rm -rf /
     
  4. sexy_guy

    sexy_guy Well-Known Member

    Joined:
    Mar 19, 2003
    Messages:
    848
    Likes Received:
    0
    Trophy Points:
    16
  5. rnh

    rnh Well-Known Member

    Joined:
    Apr 15, 2003
    Messages:
    118
    Likes Received:
    0
    Trophy Points:
    16
    It's the only way to be truly secure! ;)
     
  6. sexy_guy

    sexy_guy Well-Known Member

    Joined:
    Mar 19, 2003
    Messages:
    848
    Likes Received:
    0
    Trophy Points:
    16
    I hear you!
     
  7. versehost

    versehost Member

    Joined:
    Mar 8, 2002
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    It only works if you're logged in as root, so it's not really a problem.

    As regular user:
    As root:
     
  8. sexy_guy

    sexy_guy Well-Known Member

    Joined:
    Mar 19, 2003
    Messages:
    848
    Likes Received:
    0
    Trophy Points:
    16
    Huh? That's still wrong. It's supposed to ask for a pw no matter if you're root or not.
     
  9. Annette

    Annette Well-Known Member
    PartnerNOC

    Joined:
    Aug 12, 2001
    Messages:
    445
    Likes Received:
    0
    Trophy Points:
    16
    If someone other than you has logged in as root to your machine, you have much, much bigger problems than the intrinsic trust granted to root by mySQL. Normal users cannot, as noted, use mySQL from the command line without proper authentication.
     
  10. sexy_guy

    sexy_guy Well-Known Member

    Joined:
    Mar 19, 2003
    Messages:
    848
    Likes Received:
    0
    Trophy Points:
    16
    That's wrong once again. If you were to do a dump of a mysql db you would have to supply, usually, a password. Likewise no matter what you should have to enter pw no matter what when you type mysql.
     
  11. alwaysweb

    alwaysweb Well-Known Member

    Joined:
    Mar 8, 2002
    Messages:
    97
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Dallas, TX
    cPanel Access Level:
    Root Administrator
    I'm willing to bet you have your user/pass in /root/.my.cnf which is provided by default with MySQL connections when you're logged in as root. Is this a big deal? No. Is this person a whiner? Yes. ;)
     
  12. bmcpanel

    bmcpanel Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    546
    Likes Received:
    0
    Trophy Points:
    16
    Yep, I tried it as a customer end user (non-root), and it requires a password to access MySQL. Thus, root access seems to be the only way that it does not require the MySQL PW.
     
  13. trakwebster

    trakwebster Well-Known Member

    Joined:
    Jan 29, 2003
    Messages:
    145
    Likes Received:
    0
    Trophy Points:
    16
    Default cpanel install sez mysql root pass = Nope.

    I do not know why, but the default cpanel install sets the mysql root password to none required.

    You can change this in WHM; but I don't know if it's a good idea.

    I am guessing that perhaps setting it so makes it unnecessary for some applications to pass along a password, which would mean in turn they'd need to store the password, which would mean in turn more places from which some bad boy could obtain the password and perhaps a greater vulnerability to mysql being actually cracked.

    However, I don't know the answer. I fiddled with this once and locked myself out while stumbling around. My isp fixed it for me, but I failed to comprehend my lesson correctly, and didn't really learn how it truly works.

    I very much would like to know the reasoning for no mysql root password, and what are the problems that you would encounter if you set one.

    Is there anyone here knowledgeable who would know these things?
     
  14. rnh

    rnh Well-Known Member

    Joined:
    Apr 15, 2003
    Messages:
    118
    Likes Received:
    0
    Trophy Points:
    16
    I was able to get in as admin, UID 1001, not root, no superuser privileges, (however admin is a member of the wheel group (I'm on FreeBSD)) just by typing mysql.

    However I wasn't able to connect to the databases of other users.

    I WAS able to connect to the databases of the users as root.

    I was NOT able to login to MySQL as root from the user admin without a password.
    Code:
    $ mysql
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 165 to server version: 3.23.52
    
    Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
    
    mysql> connect database_name
    ERROR 1044: Access denied for user: '@localhost' to database 'database_name'
    mysql> exit
    Bye
    $ su -
    Password:
    # mysql
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 167 to server version: 3.23.52
    
    Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
    
    mysql> connect database_name
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A
    
    Connection id:    168
    Current database: database_name
    
    mysql> exit
    Bye
    #logout
    $ mysql -u root
    ERROR 1045: Access denied for user: 'root@localhost' (Using password: NO)
    $
     
  15. rnh

    rnh Well-Known Member

    Joined:
    Apr 15, 2003
    Messages:
    118
    Likes Received:
    0
    Trophy Points:
    16
    Re: Default cpanel install sez mysql root pass = Nope.

    isn't this just the default for MySQL?

    I was under the assumption that root came without a password until you set it on MySQL
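    The transcript in post 14 shows an anonymous account ('@localhost') being accepted with no password, and post 15 asks whether that is simply MySQL's default. It is: the grant tables that mysql_install_db created for MySQL 3.23/4.0 include a root account with an empty password and anonymous ('') accounts. The script below is an added example, not code from the thread or from cPanel; it takes the tab-separated rows that `mysql -B -e "SELECT user, host, password FROM mysql.user"` prints on those versions and lists every account that can log in without a password. The sample rows and their hash values are constructed, and `srv05.example.com` is a placeholder host.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel: list MySQL accounts that
# can log in with no password, given the tab-separated rows that
#   mysql -B -e "SELECT user, host, password FROM mysql.user"
# prints on MySQL 3.23/4.0 (the column is authentication_string in 5.7+).

# Constructed sample, not captured from a real server. The hashes are
# placeholders; an empty third column is a passwordless account, and an
# empty first column is an anonymous account like the '@localhost' in post 14.
SAMPLE_USERS=$(printf '%s\t%s\t%s\n' \
    user    host               password \
    root    localhost          5d2e19393cc5ef67 \
    root    srv05.example.com  '' \
    ''      localhost          '' \
    cpanel  localhost          43e9a4ab75570f5b)

# Print user@host for each row whose password column is empty; the header
# row is skipped. Anonymous accounts come out as @host.
empty_password_accounts() {
    printf '%s\n' "$1" | awk -F'\t' 'NR > 1 && $3 == "" { printf "%s@%s\n", $1, $2 }'
}

# True (exit 0) when every account has a password set.
no_passwordless_accounts() {
    [ -z "$(empty_password_accounts "$1")" ]
}

# Usage against a live server (MySQL 3.23/4.0 column names):
#   empty_password_accounts "$(mysql -B -e 'SELECT user, host, password FROM mysql.user')"
```

    On the sample above it reports `root@srv05.example.com` and `@localhost`; the root@localhost row is fine because it has a hash. Fixing the findings is a matter of `SET PASSWORD` for the root rows and `DELETE FROM mysql.user WHERE user=''` followed by `FLUSH PRIVILEGES` for the anonymous ones.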
     
  16. X-Istencedotcom

    X-Istencedotcom Well-Known Member

    Joined:
    Apr 14, 2003
    Messages:
    223
    Likes Received:
    0
    Trophy Points:
    16
    That's well said, but once cPanel is installed on it, the pass for MySQL is the same as for root. Kinda a shame really, someone gets your root pass your DB's could be gone, and most of the time the DB's hold more data that is sensitive than files itself.
     
  17. hostrack

    hostrack Registered
    PartnerNOC

    Joined:
    Oct 14, 2002
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    I see the password and username in the my.cnf file in root.
    This is not a really good way of keeping it a secret. Anyone that gains root can really do damage.

    I suggest keeping it different from the control panel password until they have a way of masking the password.

    Brian
     
  18. rnh

    rnh Well-Known Member

    Joined:
    Apr 15, 2003
    Messages:
    118
    Likes Received:
    0
    Trophy Points:
    16
    The only differences relevant to this are that you have to login to the server as a member of the wheel group in order to be able to use the su (super user) command. Ordinary users are not allowed to su in FreeBSD unless added to the wheel group.
     
  19. rnh

    rnh Well-Known Member

    Joined:
    Apr 15, 2003
    Messages:
    118
    Likes Received:
    0
    Trophy Points:
    16
    Its mode is set to 700. Its owner is root. If they can read that file, it's already too late.
    That's the understatement of the year.
    You're not reusing passwords are you?

    You should never use the same password in any two places anyway. ESPECIALLY on a production server.

    The one real possible danger I see in this is a PHP file being owned by root in a php safe mode environment without open base dir restrictions being used to readfile /root/.my.cnf

    However, that still wouldn't be able to read the file because apache would have to be running as root.
     
    #19 rnh, Apr 20, 2003
    Last edited: Apr 20, 2003
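    Post 11 explains why a bare `mysql` works for root (the credentials sit in /root/.my.cnf and the client reads them silently), and post 19 adds the conditions under which that is acceptable: mode 700 and owner root, so nothing but root can read it. The function below is an added example, not code from the thread or from cPanel, that audits an option file for exactly those properties. It reports whether a cleartext `password=` line is present, whether anyone other than the owner has permission bits on the file, and who owns it; the file path and the sample contents used in the usage note are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel: audit a MySQL option
# file (typically /root/.my.cnf) for what the posts above discuss, namely a
# stored cleartext password and whether anyone but the owner can read it.
# Prints one finding per line. Returns 0 when the file is owner-only,
# 1 when group/other permission bits are set, 2 when the file is missing.
audit_my_cnf() {
    f=$1
    rc=0
    if [ ! -f "$f" ]; then
        echo "$f: no such file"
        return 2
    fi
    # Columns 5-10 of ls -l are the group and other bits, e.g. "------" for 0600.
    perms=$(ls -ld "$f" | cut -c5-10)
    owner=$(ls -ld "$f" | awk '{ print $3 }')
    case $perms in
        ------) ;;
        *) echo "$f: group/other bits set ($perms); chmod 600 it"; rc=1 ;;
    esac
    # Ownership is reported but does not change the result: the audit may
    # be run on a copy of the file by a non-root account.
    if [ "$owner" != "root" ]; then
        echo "$f: owned by $owner, not root (informational)"
    fi
    # A password= line means mysql(1) logs in silently with it; that is what
    # made a bare "mysql" as root succeed in the first post.
    if grep -Eq '^[[:space:]]*password[[:space:]]*=' "$f"; then
        echo "$f: stores a cleartext password"
    fi
    return $rc
}

# Usage (assumed path): audit_my_cnf /root/.my.cnf
```

    Run it as root against /root/.my.cnf after any cPanel update that rewrites the file; a non-zero exit means the stored password is readable by someone other than its owner, which is the one situation the thread agrees is dangerous.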
  20. Annette

    Annette Well-Known Member
    PartnerNOC

    Joined:
    Aug 12, 2001
    Messages:
    445
    Likes Received:
    0
    Trophy Points:
    16
    You're kidding, right? If someone gets root access to your box, the least of your worries is that they can get into mysql on the command line. I'd be more concerned about someone rm -rf /var/lib/mysql. No mysql command line anything required to do that as root.

    And if anyone is so concerned about the mySQL root password and the system root password being the same: for heaven's sake, just change one or the other. The tools are there. Use them.
     