Hi,
we got a suggestion from a user about either restricting access to /setup or telling the installer to remove this directory after initial setup.
Let's discuss this...
On Fri, Jul 15, 2011 at 4:35 PM, Marc Delisle marc@infomarc.info wrote:
Hi,
we got a suggestion from a user about either restricting access to /setup or telling the installer to remove this directory after initial setup.
Let's discuss this...
It's probably a good idea to restrict access after initial setup.
-- Marc Delisle http://infomarc.info
AppSumo Presents a FREE Video for the SourceForge Community by Eric Ries, the creator of the Lean Startup Methodology on "Lean Startup Secrets Revealed." This video shows you how to validate your ideas, optimize your ideas and identify your business strategy. http://p.sf.net/sfu/appsumosfdev2dev _______________________________________________ Phpmyadmin-devel mailing list Phpmyadmin-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/phpmyadmin-devel
On Jul 15, 2011, at 9:35 AM, Marc Delisle marc@infomarc.info wrote:
Hi,
we got a suggestion from a user about either restricting access to /setup or telling the installer to remove this directory after initial setup.
Let's discuss this...
If I remember correctly, the reason this wasn't done in the first place is that there's no vulnerability to leaving it exposed. The user moves the generated config.inc.php, and a malicious user can't write a new one that would be used. Additionally, users who wish to reconfigure later might want to run the setup; if it's removed they'll have to (presumably) reinstall the entire program.
If there were a good reason to remove it, then I'd certainly support the idea, but I don't see a compelling reason at the moment.
[snip]
Hi
Dne Fri, 15 Jul 2011 10:50:35 -0400 Isaac Bennetch bennetch@gmail.com napsal(a):
On Jul 15, 2011, at 9:35 AM, Marc Delisle marc@infomarc.info wrote:
Hi,
we got a suggestion from a user about either restricting access to /setup or telling the installer to remove this directory after initial setup.
Let's discuss this...
If I remember correctly, the reason this wasn't done in the first place is that there's no vulnerability to leaving it exposed. The user moves the generated config.inc.php, and a malicious user can't write a new one that would be used. Additionally, users who wish to reconfigure later might want to run the setup; if it's removed they'll have to (presumably) reinstall the entire program.
If there were a good reason to remove it, then I'd certainly support the idea, but I don't see a compelling reason at the moment.
I've seen this in various web applications - they force you to remove setup once installation is done.
I don't think we should make it that hard requirement, however suggesting to remove it after setup won't hurt.
Also option would be to limit access to it for example only to authenticated MySQL users, what would limit the audience quite a lot.
Le 2011-07-16 05:30, Michal Čihař a écrit :
Hi
Dne Fri, 15 Jul 2011 10:50:35 -0400 Isaac Bennetchbennetch@gmail.com napsal(a):
On Jul 15, 2011, at 9:35 AM, Marc Delislemarc@infomarc.info wrote:
Hi,
we got a suggestion from a user about either restricting access to /setup or telling the installer to remove this directory after initial setup.
Let's discuss this...
If I remember correctly, the reason this wasn't done in the first place is that there's no vulnerability to leaving it exposed. The user moves the generated config.inc.php, and a malicious user can't write a new one that would be used. Additionally, users who wish to reconfigure later might want to run the setup; if it's removed they'll have to (presumably) reinstall the entire program.
If there were a good reason to remove it, then I'd certainly support the idea, but I don't see a compelling reason at the moment.
I've seen this in various web applications - they force you to remove setup once installation is done.
Yes but in these applications, their installation program does things like - letting you choose an admin password - entering database credentials - creating initial database - creating the effective configuration file
This is why they ask (or sometimes enforce) to remove the setup directory.
I don't see the same need for phpMyAdmin because our setup code never writes to the effective configuration file, only to a staging one.
I don't think we should make it that hard requirement, however suggesting to remove it after setup won't hurt.
Also option would be to limit access to it for example only to authenticated MySQL users, what would limit the audience quite a lot.
Hi
Dne Sat, 16 Jul 2011 08:17:25 -0400 Marc Delisle marc@infomarc.info napsal(a):
Yes but in these applications, their installation program does things like
- letting you choose an admin password
- entering database credentials
- creating initial database
- creating the effective configuration file
This is why they ask (or sometimes enforce) to remove the setup directory.
I don't see the same need for phpMyAdmin because our setup code never writes to the effective configuration file, only to a staging one.
Yes, this is true. However you generally don't need setup after initial installation, so removing it also won't hurt. And publicly exposing less (potentially vulnerable) code is always good idea :-).
2011/8/1 Michal Čihař michal@cihar.com:
Hi
Dne Sat, 16 Jul 2011 08:17:25 -0400 Marc Delisle marc@infomarc.info napsal(a):
Yes but in these applications, their installation program does things like
- letting you choose an admin password
- entering database credentials
- creating initial database
- creating the effective configuration file
This is why they ask (or sometimes enforce) to remove the setup directory.
I don't see the same need for phpMyAdmin because our setup code never writes to the effective configuration file, only to a staging one.
Yes, this is true. However you generally don't need setup after initial installation, so removing it also won't hurt. And publicly exposing less (potentially vulnerable) code is always good idea :-).
How about locking it completely when there is no writable "config" directory and a warning in main.php when writable "config" directory is detected?
Piotr Przybylski a écrit :
2011/8/1 Michal Čihař michal@cihar.com:
Hi
Dne Sat, 16 Jul 2011 08:17:25 -0400 Marc Delisle marc@infomarc.info napsal(a):
Yes but in these applications, their installation program does things like
- letting you choose an admin password
- entering database credentials
- creating initial database
- creating the effective configuration file
This is why they ask (or sometimes enforce) to remove the setup directory.
I don't see the same need for phpMyAdmin because our setup code never writes to the effective configuration file, only to a staging one.
Yes, this is true. However you generally don't need setup after initial installation, so removing it also won't hurt. And publicly exposing less (potentially vulnerable) code is always good idea :-).
How about locking it completely when there is no writable "config" directory and a warning in main.php when writable "config" directory is detected?
I don't think it's a good idea because /setup can be used to download a config file when it's complete.
-
Isaac Bennetch -
Marc Delisle -
Michal Čihař -
Piotr Przybylski -
Tyron Madlener