[Phpmyadmin-devel] about root with no pass

Marc Delisle Marc.Delisle at cegepsherbrooke.qc.ca
Tue Aug 7 15:17:02 CEST 2007


Sebastian Mendel wrote:
> Hi,
> 
> even if it is a good feature to run phpMyAdmin out of the box on a dev
> system with root and no pw i think we should limit this ...

Do you mean for auth_type = 'config' or for all auth_types?

We already have a warning message:
if ($server != 0
  && $cfg['Server']['user'] == 'root'
  && $cfg['Server']['password'] == '') {
     echo '<div class="warning">' . $strInsecureMySQL . '</div>' . "\n";
}

that works for all auth_types (even if the message talks about their 
configuration file having these insecure settings).

The problem with this message is that many users do not understand it 
and react with fear.

But some consultants just do the default MySQL installation and install 
apps relying on root with no password, so our message "breaks" the apps 
when a user suddenly adds a password for root.

> 
> possible we could add an config switch and/or version check
> 
> 
>  if version is dev, from svn or forced by config
> ($cfg['allow_root_with_no_pw']) allow root with no pass
> 
>  if version is release deny root with no password (except it is forced by
> config switch to be allowed)
> 
> 
> and phpMyAdmin should trigger_error to log this error and report a generic
> security error message to the user 'security error, please check php error
> log for further details'
> 
> 
> what do you think about?
> 

I would avoid adding a new cfg because I fear what distros will do: just 
set it to true by default?

I think logging this error with trigger_error is a good improvement.

I guess you would like to remove the strInsecureMySQL message?
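One way the policy proposed in this thread could look in code. This is an added example, not phpMyAdmin's own code or a patch from either poster: it keeps the existing root-with-empty-password condition, allows it only on a development build or when forced by the proposed $cfg['allow_root_with_no_pw'] switch, denies it on a release build, and always records the detail with trigger_error() so that only a generic message reaches the user. The function names, the is_dev_version() heuristic and the sample $cfg array are assumptions for illustration.

```php
<?php
// Added example, not phpMyAdmin code. Function names, the dev-build heuristic
// and the sample config below are assumptions for illustration only.

/**
 * True when this server entry uses MySQL root with an empty password.
 * Same condition as the existing strInsecureMySQL warning; applies to every
 * auth_type because it only looks at the configured credentials.
 */
function uses_root_without_password(array $server_cfg, $server)
{
    return $server != 0
        && isset($server_cfg['user'], $server_cfg['password'])
        && $server_cfg['user'] === 'root'
        && $server_cfg['password'] === '';
}

/**
 * Development build detection (assumption: a version string containing
 * "-dev" or "svn"; real phpMyAdmin version strings may differ).
 */
function is_dev_version($version)
{
    return (bool) preg_match('/-dev|svn/i', $version);
}

/**
 * Apply the proposed policy. Always logs the insecure setting to the PHP
 * error log (E_USER_WARNING, so execution continues and the caller decides).
 * Returns true when the connection may proceed: dev build or config override.
 * Returns false on a release build without override; the caller then shows
 * only a generic message so no credential detail reaches the browser.
 */
function check_root_without_password(array $cfg, $server, $version)
{
    if (!uses_root_without_password($cfg['Server'], $server)) {
        return true;
    }
    $forced  = !empty($cfg['allow_root_with_no_pw']);
    $dev     = is_dev_version($version);
    $allowed = $forced || $dev;
    trigger_error(
        sprintf(
            'MySQL server %d is configured as root with an empty password (%s build, override %s, %s)',
            $server,
            $dev ? 'development' : 'release',
            $forced ? 'on' : 'off',
            $allowed ? 'allowed' : 'denied'
        ),
        E_USER_WARNING
    );
    return $allowed;
}

// Usage with a constructed config: release build, no override -> denied.
$cfg = array(
    'Server'               => array('user' => 'root', 'password' => ''),
    'allow_root_with_no_pw' => false,
);
if (!check_root_without_password($cfg, 1, '2.11.0')) {
    echo 'Security error, please check the PHP error log for further details', "\n";
    exit(1);
}
```

With the same $cfg and a version such as '2.11.0-dev', or with 'allow_root_with_no_pw' set to true, the function still writes the warning to the error log but returns true, which is the distinction Sebastian proposed between development and release builds. Marc's concern about distributions defaulting the switch to true is not addressed by code; it is a packaging decision.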



