[Phpmyadmin-devel] about root with no pass
Sebastian Mendel
lists at sebastianmendel.de
Tue Aug 7 16:00:44 CEST 2007
Marc Delisle wrote:
> Sebastian Mendel wrote:
>> Hi,
>>
>> even if it is a good feature to run phpMyAdmin out of the box on a dev
>> system with root and no pw, I think we should limit this ...
>
> Do you mean for auth_type = 'config' or for all auth_types?
all!?
> We already have a warning message:
> if ($server != 0
> && $cfg['Server']['user'] == 'root'
> && $cfg['Server']['password'] == '') {
> echo '<div class="warning">' . $strInsecureMySQL . '</div>' . "\n";
> }
I know
and I fear this message could be found by Google ...
> that works for all auth_types (even if the message talks about their
> configuration file having these insecure settings).
>
> The problem with this message, is that many users do not understand it
> and react with fear.
reacting with fear to this message is not wrong, is it?
> But some consultants just do the default MySQL installation and install
> apps relying on root with no password, so our message "breaks" the apps
> when a user suddenly adds a password for root.
first: this is not our fault!
second: this message could go away with $cfg['allow_root_with_no_pw']
>> possibly we could add a config switch and/or version check
>>
>>
>> if version is dev, from svn or forced by config
>> ($cfg['allow_root_with_no_pw']) allow root with no pass
>>
>> if version is release deny root with no password (except it is forced by
>> config switch to be allowed)
>>
>>
>> and phpMyAdmin should call trigger_error to log this error and report a generic
>> security error message to the user: 'security error, please check php error
>> log for further details'
>>
>>
>> what do you think about it?
>>
>
> I would avoid adding a new cfg because I fear what distros will do: just
> set it to true by default?
I don't think so
I do not think that any distro will disable a default securing option!
> I think logging this error with trigger_error is a good improvement.
>
> I guess you would like to remove the strInsecureMySQL message?
yes, with the already mentioned generic security error message
--
Sebastian
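As an added illustration of the check proposed in this thread (not phpMyAdmin's own code): a dev build or an explicit $cfg['allow_root_with_no_pw'] permits a passwordless root, a release build refuses it, the details go to the PHP error log via trigger_error, and the browser only sees a generic message that carries nothing worth indexing. The PMA_VERSION constant, the pma_* function names and the sample $cfg values are assumptions made for this example.

```php
<?php
// Added example, not phpMyAdmin code. Constructed sample values: a real
// build would define PMA_VERSION itself and load $cfg from config.inc.php.
define('PMA_VERSION', '2.11.0-dev');

$cfg = array(
    'allow_root_with_no_pw' => false,
    'Servers' => array(
        1 => array('user' => 'root', 'password' => ''),
    ),
);

// Dev builds (svn checkout or a "-dev"/"-svn" version suffix) are tolerated;
// release builds are not.
function pma_is_dev_version($version)
{
    return (bool) preg_match('/-(dev|svn)/i', $version);
}

// Returns true when the server configuration is acceptable and false when
// a passwordless root must be refused. Details go to the PHP error log via
// trigger_error; the caller shows only a generic message to the browser.
function pma_check_root_no_password(array $server_cfg, array $cfg, $version)
{
    if ($server_cfg['user'] !== 'root' || $server_cfg['password'] !== '') {
        return true; // nothing to complain about
    }
    if (pma_is_dev_version($version) || ! empty($cfg['allow_root_with_no_pw'])) {
        trigger_error('phpMyAdmin: MySQL root with empty password permitted '
            . '(dev build or allow_root_with_no_pw set)', E_USER_NOTICE);
        return true;
    }
    trigger_error('phpMyAdmin: refusing MySQL root with empty password; set a '
        . 'root password or enable $cfg[\'allow_root_with_no_pw\']', E_USER_WARNING);
    return false;
}

if (! pma_check_root_no_password($cfg['Servers'][1], $cfg, PMA_VERSION)) {
    // Generic text only: no user name, host or config path that a search
    // engine could pick up from an exposed installation.
    echo '<div class="error">Security error, please check the PHP error log '
        . 'for further details.</div>' . "\n";
    exit;
}
```

With the constructed values above the dev-suffixed version lets the check pass and logs a notice; changing PMA_VERSION to a plain release string makes it log a warning and stop with the generic message.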