[Phpmyadmin-devel] about root with no pass
Marc Delisle
Marc.Delisle at cegepsherbrooke.qc.ca
Tue Aug 7 19:21:14 CEST 2007
Sebastian Mendel wrote:
> Marc Delisle wrote:
>> Sebastian Mendel wrote:
>>> Hi,
>>>
>>> even if it is a good feature to run phpMyAdmin out of the box on a dev
>>> system with root and no password, I think we should limit this ...
>> Do you mean for auth_type = 'config' or for all auth_types?
>
> all!?
>
>
>> We already have a warning message:
>> if ($server != 0
>>     && $cfg['Server']['user'] == 'root'
>>     && $cfg['Server']['password'] == '') {
>>     echo '<div class="warning">' . $strInsecureMySQL . '</div>' . "\n";
>> }
>
> I know,
> and I fear this message could be found by Google ...
>
>
>> that works for all auth_types (even if the message talks about their
>> configuration file having these insecure settings).
>>
>> The problem with this message, is that many users do not understand it
>> and react with fear.
>
> Reacting with fear to this message is not wrong, or is it?
>
>
>> But some consultants just do the default MySQL installation and install
>> apps relying on root with no password, so our message "breaks" the apps
>> when a user suddenly adds a password for root.
>
> first: this is not our fault!
> second: this message could go away with $cfg['allow_root_with_no_pw']
>
>
>>> Possibly we could add a config switch and/or version check
>>>
>>>
>>> if the version is dev, from svn or forced by config
>>> ($cfg['allow_root_with_no_pw']), allow root with no password
>>>
>>> if the version is a release, deny root with no password (except if it is
>>> forced by a config switch to be allowed)
>>>
>>>
>>> and phpMyAdmin should trigger_error to log this error and report a generic
>>> security error message to the user: 'security error, please check the PHP
>>> error log for further details'
>>>
>>>
>>> What do you think?
>>>
>> I would avoid adding a new cfg because I fear what distros will do: just
>> set it to true by default?
>
> I don't think so.
> I do not think that any distro will disable a default securing option!
>
>
>> I think logging this error with trigger_error is a good improvement.
>>
>> I guess you would like to remove the strInsecureMySQL message?
>
> yes, with the already mentioned generic security error message
>
>
Ok for me.
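The policy sketched in the thread (allow root with an empty password on dev builds or when forced by a config switch, deny it on releases, log the details with trigger_error and show the user only a generic message) written out as a self-contained script. This is an added example, not phpMyAdmin's own code: the key name $cfg['allow_root_with_no_pw'] comes from the thread, but the version-string convention ("-dev"/"-svn" marks a development build), the function names, the log wording and the sample logins are all assumptions made here for illustration.

```php
<?php
// Added example, not phpMyAdmin's own code: the rule proposed in this thread
// as a stand-alone CLI script. The config key comes from the thread; the
// version convention, function names and messages are assumptions.

declare(strict_types=1);

// Assumption: a development build carries "-dev" or "-svn" in its version
// string (e.g. "2.11.0-dev"); anything else is treated as a release.
function pma_is_dev_version(string $version): bool
{
    return preg_match('/-(dev|svn)\b/i', $version) === 1;
}

/**
 * Apply the proposed rule to one login attempt.
 *
 * Works for every auth_type: with auth_type 'config' $user/$password come
 * from config.inc.php, with cookie/http they come from the login form.
 *
 * Returns ['allowed' => bool, 'message' => string]; the message is the
 * generic text shown to the user, the details go to the PHP error log only.
 */
function pma_check_root_no_password(
    string $user,
    string $password,
    string $version,
    bool $allowRootWithNoPw   // the proposed $cfg['allow_root_with_no_pw']
): array {
    if ($user !== 'root' || $password !== '') {
        return ['allowed' => true, 'message' => ''];
    }

    if ($allowRootWithNoPw || pma_is_dev_version($version)) {
        // Allowed (dev build or explicitly forced), but still logged so the
        // insecure setup leaves a trace in the error log, not on the page.
        trigger_error(
            'phpMyAdmin ' . $version . ': MySQL login as root without password '
            . ($allowRootWithNoPw
                ? 'forced by $cfg[\'allow_root_with_no_pw\']'
                : 'allowed on development build'),
            E_USER_NOTICE
        );
        return ['allowed' => true, 'message' => ''];
    }

    // Release build and not forced: refuse the login. The specific reason is
    // logged; the user only sees the generic message from the thread.
    trigger_error(
        'phpMyAdmin ' . $version . ': refused MySQL login as root without '
        . 'password; set a root password or $cfg[\'allow_root_with_no_pw\'] = true',
        E_USER_WARNING
    );
    return [
        'allowed' => false,
        'message' => 'Security error, please check the PHP error log for further details.',
    ];
}

// Demo: route trigger_error() output to a log file instead of the page.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', sys_get_temp_dir() . '/pma-demo.log');

// Constructed sample logins: user, password, version, allow switch.
$cases = [
    ['root',  '',       '2.11.0-dev', false],  // dev build: allowed, logged
    ['root',  '',       '2.11.0',     false],  // release: denied, logged
    ['root',  '',       '2.11.0',     true],   // release, forced: allowed, logged
    ['root',  's3cret', '2.11.0',     false],  // root with password: no check
    ['alice', '',       '2.11.0',     false],  // not root: out of scope
];

foreach ($cases as [$user, $password, $version, $allow]) {
    $result = pma_check_root_no_password($user, $password, $version, $allow);
    printf(
        "%-6s pw=%-8s %-11s allow=%-5s -> %s %s\n",
        $user,
        $password === '' ? '(empty)' : '(set)',
        $version,
        $allow ? 'true' : 'false',
        $result['allowed'] ? 'ALLOWED' : 'DENIED',
        $result['message']
    );
}
echo 'details logged to ' . ini_get('error_log') . "\n";
```

Run it with `php` from the command line; the user-facing output only ever says ALLOWED or DENIED plus the generic sentence, while the log file records which build and which switch led to the decision, which is the split between user message and log detail the thread asks for.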