[Users] user 'admin' and mysql
Bogdan-Andrei Iancu
bogdan at voice-system.ro
Tue Jun 20 20:01:18 CEST 2006
Hi Mark,

By default, the installation has to provide a way to access it - a
starting user. It's not a security hole because:

1) do not open your system to the Internet (public mysql or running
openser) immediately after installation without customizing it.
2) before installation, you may set a different default username and
password via environment variables (check the beginning of the opensermysql
script).

This is typical behaviour of all software - to leave an initial way of
access; not properly configured, they may indeed turn into security holes:

mysqld installs by default user root with no passwd
apache starts by default listening on all interfaces (including the
public ones).
etc....

regards,
bogdan

Mark Kent wrote:
>Hello,
>
>I just noticed that openser_mysql.sh creates the username "admin" with
>the default openserrw password in the subscriber table.
>
>This seems to introduce a security hole where a well-known username
>and password pair would exist on most virgin openser installations.
>
>Is there a good reason to have that entry in the "subscriber" table?
>Is it used anywhere?
>
>Now I know that we're supposed to change the mysql access passwords,
>but I have to admit that I didn't think to change a password actually
>embedded IN the data of the mysql database.
>
>Did I miss a critical security note somewhere alerting me to this
>default user?
>
>Thanks,
>-mark
>
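
An added example, not part of the original thread or of OpenSER's own code: a post-install audit that flags subscriber rows still carrying the default pair named above, either as a plaintext password or as a digest HA1 derived from it. The column names (username, domain, password, ha1), the use of the domain as the digest realm, the in-memory sqlite3 table standing in for MySQL, and all sample rows are assumptions made for illustration.

```python
import hashlib
import sqlite3

# Default pair named in the thread; extend with any other defaults you ship.
DEFAULT_CREDS = [("admin", "openserrw")]


def ha1(username, realm, password):
    """Digest HA1 as defined by RFC 2617: MD5(username:realm:password)."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def find_default_accounts(conn, default_creds=DEFAULT_CREDS):
    """Return (username, domain, reason) for rows still using a default pair."""
    findings = []
    rows = conn.execute("SELECT username, domain, password, ha1 FROM subscriber")
    for username, domain, password, stored_ha1 in rows:
        for d_user, d_pass in default_creds:
            if username != d_user:
                continue
            if password == d_pass:
                findings.append((username, domain, "plaintext password is default"))
            elif stored_ha1 and stored_ha1.lower() == ha1(username, domain, d_pass):
                findings.append((username, domain, "ha1 matches default password"))
    return findings


def build_sample_db():
    """Constructed sample data standing in for a subscriber table (assumed columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscriber (username TEXT, domain TEXT, password TEXT, ha1 TEXT)")
    dom = "sip.example.test"
    conn.executemany("INSERT INTO subscriber VALUES (?, ?, ?, ?)", [
        ("admin", dom, "openserrw", ha1("admin", dom, "openserrw")),
        ("admin", "b.example.test", "", ha1("admin", "b.example.test", "openserrw")),
        ("alice", dom, "n0t-the-default", ha1("alice", dom, "n0t-the-default")),
        ("admin", "c.example.test", "changed-1", ha1("admin", "c.example.test", "changed-1")),
    ])
    return conn


if __name__ == "__main__":
    for finding in find_default_accounts(build_sample_db()):
        print(finding)
```

The second sample row shows why the HA1 comparison matters: blanking the plaintext column alone leaves a hash that still corresponds to the default password.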