[Users] user 'admin' and mysql

Bogdan-Andrei Iancu bogdan at voice-system.ro
Tue Jun 20 20:01:18 CEST 2006


Hi Mark,

By default, the installation has to provide a way to access it - a 
starting user. It's not a security hole because:
    1) do not open your system to the Internet (public mysql or running 
openser) immediately after installation without customizing it.
    2) before installation, you may set a different default username and 
password via environment variables (check the beginning of the opensermysql 
script).

This is typical behaviour of all software - to leave an initial way of 
access. Not properly configured, they may indeed turn into security holes:
    mysqld installs by default user root with no passwd
    apache starts by default listening on all interfaces (including the 
public ones).
    etc.

regards,
bogdan

Mark Kent wrote:

>Hello,
>
>I just noticed that openser_mysql.sh creates the username "admin" with
>the default openserrw password in the subscriber table.
>
>This seems to introduce a security hole where a well-known username
>and password pair would exist on most virgin openser installations.
>
>Is there a good reason to have that entry in the "subscriber" table?
>Is it used anywhere?
>
>Now I know that we're supposed to change the mysql access passwords,
>but I have to admit that I didn't think to change a password actually
>embedded IN the data of the mysql database.
>
>Did I miss a critical security note somewhere alerting me to this 
>default user?
>
>Thanks,
>-mark
>