On Saturday 27 August 2005 11:33 am, William Fidell wrote:
> As the default password is blank anyone could access the database with
> all the privileges available.

Anyone could access THOSE databases, not all databases.

> So yes I would set a root password. Any
> application that requires you to use a set default or blank password is
> a bit rubbish.

Not true. It is done this way so that YOU can configure the other tables and databases (your own) to not be accessible to root. Let this login persist if you need to upgrade packages that use MySQL tables but also revoke all privileges for this user over other, more sensitive, tables. How else can the package manager install MySQL tables? Storing the root password in a file that the package manager can read is just as insecure as having no password at all!

> Plus, I would make sure that any application, or websites, have their
> own mysql user, limited to only the databases that they need. Otherwise
> each application / web site would be able to trash any others.

Then there is no problem with the blank root password for packages. MySQL does not recognise the name root as a root user outside the system - privileges to root do not override other settings. If someone has real system access, they can delete entire database files without using the root MySQL account.

> I could of course have misunderstood what you are saying, but having an open
> root user or applications able to access / modify databases of each
> other is asking for trouble.

So limit the "root" user in MySQL - revoke access to your own tables and let it carry on installing tables required for packages.

--
Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/
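Added example, not part of the original message: a small Python audit of the two concerns raised in this thread, namely which databases a blank-password account can actually reach and which accounts can touch more than one database. It assumes the input is `SHOW GRANTS`-style statements collected per account; the grant lines, the account names and the set of blank-password accounts are constructed sample data, and the function names are hypothetical.

```python
import re

# Matches the leading part of a SHOW GRANTS statement (assumed input format).
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)

def parse_grants(lines):
    """Map 'user@host' -> set of databases it holds privileges on ('*' = all)."""
    reach = {}
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        dbs = reach.setdefault(f"{m['user']}@{m['host']}", set())
        if m["privs"].strip().upper() == "USAGE":
            continue  # USAGE means "no privileges", so it adds no reach
        # Scope is `db`.*, `db`.`table` or *.*; keep only the database part.
        dbs.add(m["scope"].split(".", 1)[0].strip("`"))
    return reach

def audit(lines, blank_password_accounts):
    """Return (account, finding, databases) tuples, sorted by account."""
    findings = []
    for account, dbs in sorted(parse_grants(lines).items()):
        target = "ALL databases" if "*" in dbs else ", ".join(sorted(dbs))
        if account in blank_password_accounts and dbs:
            findings.append((account, "blank-password", target))
        if "*" in dbs or len(dbs) > 1:
            findings.append((account, "cross-database", target))
    return findings

# Constructed sample data (not taken from any real server).
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO 'shop'@'localhost'",
    "GRANT USAGE ON *.* TO 'blog'@'localhost'",
    "GRANT ALL PRIVILEGES ON `blog`.* TO 'blog'@'localhost'",
    "GRANT ALL PRIVILEGES ON `shop`.* TO 'blog'@'localhost'",
]
SAMPLE_BLANK = {"root@localhost"}  # assumed known from a separate check

if __name__ == "__main__":
    for account, finding, target in audit(SAMPLE_GRANTS, SAMPLE_BLANK):
        print(f"{account}: {finding} -> {target}")
```

An account with no findings, such as the sample `shop@localhost`, is confined to a single database.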