Vesta leaves mysql with blank password?
Just installed Vesta on a clean CentOS install and I note I can do "mysql -u root" and get into mysql without a password. It doesn't do mysql_secure_installation. What's up with that?
It is buried in the installation logging that you need to set a password, but other panel and LEBscript installers I've seen automatically run it, and I can't think of a good reason not to.
Comments
Mine is ok, you can change it @ /usr/local/vesta/conf/mysql.conf
I can get to mysql from the command line as root without a password - can you? I also have the conf file with a password in it, but it doesn't seem to be in effect. This is the second time I installed Vesta, and now I remember why I uninstalled it the first time.
Found this dump of the install process here: http://tutorialspots.com/vesta-control-panel-installation-1233.html
Your best bet is to post on the Vesta forum.
I think I'll just avoid Vesta.
Open a thread? It is a younger project, you'd help them improve instead of cowering away.
Well, but leaving the MySQL root account password-less is more than negligent for a Control Panel project, no matter whether young or mature. Simple things like this should not happen...
For those who care:
You can now find me at https://talk.lowendspirit.com or https://www.hostballs.com
Some things get overlooked. Even by the most intelligent people. Apple Maps, the Medicare website is a fail, The Pentium Math bug http://en.wikipedia.org/wiki/Pentium_FDIV_bug, Y2K. People screw up.
Are you logged in as root in SSH? If so, is there a particular reason that the root user having root access bothers you?
Did it create a /root/.my.cnf file?
https://mxroute.blackfriday/
I'm not cowering - I just want something I can use that closes the doors. I consider that mysql omission a fundamental flaw, and I have no confidence in the project now.
Do you need to be logged in as root to do "mysql -u root"?
Depends on the configuration. If a password is defined in ~/.my.cnf then you wouldn't need to pass a password to it.
This is normal.
You can login because Vesta writes the password to the my.cnf file in the home directory of root:
Vesta and Vesta's MySQL is perfectly safe.
IP6.IM
You changed your name!
Excellent. Thanks for the explanation. Makes sense. Now I'm happy to revisit Vesta.
Why?
Why what?
To be clear on this, there is no harm in doing this, only benefits. On a properly secured system, if a user can access /root they can just as easily restart MySQL with skip grants. This prevents the user from having to retype the password, but it loads from ~/.my.cnf so unless you have the ability to read a file in someone else's user directory you are as secure as the authentication/permissions for the unix account for which you are logged in.
Keep in mind cPanel does this, pretty sure Plesk as well. I configure this on all of my servers.
Also make sure to remember to ask questions and research before causing a vulnerability scare, it's just good form.
As for:
This is always stated on the first start of a MySQL installation and you cannot run mysql_secure_installation without having started MySQL.
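Added example, not part of any post in this thread: a small POSIX shell check that separates the two cases discussed above, a password stored in root's `~/.my.cnf` versus a server that really accepts root with no password. The function names are hypothetical; `mysql --no-defaults` is the client's own option for skipping all option files.

```shell
#!/bin/sh
# Added example (not Vesta's code). Usage as root: audit_mycnf /root/.my.cnf

# Echo "yes" if [client] or [mysql] in option file $1 stores a non-empty
# password. Commented-out lines and other sections (e.g. [mysqld]) are
# ignored; !include directives are not followed.
cnf_has_password() {
  section="" found=no
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | tr -d ' \t')
    case "$line" in
      \[*\]) section=$line ;;
      password=?*)
        case "$section" in "[client]"|"[mysql]") found=yes ;; esac ;;
    esac
  done < "$1"
  echo "$found"
}

# Echo "ok" only if group and others have no access bits on $1 (e.g. 600).
cnf_mode_ok() {
  perms=$(ls -ld "$1" | cut -c5-10)
  if [ "$perms" = "------" ]; then echo ok; else echo group-or-other-access; fi
}

# Try root with no password while ignoring every option file.
# --no-defaults must be the first option; needs a running server.
# Note: with socket-based auth plugins (unix_socket / auth_socket) the OS
# root user is let in by design, so "accepted" is not always a blank password.
root_without_option_files() {
  if mysql --no-defaults -u root -e 'SELECT 1' >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

audit_mycnf() {
  f=${1:-$HOME/.my.cnf}
  [ -f "$f" ] || { echo "no option file: $f"; return 0; }
  echo "stored password in $f: $(cnf_has_password "$f")"
  echo "permissions on $f: $(cnf_mode_ok "$f")"
  echo "root login without option files: $(root_without_option_files)"
}
```

If the last line reports `rejected` while plain `mysql -u root` works, the login is coming from the stored credentials, as the replies above describe.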
And again, I learn.
@Jar: I meant the name change...
Ah, explained in the cest pit