Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Advertise on LowEndTalk.com
Vesta leaves mysql with blank password?
New on LowEndTalk? Please Register and read our Community Rules.

Vesta leaves mysql with blank password?

squibssquibs Member

Just installed Vesta on a clean centos install and I note I can do "mysql -u root" and get into mysql without a password. It doesn't do mysql_secure_installation. What's up with that?

It is buried in the installation logging that you need to set a password, but other panel and LEBscript installers I've seen automatically run it, and I can't think of a good reason not to.

¦̵̱ ̵̱ ̵̱ ̵̱ ̵̱(̢ ̡͇̅└͇̅┘͇̅ (▤8כ−◦

Comments

  • LinkkingLinkking Member
    edited June 2014

    Mine is ok, you can change it @ /usr/local/vesta/conf/mysql.conf

  • squibssquibs Member

    @Linkking said:
    Mine is ok, you can change it @ /usr/local/vesta/conf/mysql.conf

    I can get to mysql from the command line as root without a password - can you? I also have the conf file with a password in it, but it doesn't seem to be in effect. This is he second time I installed vesta, and now I remember why I uninstalled it first time.

    Found this dump of the install process here: http://tutorialspots.com/vesta-control-panel-installation-1233.html

    2014-02-05 23:08:21 (142 MB/s) - `/etc/my.cnf' saved [410/410]
    
    Initializing MySQL database:  Installing MySQL system tables...
    OK
    Filling help tables...
    OK
    
    To start mysqld at boot time you have to copy
    support-files/mysql.server to the right place for your system
    
    PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
    To do so, start the server, then issue the following commands:
    
    /usr/bin/mysqladmin -u root password 'new-password'
    /usr/bin/mysqladmin -u root -h downappz.com password 'new-password'
    
    Alternatively you can run:
    /usr/bin/mysql_secure_installation**
    

    ¦̵̱ ̵̱ ̵̱ ̵̱ ̵̱(̢ ̡͇̅└͇̅┘͇̅ (▤8כ−◦

  • Your best bet is to post on the Vesta forum.

  • squibssquibs Member

    I think I'll just avoid Vesta.

    ¦̵̱ ̵̱ ̵̱ ̵̱ ̵̱(̢ ̡͇̅└͇̅┘͇̅ (▤8כ−◦

  • DavidxDavidx Member

    @squibs said:
    I think I'll just avoid Vesta.

    Open a thread? It is a younger project, you'd help them improve instead of cowering away.

  • AmitzAmitz Member

    Well, but leaving the MySQL root account password-less is more than negligent for a Control Panel project, no matter whether young or mature. Simple things like this should not happen...

    For those who care:
    You can now find me at https://talk.lowendspirit.com or https://www.hostballs.com

  • DavidxDavidx Member

    @Amitz said:
    Well, but leaving the MySQL root account password-less is more than negligent for a Control Panel project, no matter whether young or mature. Simple things like this should not happen...

    Some things get overlooked. Even by the most intelligent people. Apple Maps, the Medicare website is a fail, The Pentium Math bug http://en.wikipedia.org/wiki/Pentium_FDIV_bug, Y2K. People screw up.

  • jarjar Provider

    Are you logged in as root in SSH? If so, is there a particular reason that the root user having root access bothers you?

    Did it create a /root/.my.cnf file?

  • squibssquibs Member

    @David_P said:
    Open a thread? It is a younger project, you'd help them improve instead of cowering away.

    I'm not cowering - I just want something I can use that closes the doors. I consider that mysql omission a fundamental flaw, and I have no confidence in the project now.

    @Jar said:
    Are you logged in as root in SSH? If so, is there a particular reason that the root user having root access bothers you?

    Do you need to be logged in as root to do "mysql -u root"?

    ¦̵̱ ̵̱ ̵̱ ̵̱ ̵̱(̢ ̡͇̅└͇̅┘͇̅ (▤8כ−◦

  • jarjar Provider

    @squibs said:
    Do you need to be logged in as root to do "mysql -u root"?

    Depends on the configuration. If a password is defined in ~/.my.cnf then you wouldn't need to pass a password to it.

  • WilliamWilliam Member, Provider

    This is normal.

    You can login because Vesta writes the password to the my.cnf file in the home directory of root:

    [email protected]:~# cat .my.cnf 
    [client]
    password='XXXXXXXXXXXXXXXX'
    

    Vesta and Vestas MySQL is perfectly safe.

  • DavidxDavidx Member

    @Jar said:
    Are you logged in as root in SSH? If so, is there a particular reason that the root user having root access bothers you?

    Did it create a /root/.my.cnf file?

    You changed your name!

    Thanked by 1jar
  • squibssquibs Member

    @William said:
    This is normal.

    You can login because Vesta writes the password to the my.cnf file in the home directory of root:

    > [email protected]:~# cat .my.cnf 
    > [client]
    > password='XXXXXXXXXXXXXXXX'
    > 

    Vesta and Vestas MySQL is perfectly safe.

    Excellent. Thanks for the explanation. Makes sense. Now I'm happy to revisit Vesta.

    ¦̵̱ ̵̱ ̵̱ ̵̱ ̵̱(̢ ̡͇̅└͇̅┘͇̅ (▤8כ−◦

  • AmitzAmitz Member

    Why?

    For those who care:
    You can now find me at https://talk.lowendspirit.com or https://www.hostballs.com

  • jarjar Provider
    edited June 2014

    @Amitz said:
    Why?

    Why what?

    To be clear on this, there is no harm in doing this, only benefits. On a properly secured system, if a user can access /root they can just as easily restart MySQL with skip grants. This prevents the user from having to retype the password, but it loads from ~/.my.cnf so unless you have the ability to read a file in someone else's user directory you are as secure as the authentication/permissions for the unix account for which you are logged in.

    Keep in mind cPanel does this, pretty sure Plesk as well. I configure this on all of my servers.

    Also make sure to remember to ask questions and research before causing a vulnerability scare, it's just good form ;)

    As for:

    squibs said: Found this dump of the install process here

    This is always stated on the first start of a MySQL installation and you cannot run mysql_secure_installation without having started MySQL.

    Thanked by 1squibs
  • squibssquibs Member

    @Jar said:
    This is always stated on the first start of a MySQL installation and you cannot run mysql_secure_installation without having started MySQL.

    And again, I learn.

    ¦̵̱ ̵̱ ̵̱ ̵̱ ̵̱(̢ ̡͇̅└͇̅┘͇̅ (▤8כ−◦

  • AmitzAmitz Member

    @Jar: I meant the name change... ;)

    Thanked by 1netomx

    For those who care:
    You can now find me at https://talk.lowendspirit.com or https://www.hostballs.com

  • jarjar Provider

    @Amitz said:
    Jar: I meant the name change... ;)

    Ah, explained in the cest pit ;)

    Thanked by 1Amitz
Sign In or Register to comment.