Re: [SLUG] phpMyAdmin warning message

From: Kwan Lowe (kwan@digitalhermit.com)
Date: Wed Feb 25 2004 - 00:21:30 EST


> phpMyAdmin is a pretty slick piece of work but it's thorough enough that it's
> pointing out a fairly urgent problem.
>
> phpMyAdmin is telling me
>
> "Your configuration file contains settings (root with no password) that
> correspond to the default MySQL privileged account. Your MySQL server is
> running with this default, is open to intrusion, and you really should fix
> this security hole."
>
> This sounds like it is warning me about several things, none of them any good.
> 1) that the root MySQL account does not have a password
> 2) that phpMyAdmin is logged into MySQL as that passwordless root user
> 3) that anyone who wants to can log into my web server and really bugger
> things up.

All of these things...
How I generally set up MySQL is to create a dbadmin user with full privileges.
The MySQL permissions are completely separate from the OS/filesystem ones so
this doesn't mean you lose any rights to the database. By default, MySQL
allows the root user to login without a password to allow you to set up
databases and users. Once this is done you generally disable the root login or
change the password.
>
> In Webmin I can see that the root user is indeed passwordless and I can give
> him a password. However, I can then no longer log in via phpMyAdmin. So I
> edited the password fields in config.inc.php to show (first) the hash of the
> password that Webmin showed me after encrypting it and (second try) the clear
> text of the password before encryption.
>

You'd want the documentation here:
http://www.phpmyadmin.net/documentation/

In particular, look at the Authentication options and verify that you have
them set up correctly. Also note that using an htaccess file is recommended.
You do *not* want to just disable the Index as I wrote in the other email (I
didn't know the context of your question then).

Though it is optional, you should create the phpmyadmin tables if you want the
full functionality. Check out the canned sql scripts that do this for you.

> I -want- to fix this hole but don't know how. phpMyAdmin looks to be a mighty
> useful tool, but I don't want to share admin privileges with everybody on the
> planet.
>
> Solutions? Tips? Tutorials? Documentation segments to read? I'm not looking to
> be a MySQL consultant ... only to get this single instance of it running on
> my personal web server so I can serve variable content web pages.
>
> Bill

-- 
* The Digital Hermit   http://www.digitalhermit.com
* Unix and Linux Solutions   kwan@digitalhermit.com
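
The condition behind the warning quoted in this message can be checked offline. The following is an added example, not part of the original message and not phpMyAdmin's own code: it scans a `config.inc.php` for server entries that use `config` authentication with root and an empty password, or with any stored account. The sample config is constructed, the function name and finding labels are hypothetical, and treating a missing `auth_type` as `config` is an assumption of the example.

```python
import re

# Constructed sample in the layout of phpMyAdmin's config.inc.php (not from the thread).
SAMPLE = r"""<?php
$i = 0;
$i++;
$cfg['Servers'][$i]['host']      = 'localhost';
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user']      = 'root';
$cfg['Servers'][$i]['password']  = '';
$i++;
$cfg['Servers'][$i]['host']      = 'localhost';
$cfg['Servers'][$i]['auth_type'] = 'http';
$cfg['Servers'][$i]['user']      = '';
$cfg['Servers'][$i]['password']  = '';
$i++;
/* $cfg['Servers'][$i]['user'] = 'root'; */
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user']      = 'dbadmin';
$cfg['Servers'][$i]['password']  = 'constructed-example';
"""

# Matches lines such as: $cfg['Servers'][$i]['user'] = 'root';
SETTING = re.compile(
    r"""^\s*\$cfg\['Servers'\]\[\$i\]\['(\w+)'\]\s*=\s*(['"])(.*?)\2\s*;""",
    re.MULTILINE)

def audit_config(text):
    """Return {server_number: [finding, ...]} for risky server entries."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)  # drop block comments
    report, number = {}, 0
    for chunk in re.split(r"\$i\+\+\s*;", text):  # each server block follows "$i++;"
        cfg = {m.group(1): m.group(3) for m in SETTING.finditer(chunk)}
        if not cfg:
            continue  # text before the first server block
        number += 1
        # Assumption of this example: a missing auth_type means 'config'.
        if cfg.get("auth_type", "config") != "config":
            continue  # http/cookie: credentials are asked for at login
        findings = []
        if cfg.get("user") == "root" and cfg.get("password", "") == "":
            findings.append("root-no-password")  # the case phpMyAdmin warns about
        if cfg.get("user"):
            findings.append("auto-login")  # every visitor is logged in as this account
        if findings:
            report[number] = findings
    return report

if __name__ == "__main__":
    for server, findings in audit_config(SAMPLE).items():
        print(f"server {server}: {', '.join(findings)}")
```
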