Add warning for default user/password usage #12603

Closed
madhuracj opened this Issue Sep 30, 2016 · 6 comments
@madhuracj
Member

madhuracj commented Sep 30, 2016

As suggested by Emanuel Bronshtein,

Don’t use the controluser ‘pma’ if it does not yet exist and don’t use ‘pmapass’ as password.
consider testing if pma:pmapass is used, and warn about it?

@ibennetch

Member

ibennetch commented Jun 29, 2018

For this one, my opinion is that we can permit logging in but should show a warning on the main page, similar to the way we warn the user if blowfish_secret is too short.

I'm undecided on whether we should have a configuration directive to bypass this test; I tend to think that's just adding clutter to the already-too-long list of configuration directives, but on the other hand my testing server actually has username pma and password pmapass and I don't want to be warned. I suppose I could just change the password... ;-)

@williamdes

Member

williamdes commented Jun 29, 2018

Is it normal that the following warning disappeared somewhere between 4.5.1 and 4.7.7 and in newer versions?
I know this is maybe not the right place to post this message ...

4.5.1

You are connected as 'root' with no password, which corresponds to the default MySQL privileged account. Your MySQL server is running with this default, is open to intrusion, and you really should fix this security hole by setting a password for user 'root'.

@nulll-pointer

Contributor

nulll-pointer commented Jun 30, 2018

@williamdes, that is exactly what I've been thinking, maybe we can add the warning for pma:pmapass in a similar way.

@ibennetch

Member

ibennetch commented Jun 30, 2018

@williamdes That was removed starting in version 4.6.0, because of #11708. With the introduction of $cfg['Servers'][$i]['AllowNoPassword'], it was decided that since the user had to intentionally allow no-password logins, they therefore didn't need to be warned.
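A compact version of the checks discussed in this thread (the pma:pmapass pair, the old root-with-no-password warning gated on AllowNoPassword, and the blowfish_secret length test), written as an added example rather than phpMyAdmin's own implementation; the function name and the 32-byte threshold are assumptions:

```php
<?php
// Added illustration, not phpMyAdmin's own code: audit one $cfg['Servers'][$i]
// entry for the weak defaults discussed in this issue. Assumed for the example:
// the function name, and 32 bytes as the blowfish_secret length the "too short"
// warning refers to.
function auditServerConfig(array $server, string $blowfishSecret): array
{
    $warnings = [];

    // The controluser/controlpass pair copied from the documentation examples.
    if (($server['controluser'] ?? '') === 'pma'
        && ($server['controlpass'] ?? '') === 'pmapass') {
        $warnings[] = "controluser 'pma' with controlpass 'pmapass' is the"
            . " documented default; set a unique password.";
    }

    // The pre-4.6.0 "root with no password" case. With auth_type 'config' the
    // credentials live in this file and only work when AllowNoPassword is on,
    // so that combination is the one to report.
    if (($server['auth_type'] ?? 'cookie') === 'config'
        && ($server['user'] ?? '') === 'root'
        && ($server['password'] ?? '') === ''
        && !empty($server['AllowNoPassword'])) {
        $warnings[] = "auth_type 'config' logs in as 'root' with no password.";
    }

    // The existing main-page check that the new warning is modelled on.
    if (strlen($blowfishSecret) < 32) {
        $warnings[] = 'blowfish_secret is shorter than 32 bytes.';
    }

    return $warnings;
}

// Constructed sample resembling config.inc.php, with all three weaknesses.
$cfg = [
    'blowfish_secret' => 'changeme',
    'Servers' => [1 => [
        'auth_type' => 'config', 'user' => 'root', 'password' => '',
        'AllowNoPassword' => true,
        'controluser' => 'pma', 'controlpass' => 'pmapass',
    ]],
];

foreach ($cfg['Servers'] as $i => $server) {
    foreach (auditServerConfig($server, $cfg['blowfish_secret']) as $warning) {
        echo "Server $i: $warning\n";
    }
}
```

Run with `php audit.php`; a clean configuration prints nothing, and each finding names the directive to change.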

@ibennetch

Member

ibennetch commented Jun 30, 2018

@nulll-pointer Sounds good to me.

@ibennetch ibennetch added this to the 5.0.0 milestone Aug 6, 2018

@ibennetch ibennetch self-assigned this Aug 6, 2018

@ibennetch

Member

ibennetch commented Aug 6, 2018

Implemented with #14443, so this will become a part of version 5.0

@ibennetch ibennetch closed this Aug 6, 2018