Re: [cobalt-users] Re: phpMyAdmin multi-user
- Subject: Re: [cobalt-users] Re: phpMyAdmin multi-user
- From: Brent Sims <bs@xxxxxxxxxxx>
- Date: Fri Aug 31 11:00:05 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Fri, 31 Aug 2001, Steve Werby wrote:
} have added "through phpMyAdmin" to the end of my statement. I never meant
} to suggest that following my suggestion would prevent access through other
} software.
Hi Steve,
Therein, perhaps, lies what's put us at odds. You were
speaking specifically of phpmyadmin and I was covering a bit more
ground.
} Care to share how to find the info. you are referring to?
The full Unix path to the parent directory of the databases
is listed on one of the information screens (I've removed the
installation so you'll have to look). On the vast majority of MySQL
installations I've seen a simple ls /path/to/mysql is all that's
needed from there.
} that access to the list of DBs couldn't be achieved through other means. In
Indeed you didn't. I just wanted to make sure that nobody
else thought that you did. Nevertheless, please accept my apology as
you obviously were not making the blanket statement that I thought
you were. I tend to get a bit tight in matters such as this...
} likely take a very long time. As such I see little risk in anyone knowing
} the names of the databases on a server. Though one might prefer the
} database names not to be known, what is the harm if they are known? Perhaps
} users can find out the names of your other hosted sites if you name your
} databases after them, but you can name the databases 'rybcekpd' if you want.
} If this truly is a concern a server admin should do the following (among
} other things):
I can't agree with you more. Strong passwords will indeed
keep all but the most determined cracker at bay. While I myself have
been known to indulge in a bit of security through obscurity, not
going to the effort of blocking viewing of the database names on an
installation which is protected by a strong password can very well
provide perhaps even a higher level of security through obscurity as
a honey pot of sorts.
While I myself run a pretty tight ship I try to focus on
what's worth doing rather than what might pay off if I get really
lucky.
} Woah there, Brent! We're all entitled to an opinion, but I consider that
} unfounded speculation. Your perception was that my comments suggested a
} false sense of security and my perception is that your comments suggest the
} opposite.
I think that neither of us explained our thoughts in enough
detail for the other. But there is validity in that comment. PHP can
grab other users config files if not configured properly. Again, I
was not looking at an installation which was done by the system
admin, but rather what a user could do with their own installation
of phpmyadmin. A phpmyadmin installation that contains the root
mysql password in the config file could easily put that mysql
installation at risk of being exploited by a user who knows their
way around PHP.
} I don't maintain that I'm all-knowing.
When I was twenty I was sure I knew everything. Now I'm 50
and I'm pretty sure I don't know much about anything. I do, however,
know that my gorgeous wife made my favorite dinner out of guilt -
the only time she cooks is when she's wanting to take advantage
of me... she and the kids are going somewhere for the weekend, I
suspect. So I think it's time for me to bail out so I can enjoy one
of those wonderful "we'll be flat broke by the time I get back"
dinners that she does so very well.
Peace be with you,
Brent Sims
WebOkay Internet Services, LLC
http://www.WebOkay.net
mailto: Brent@xxxxxxxxxxx
(719) 595-1427 (Voice/Fax)
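The risk Brent raises above (a user-installed phpMyAdmin whose config file holds the MySQL root password and is readable by other accounts' PHP) can be audited from the admin side. This is an added example, not code from the thread or from phpMyAdmin; the config file paths and the sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the list thread: audit a phpMyAdmin config file on a
# shared host for the two conditions discussed above. A config that stores the
# MySQL root account is a liability, and a config readable by other accounts
# can be read by any PHP script those accounts run. Sample configs are
# constructed for the demonstration; the file paths are assumptions.

# audit_pma_config FILE: print one finding per line, return 1 if any found.
audit_pma_config() {
    f="$1"
    rc=0
    # Condition 1: the config authenticates as the MySQL root account.
    if grep -Eq "\['user'\][[:space:]]*=[[:space:]]*'root'" "$f"; then
        echo "$f: stores MySQL root credentials"
        rc=1
    fi
    # Condition 2: group- or world-readable, so other accounts' PHP can open it.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        *00) ;;    # owner-only permissions, nothing to report
        *) echo "$f: mode $mode is readable by other accounts"; rc=1 ;;
    esac
    return $rc
}

# Constructed samples: one user-installed config with root credentials left
# world-readable, and one per-site account locked down to its owner.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '<?php' "\$cfg['Servers'][\$i]['user'] = 'root';" \
        "\$cfg['Servers'][\$i]['password'] = 'changeme';" > "$d/bad.inc.php"
    chmod 644 "$d/bad.inc.php"
    printf '%s\n' '<?php' "\$cfg['Servers'][\$i]['user'] = 'site1';" > "$d/ok.inc.php"
    chmod 600 "$d/ok.inc.php"
    audit_pma_config "$d/bad.inc.php" || true
    audit_pma_config "$d/ok.inc.php" && echo "$d/ok.inc.php: ok"
    rm -rf "$d"
}

demo
```

Run it over every config.inc.php under the user home directories to find the installations that need a dedicated, non-root MySQL account and owner-only permissions.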