
Author Topic: Mysql Security in Kloxo-MR  (Read 10129 times)


prgs1971
Mysql Security in Kloxo-MR
« on: 2013-08-18, 17:34:03 »
From what it seems to me, but I can be wrong, the Kloxo-MR setup script that we run after installation doesn't execute:
Code: [Select]
[root@server]# mysql_secure_installation
Can anybody confirm this?

MRatWork
Re: Mysql Security in Kloxo-MR
« Reply #1 on: 2013-08-18, 17:47:05 »
What do you mean? Did you try running 'mysql_secure_installation'?
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

prgs1971
Re: Mysql Security in Kloxo-MR
« Reply #2 on: 2013-08-18, 17:59:09 »
Yes, I have run it with success.

Code: [Select]
[root@server]# mysql_secure_installation
Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MySQL comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...



All done!  If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!


[root@server]#

MRatWork
Re: Mysql Security in Kloxo-MR
« Reply #3 on: 2013-08-18, 18:16:44 »
When you set the root password manually, it's possible to have problems with certain parts of Kloxo-MR (usually webmail). You need to run 'sh /script/reset-mysql-root-password YOURPASSWORDHERE'.

prgs1971
Re: Mysql Security in Kloxo-MR
« Reply #4 on: 2013-08-18, 18:30:40 »
Before I ran "mysql_secure_installation" I had run this script as advised in the Kloxo-MR admin, but the Kloxo-MR admin doesn't state that we need to input the password as plain text in front of the command as you have instructed now.

It is not good practice to input the password in plain text with the command... it will be saved in the command history.

MRatWork
Re: Mysql Security in Kloxo-MR
« Reply #5 on: 2013-08-18, 18:41:52 »
Change 'YOURPASSWORDHERE' to other text as you want. That's it!

prgs1971
Re: Mysql Security in Kloxo-MR
« Reply #6 on: 2013-08-18, 18:51:54 »
I know what you mean, but that is not secure...

Input a password in plain text????

The script must ask for the password after it starts running ;) not like it is now, where you have to input the password in plain text...

MRatWork
Re: Mysql Security in Kloxo-MR
« Reply #7 on: 2013-08-18, 18:54:33 »
I don't know what you mean by 'password in plain text'.

prgs1971
Re: Mysql Security in Kloxo-MR
« Reply #8 on: 2013-08-18, 19:16:09 »
Inputting the password in plain text means that the password is visible (you can read the password) on the command line.
Code: [Select]
[root@server]# sh /script/reset-mysql-root-password YOURPASSWORDHERE
The secure mode would be something like this:
Code: [Select]
[root@server]# sh /script/reset-mysql-root-password
Enter password:     // when you type the password here you will not see what you are typing
....
script execution
....
[root@server]#

MRatWork
Re: Mysql Security in Kloxo-MR
« Reply #9 on: 2013-08-18, 19:19:33 »
Is it still dangerous when you input the password with only you in front of your PC monitor?

prgs1971
Re: Mysql Security in Kloxo-MR
« Reply #10 on: 2013-08-18, 19:53:28 »
I say this because that command will be saved in the command-line history.

I will look for that file and erase the entry after I run this command.

MRatWork
Re: Mysql Security in Kloxo-MR
« Reply #11 on: 2013-08-18, 20:06:33 »
Ok, 2 questions:

1. How do you access 'command history' and who is able to access this history?
2. Did you try mysql_secure_installation and reset-mysql-root-password, and was your input recorded by 'command history'?

prgs1971
Re: Mysql Security in Kloxo-MR
« Reply #12 on: 2013-08-18, 20:53:52 »
To access the command history you just need to use your up and down arrow keys or look at the content of the file ~/.bash_history

I ran
Code: [Select]
[root@server]# mysql_secure_installation
and after that I ran

Code: [Select]
[root@server]# reset-mysql-root-password YOURPASSWORDHERE

Now I am able to see the password by accessing the last inputs in the command line, using the "up" arrow key.

To see the password in the file ~/.bash_history I need to exit from root and log in again.
Code: [Select]
[root@server]# exit
[root@server]# su -
[root@server]# vim ~/.bash_history

Now I can confirm that the password is visible in this file, and I erase this line from the file ;)

After I close and save the file I have to exit from root and log in again to confirm that reset-mysql-root-password YOURPASSWORDHERE is no longer accessible from the command line history by using the "up" arrow key to walk through the last inputs we have made in the command line.

OK.. I confess, I am paranoid about security  8-)
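
The no-echo prompt proposed in Reply #8 and the history clean-up described in Reply #12, sketched as an added example that is not part of the thread or of Kloxo-MR. `read_secret` and `scrub_history` are hypothetical helper names, and the history lines in `demo` are constructed.

```sh
#!/bin/sh
# Added example, not Kloxo-MR code. read_secret and scrub_history are
# hypothetical helpers; the sample history lines below are constructed.

# Prompt without echo and print the typed secret on stdout, so it can be
# captured with pw=$(read_secret) instead of being typed on a command line.
read_secret() {
    if [ -t 0 ]; then
        printf '%s' "${1:-Enter password: }" >&2
        saved=$(stty -g)
        trap 'stty "$saved"; exit 130' INT TERM   # restore echo on Ctrl-C
        stty -echo
        IFS= read -r secret
        stty "$saved"
        trap - INT TERM
        echo >&2
    else
        IFS= read -r secret                       # piped input, no tty
    fi
    printf '%s' "$secret"
}

# Redact whatever follows reset-mysql-root-password in a history file.
# Rewrites the file in place (keeping its mode) and prints how many
# lines carried an argument.
scrub_history() {
    file=$1
    tmp=$(mktemp) || return 1
    count=$(grep -cE 'reset-mysql-root-password[[:space:]]+[^[:space:]]' "$file" || true)
    sed -E 's/(reset-mysql-root-password)[[:space:]]+[^[:space:]].*$/\1 [REDACTED]/' "$file" > "$tmp" &&
        cat "$tmp" > "$file"
    rm -f "$tmp"
    echo "$count"
}

demo() {
    hist=$(mktemp) || return 1
    printf '%s\n' 'mysql_secure_installation' \
        'sh /script/reset-mysql-root-password CONSTRUCTED-Secret1' \
        'vim ~/.bash_history' > "$hist"          # constructed history
    scrub_history "$hist"
    cat "$hist"
    rm -f "$hist"
}
demo
```

Called as `sh /script/reset-mysql-root-password "$(read_secret)"`, the password stays out of `~/.bash_history`, though it is still an argument of the running process and visible in the process list until the script exits. Run `scrub_history ~/.bash_history` from a fresh login, because a bash session that still holds the command in memory writes it back to the file on exit.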

MRatWork
Re: Mysql Security in Kloxo-MR
« Reply #13 on: 2013-08-18, 21:06:33 »
I am not changing how the script works because I am not paranoid. I am concerned about security, but not to the point of paranoia.

Sorry.

MRatWork
Re: Mysql Security in Kloxo-MR
« Reply #14 on: 2013-08-18, 21:09:48 »
If you do not select 'mod_php' (already removed from Kloxo-MR) and only you (as root/admin) are able to access ssh, there is no reason to worry that other people are able to access the bash history (because it is impossible).

 

