Hi Mark,
By default, the installation has to provide a way to access it - a starting user. It's not a security hole because: 1) do not open your system to the Internet (public mysql or running openser) immediately after installation without customizing it; 2) before installation, you may set a different default username and password via environment variables (check the beginning of the opensermysql script).
This is typical behaviour of all software - leaving an initial way of access that is not properly configured; these may indeed turn into security holes: mysqld installs by default the user root with no password, apache starts by default listening on all interfaces (including the public ones), etc.
regards, bogdan
Mark Kent wrote:
Hello,
I just noticed that openser_mysql.sh creates the username "admin" with the default openserrw password in the subscriber table.
This seems to introduce a security hole where a well-known username and password pair would exist on most virgin openser installations.
Is there a good reason to have that entry in the "subscriber" table? Is it used anywhere?
Now I know that we're supposed to change the mysql access passwords, but I have to admit that I didn't think to change a password actually embedded IN the data of the mysql database.
Did I miss a critical security note somewhere alerting me to this default user?
Thanks, -mark
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
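The check a practitioner would want after reading this thread is a way to confirm that no default "admin"/"openserrw" subscriber survived on an installation, including the case where only the digest column is populated. The script below is an added example written for this page, not code from OpenSER or from either poster. It assumes the subscriber table carries the columns username, domain, password and ha1, and that ha1 is stored as MD5(username:domain:password) (the usual digest-auth HA1); both are assumptions to verify against your own schema. The sample rows are constructed, not taken from a real database.

```python
import hashlib

# Default credential pairs to look for.  The admin/openserrw pair is the one
# discussed in the thread; extending this list is an assumption left to the
# operator (e.g. if a site-specific default was set via the script's
# environment variables).
DEFAULT_CREDENTIALS = [("admin", "openserrw")]


def ha1(username: str, realm: str, password: str) -> str:
    """Digest-auth HA1 = hex(MD5(username:realm:password)).

    Assumption: the subscriber.ha1 column is filled in this way, with the
    subscriber's domain used as the realm.
    """
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def find_default_accounts(rows):
    """Flag subscriber rows that still carry a known default credential.

    rows: iterable of dicts with keys username, domain, password, ha1
    (password may be empty when only digests are stored).
    Returns a list of (username, domain, reason) tuples.
    """
    findings = []
    for row in rows:
        user = row.get("username", "")
        domain = row.get("domain", "")
        for def_user, def_pw in DEFAULT_CREDENTIALS:
            if user != def_user:
                continue
            # Cleartext column still holds the default password.
            if row.get("password") == def_pw:
                findings.append((user, domain, "cleartext password matches default"))
            # Cleartext was blanked or never stored, but the digest still
            # corresponds to the default password for this user@domain.
            elif row.get("ha1") and row["ha1"].lower() == ha1(user, domain, def_pw):
                findings.append((user, domain, "ha1 digest matches default password"))
    return findings


# Constructed sample rows (not real data): one untouched default account,
# one where only the digest was kept, one ordinary user, and one admin
# whose password was actually changed.
SAMPLE_ROWS = [
    {"username": "admin", "domain": "sip.example.org", "password": "openserrw",
     "ha1": ha1("admin", "sip.example.org", "openserrw")},
    {"username": "admin", "domain": "voip.example.net", "password": "",
     "ha1": ha1("admin", "voip.example.net", "openserrw")},
    {"username": "alice", "domain": "sip.example.org", "password": "s3cret",
     "ha1": ha1("alice", "sip.example.org", "s3cret")},
    {"username": "admin", "domain": "sip.example.org", "password": "",
     "ha1": ha1("admin", "sip.example.org", "changed-it")},
]

if __name__ == "__main__":
    for user, domain, why in find_default_accounts(SAMPLE_ROWS):
        print(f"default account {user}@{domain}: {why}")
```

In practice you would feed it the rows returned by a query such as `SELECT username, domain, password, ha1 FROM subscriber` (column names assumed as above) and either delete the flagged rows or set a new password and recompute the digest columns, rather than only editing the cleartext column.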