Access denied for user 'root'@'localhost' (using password: NO)

Ted Mittelstaedt tedm at toybox.placo.com
Fri Feb 4 01:50:45 PST 2005



> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Technical
> Director
> Sent: Thursday, February 03, 2005 3:47 AM
> To: Ted Mittelstaedt
> Cc: Positive Negative; freebsd-questions at freebsd.org;
> Technical Director
> Subject: RE: Access denied for user 'root'@'localhost' (using password:
> NO)
>
>
>
> On Thu, 3 Feb 2005, Ted Mittelstaedt wrote:
>
> > Do you run php database driven apps on the same server as you use to
> > provide shell services?  I don't.  If the webserver is configured
> > right it won't allow remote clients to read the scripts, only execute
> > them.
>
> Ted,
>
> Shared hosting sites, in my experience anyway (which I will grant doesn't
> mean much), is that your ftp access gives you:
>
> -rw-r--r-- {$your_name} {$web_group} somefile.php
>
> where {$web_group} is a common group that everyone belongs to and other
> is always readable just cause it's easier leaving the file/directory mask
> as is.
>

Yes, I see.  I might also submit that the ISP dumb enough to give a
customer the root userID and password on the mysql server that
they are running on that shared server deserves what they get.

> Meaning that if you can cd to some other user's dir you can
> read that file.
>
> As well, in the case of php at least, web use of php does not require the
> execute bit to be set at all, only the read bit.
>

Yes, that is a good point, but I wasn't referring to that.
The webserver should know that if it's got a .php extension then
it's supposed to run the file, not give it out in plaintext to some
remote bozo with a web browser.

> Again I speak for web use php scripts.
>

It is true that if you have a shared server set up with php, and you
are selling/giving/whatever customers access to php on this server,
then a customer foolish enough to have a php script set up world-readable
that has his database name and userID and password in it
is basically allowing any other customer that has access to this
server access to his database.  And that other customer, through ignorance
or malice, could wipe out the first customer's data.  Of course, this
doesn't compromise any other customer's database on that mysql server,
as we are presuming that the ISP has issued individual userIDs and
passwords for each database to every customer.  (NOT the root password)

Speaking as an ISP I would say if this happened to one of our customers
I would pretty much have the attitude of "too bad, not our problem"
as this would have meant that the customer with the trashed database
would have not actually bothered to read the information packet we
gave to him when he first requested php access on his shared site.
I think most other ISPs would have the same attitude.  We're a nasty
bunch.

To me, "root at localhost" pretty much implied that the poster was
managing the mysql server.  I cannot imagine him having this
kind of access on a shared server.  (at least, not on one that was
run by any halfway competent ISP that is)

Actually, as a point of fact, about once a quarter I have a customer
e-mail me that he thinks that we must not have any security on our
shared webserver since he can do a cd ../ then ls -l and see everyone's
files.  (we give shell access on some of our shared webservers)  That
is the time I explain that it's really none of our business if a customer
chooses to exercise their right to NOT change the permissions bits
on their files.  That usually quiets the smart guy down,
especially after I explain that he's quite obviously chosen not to
change the permissions bits on his own files as well. :-)

Ted
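The permission problem discussed in this thread (PHP files left at the default -rw-r--r-- on a shared host, readable by every other local account) can be audited and fixed from the shell. The script below is an added example, not code from the thread or from FreeBSD; the function names are invented and the web root it builds is constructed for the demonstration. It assumes POSIX sh with find(1), chmod(1) and mktemp(1).

```shell
#!/bin/sh
# Added example, not code from the thread: audit a web root on a shared host
# for PHP files that are world-readable (the -rw-r--r-- default the post
# describes), which any other local shell user could read for credentials.
# Assumes POSIX sh, find(1), chmod(1) and mktemp(1); all paths are constructed.

# List regular *.php files under $1 that carry the "other read" bit (o+r).
world_readable_php() {
    find "$1" -type f -name '*.php' -perm -004
}

# Strip read/execute from "other" on those files.  The web server only needs
# the read bit for the user or group it runs as, so o-rx does not break PHP.
fix_world_readable_php() {
    find "$1" -type f -name '*.php' -perm -004 -exec chmod o-rx {} +
}

# Number of still-exposed PHP files; 0 means the audit is clean.
count_world_readable_php() {
    world_readable_php "$1" | wc -l | tr -d ' '
}

# Build a constructed web root under a default umask, then audit and fix it.
# Prints the counts before and after; exit status is the count after the fix.
demo_audit() {
    root=$(mktemp -d)
    (
        umask 022   # typical default: new files come out -rw-r--r--
        mkdir -p "$root/htdocs/include"
        # constructed sample config with placeholder credentials
        printf '<?php $db_user = "demo"; $db_pass = "changeme"; ?>\n' \
            > "$root/htdocs/include/config.php"
        printf '<?php echo "hello"; ?>\n' > "$root/htdocs/index.php"
        printf 'static content\n' > "$root/htdocs/notes.txt"
    )
    before=$(count_world_readable_php "$root")
    fix_world_readable_php "$root"
    after=$(count_world_readable_php "$root")
    echo "world-readable php files: before=$before after=$after"
    rm -rf "$root"
    return "$after"
}
```

Running `demo_audit` on the constructed tree reports two exposed files before the fix and none after; pointing `world_readable_php` at a real home directory lists what other shell users on the box can currently read.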
