[Mediawiki-l] You should probably change your database password, since you just posted it for the world to see.

Daniel Friesen lists at nadir-seen-fire.com
Tue May 24 07:17:31 UTC 2011


On 11-05-23 09:20 AM, jidanni at jidanni.org wrote:
> You know, the current structure of how one sets up MediaWiki is just
> begging for trouble security-wise,
>
> "You should probably change your database password, since you just posted it for the world to see."
> http://www.mediawiki.org/w/index.php?title=Manual_talk:Preventing_access#Dosn.27t_seem_to_work
>
> I mean I can't think of hardly any other components here on my Linux
> system that encourage one to toss passwords right into the same file
> with the rest of one's settings. It's like we're still at day one when
> the program was first baked.
- WordPress, Drupal, OSCommerce, etc... basically every php, perl,
etc... web software.
- php, if you configure mysql globally using defaults
- Postfix mysql integration
- Nagios and other server monitoring; for when storing things in the
database, and when you need to interact with a mysql server to monitor
stats, etc... (unless you go and add a user that doesn't require a
password; just don't tell me that's a valid solution based on the fact
there is no password in the config *rolls eyes*)
- PowerDNS' database storage
- Puppet, if you use storeconfigs with anything other than SQLite
- Apache, if you want to use MySQL based logging or auth
- Sphinx

Is this what the term 'Fallacy' would refer to?
Indeed there is even /etc/shadow etc.
> Yes, the idea is there are two levels of security for /etc files...
> That way when we send one in for repairs, we don't have to worry if our
> house keys are still in it somewhere, usually.
>
> Yes, the user could easily include() the passwords from a separate file,
> and indeed I remember there was an Admin*.php.
>
> However putting the passwords in a separate file should be the default
> way mediawiki sets up, not something the user must do especially.
I leave this rhetoric to Domas' reply.

-- 
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
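
The include() approach mentioned in the quoted message, sketched as an added example (not part of the original thread and not MediaWiki's shipped code): LocalSettings.php pulls $wgDBuser and $wgDBpassword from a file outside the web root, so the settings file can be posted for support without exposing credentials. The path /etc/mediawiki/db-secrets.php and the helper name loadWikiSecrets() are assumptions made for illustration.

```php
<?php
// Fragment for LocalSettings.php (illustrative, added example).
// Assumption: /etc/mediawiki/db-secrets.php is a PHP file that sets only
// $wgDBuser and $wgDBpassword, owned by root, group = web server user,
// mode 0640.

/**
 * Hypothetical helper: load DB credentials from $path, refusing files the
 * web server could serve or that any local user could read.
 */
function loadWikiSecrets( string $path, string $wikiDir ): array {
    $real = realpath( $path );
    if ( $real === false || !is_file( $real ) ) {
        throw new RuntimeException( 'Secrets file is missing' );
    }

    // Reject a secrets file that sits under the wiki's install directory,
    // where a web server misconfiguration could expose it as plain text.
    $root = realpath( $wikiDir );
    if ( $root !== false ) {
        $prefix = rtrim( $root, '/' ) . '/';
        if ( strncmp( $real, $prefix, strlen( $prefix ) ) === 0 ) {
            throw new RuntimeException( 'Secrets file is inside the wiki directory' );
        }
    }

    // Reject any "other" permission bits (read, write or execute for world).
    if ( ( fileperms( $real ) & 0007 ) !== 0 ) {
        throw new RuntimeException( 'Secrets file is world-accessible' );
    }

    // require runs in this function's scope, so the file's variables stay
    // local and cannot overwrite unrelated settings in the caller.
    $wgDBuser = null;
    $wgDBpassword = null;
    require $real;

    if ( !is_string( $wgDBuser ) || !is_string( $wgDBpassword ) ) {
        throw new RuntimeException( 'Secrets file did not set both credentials' );
    }
    return [ $wgDBuser, $wgDBpassword ];
}

// __DIR__ is the directory holding LocalSettings.php, i.e. the wiki install.
[ $wgDBuser, $wgDBpassword ] = loadWikiSecrets( '/etc/mediawiki/db-secrets.php', __DIR__ );
```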



