This is applicable to you, guys. (24)

1 Name: hk0!0khonVgaHI 05/01/27(Thu)19:55 ID:lCPyUkyn

http://isc.sans.org/diary.php?date=2005-01-27

A bot that infects installations of MySQL on Windows is sweeping around today.

This usually isn't a problem for unix boxes because they can tell MySQL not to listen to the network, and connect to it with a domain socket from their Perl web application or whatever.
Since it's not possible to run MySQL on Windows without having it listen to the network, if you are going to run it on there for development purposes, please, please, PLEASE run it as an unprivileged user, and set the DBO password (root) to something other than a blank password.

2 Name: Albright!LC/IWhc3yc 05/01/27(Thu)22:29 ID:Heaven

Liar. This isn't applicable to me at all. :P

3 Name: hotaru!hoTarufiRE!!Cizp3pu2 05/01/28(Fri)01:33 ID:dakHrrxm

> Since it's not possible to run MySQL on Windows without having it listen to the network

what

4 Name: !#usr/bin/anon 05/01/28(Fri)04:56 ID:Heaven

I'm not quite sure just how many people here are running a MySQL server on Windows... I doubt it's very low.

Anyway, fools running Windows as a server without a firewall of some description deserve trojans etc. for leaving their box so damn open.

5 Name: dmpk2k!hinhT6kz2E 05/01/28(Fri)06:04 ID:O8yIYbgP

It's possible to run a patched windows machine unfirewalled just fine, although the added protection never hurt anyone.

What's up with RPC services listening to the world though? And you can't turn that feature off AFAIK. Braindead decision if ever I saw one...

6 Name: !#usr/bin/anon 05/01/28(Fri)14:10 ID:Heaven

>>2
Sure it is. You get to sit back and feel smug.

7 Name: !#usr/bin/anon 05/01/29(Sat)16:16 ID:Heaven

8 Name: !#usr/bin/anon 05/01/29(Sat)17:11 ID:4JdxnZyH

if you run without a password for root you deserve it.

9 Name: !#usr/bin/anon 05/01/30(Sun)11:18 ID:Heaven

>>8
Yeah, that's one hell of a 'kick me' sign.

10 Name: !#usr/bin/anon 05/01/30(Sun)12:21 ID:Heaven

But hang on, windows will let you get away with the Administrator's password being blank or stupidly easy, right?

What about UNIX?

11 Name: dmpk2k!hinhT6kz2E 05/01/30(Sun)12:35 ID:cvfi7asR

Depends. I doubt any modern version will allow you to do such a thing without forcing the issue.

12 Name: hk0!0khonVgaHI 05/01/31(Mon)04:25 ID:PAkuh1fe

>>10
In every unix OS that I've tried, the /bin/passwd command running as root never questions what you enter for any user... including a blank password.
Usually if you have a PAM module installed that does password quality checking, there is a module above it in the stack called something like pam_rootok.so which prevents it from second-guessing you. Other OSs like FreeBSD might warn you, but not stop you.
Yet another reason to not run as root all the goddamned time.

13 Name: Albright!LC/IWhc3yc 05/01/31(Mon)11:59 ID:n4ncswck

OS X does not have a root account by default. If you need to do something with root privileges, you can just use sudo.

I recall that in my Linux class, in which we used Red Hat, I had to practically make up a word to use as a password because it refused to let me use any of my "old" passwords.

14 Name: !#usr/bin/anon 05/01/31(Mon)13:41 ID:Heaven

>>13

It does have a root account, just not enabled. You can enable it in the user accounts settings.

15 Name: Albright!LC/IWhc3yc 05/02/01(Tue)00:54 ID:ZKbIK08V

Um, no, you can create it in NetInfo Manager. And by "enabling" it, you create it, so it doesn't have one in the first place.

16 Name: 14 05/02/01(Tue)19:22 ID:Heaven

I guess I stand corrected. Thanks for clearing it up.

17 Name: hk0!0khonVgaHI 05/02/01(Tue)23:38 ID:kFnZIzkp

>>15
No. It's just locked by default. Try running this in a terminal window on a fresh install...

nidump passwd . | grep root

You should see a "*". This means the account is locked... you can't log into it or use su to change to it. You can't even run passwd root because you can run passwd AS root, so it would ask you for the old one first :-)

You use netinfo manager to set the password to something "real".

Also, note that certain OSX processes like the page flush daemon and init are running as root. Although if you do a ps -aux it probably just says user "0" and not root.

18 Name: Albright!LC/IWhc3yc 05/02/02(Wed)01:31 ID:Heaven

Hmm... Okay, I guess I stand corrected.

19 Name: dmpk2k!hinhT6kz2E 05/02/02(Wed)06:51 ID:1ADY8HFU

So... how does Mac enable the root password? If you're not running as root, and root is disabled, there must be an intentional hole somewhere, at least until it's enabled.

Or have I missed something?

20 Name: !hcube5iNfc 05/02/02(Wed)10:24 ID:0PLzwuca

sudo su -
passwd

21 Name: !hcube5iNfc 05/02/02(Wed)10:28 ID:0PLzwuca

Oops, that should've been passwd root (kind of weird, I think, and different from Linux). And running passwd as root never asks you for the old one, at least on any system I've seen.

22 Name: dmpk2k!hinhT6kz2E 05/02/03(Thu)05:44 ID:vKMpaE+0

If that's true, then root was never really disabled in the first place. Or have I missed something?

23 Name: !hcube5iNfc 05/02/03(Thu)10:07 ID:eHgSvpPC

I wouldn't call it "disabled". It exists and it always has in OS X- I don't believe a Unix system could run without one (specifically a UID=0 account, though the name "root" is pretty much a requirement due to a lot of legacy).

Apple just doesn't set the password for it (note: this is not the same as a blank password ahem*Microsoft*cough), and they don't draw much attention to it.
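
Added example, not part of the thread: the distinction drawn in posts 17 and 23 between a locked password field ("*") and a blank one, as a small audit over passwd-format lines. The sample lines are constructed, and the "!" prefix and "x" placeholder are conventions from other Unix systems that the thread does not mention.

```shell
#!/bin/sh
# Added example: classify the password field of passwd-format lines.
# Field 2 is the password field in both the 7-field passwd layout and the
# 10-field layout that BSD-style dumps use.

classify_pw_field() {
    # $1 = raw password field from one passwd-format line
    case "$1" in
        "")        echo blank ;;     # empty field: login needs no password
        "*"*|"!"*) echo locked ;;    # no password hash can ever equal this
        x)         echo shadowed ;;  # real hash lives in a shadow file
        *)         echo set ;;       # a hash is stored in the field itself
    esac
}

audit_passwd() {
    # Reads passwd-format lines on stdin; prints "name uid state" for every
    # UID 0 account and for any account whose password field is blank.
    while IFS=: read -r name pw uid rest; do
        case "$name" in ""|"#"*) continue ;; esac   # skip blanks and comments
        state=$(classify_pw_field "$pw")
        if [ "$uid" = "0" ] || [ "$state" = "blank" ]; then
            echo "$name $uid $state"
        fi
    done
}

# Constructed sample input (not real output from any machine).
sample_passwd() {
    cat <<'EOF'
root:*:0:0::0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false
alice:x:501:20::0:0:Alice:/Users/alice:/bin/bash
guest::502:20::0:0:Guest:/Users/guest:/bin/bash
toor:$1$constructed$notarealhash:0:0::0:0:Alt Root:/var/root:/bin/sh
EOF
}

sample_passwd | audit_passwd
```
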

24 Name: Albright!LC/IWhc3yc 05/02/04(Fri)01:12 ID:Fnl3ICjK

>>19: >>21 may work, but the way Apple (and everyone else) tells you to do it is:
1. Start up /Applications/Utilities/NetInfo Manager (a rather esoteric little utility).
2. Select "Authenticate" from the "Security" menu and type in your password.
3. Select "Enable Root User" from the "Security" menu.
4. Enter a new password for the root account when prompted.

Of course, it should be emphasized that 99% of Mac users won't need to do this. I've installed and am running MySQL, a new PHP and Apache installation, and other geeky stuff just fine without a root account.
