Closed shoeper closed 8 years ago
@shoeper Can you confirm this problem in a newly installed Seafile server?
@lins05 Is this a problem with the MySQL script?
I'll give it a try.
@freeplant I don't think it's created by the setup-mysql script. The only place where we create a db user is https://github.com/haiwen/seafile/blob/v4.0.3-server/scripts/setup-seafile-mysql.py#L594, and it creates a user on localhost, with explicit password.
ok, couldn't give it a try again because virtual box didn't want to finish install.
But the user can't be from seafile. Checked any server version setup-seafile-mysql.sh back to 2.2 and I think I've installed v3.x initially on that server. Furthermore seafile did only create localhost users, no % users.
just tested it with a newly setup virtual debian machine. There are 2 mysql users directly after setup (those stated at the top - one without password).
I've run ./setup-seafile-mysql.sh.
- server name: test
- server's ip: some local ip
- default ccnet port
- default seafile data root
- default seafile server port
- default seafile fileserver port
- 1 create new databases
- localhost
- def port
- root password: test
- name for seafile mysql user: seafile
- password test
- ccnet-db (default)
- seafile-db (default)
- seahub-db (default)
Summary:
edit: if mysql is publicly available then I can easily connect with seafile without password (with clients like heidisql).
Furthermore db rights are granted to seafile user without password. Deleting the user results in a not working seafile installation - until I grant those rights on the seafile user with password.
@Sven: I'll check that soon.
On Fri, Jan 2, 2015 at 11:41 AM, Sven notifications@github.com wrote:
Furthermore db rights are granted to seafile user without password. Deleting the user results in a not working seafile installation - until I grant those rights on the seafile user with password.
Maybe there is a wrong grant command leading to a new user with given rights (not sure if it is possible but could be) because the user without password has the permissions for the right tables - instead of the one with password.
yeah, I have fixed that https://github.com/haiwen/seafile/commit/146c46bc3d373180538b833d6fa4d0ec8d863418. I guess we'll release a new version soon with this fixed.
On Fri, Jan 2, 2015 at 11:18 PM, Sven notifications@github.com wrote:
Maybe there is a wrong grant command leading to a new user with given rights (not sure if it is possible but could be)
You should also make an upgrade script to remove the user without password and grant permissions to the one with password.
Agreed.
On Fri, Jan 2, 2015 at 11:22 PM, Sven notifications@github.com wrote:
You should also make an upgrade script to remove the user without password and grant permissions to the one with password.
update 4.0.4 is there, but no upgrade script fixing the bug for existing installations. I've already fixed it for me, but many people don't even know of this issue.
People will run the upgrade script only in a minor or major upgrade. We will add the fix to "upgrade_4.0_4.1.sh"
Ok. On 07.01.2015 at 03:22, "Daniel Pan" notifications@github.com wrote:
People will run the upgrade script only in a minor or major upgrade. We will add the fix to "upgrade_4.0_4.1.sh"
Just had a look at phpmyadmin and found out there is a user seafile@% without password. See image from pma (second one is the "normal" user but what's the first one?):

It's no risk in my case but is this really wanted?
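The cleanup discussed in this thread, as an added example (not part of the original posts and not Seafile's upgrade script): it finds the passwordless account, moves the grants to the password-protected account, then drops the passwordless one. The account and database names are the ones given in the thread; `ALL PRIVILEGES` and the `mysql.user.Password` column (older MySQL and MariaDB) are assumptions.

```sql
-- Added example. Run as the MySQL root user on an existing installation.
-- Names taken from the thread: user "seafile", databases ccnet-db,
-- seafile-db and seahub-db. Adjust them if your setup used other names.

-- 1. Audit: list every account that has no password set.
--    Assumption: the server stores the hash in mysql.user.Password
--    (older MySQL, MariaDB). On MySQL 5.7+ use the commented variant.
SELECT User, Host FROM mysql.user WHERE Password = '';
-- SELECT User, Host FROM mysql.user
--  WHERE authentication_string = '' OR authentication_string IS NULL;

-- 2. Compare what each account is allowed to do. In the thread the
--    passwordless 'seafile'@'%' account held the database grants.
SHOW GRANTS FOR 'seafile'@'%';
SHOW GRANTS FOR 'seafile'@'localhost';

-- 3. Grant the password-protected account access first, so Seafile keeps
--    working once the other account is gone. ALL PRIVILEGES is an
--    assumption; mirror whatever step 2 reported for 'seafile'@'%'.
--    No IDENTIFIED BY clause: the existing password stays unchanged.
GRANT ALL PRIVILEGES ON `ccnet-db`.*   TO 'seafile'@'localhost';
GRANT ALL PRIVILEGES ON `seafile-db`.* TO 'seafile'@'localhost';
GRANT ALL PRIVILEGES ON `seahub-db`.*  TO 'seafile'@'localhost';

-- 4. Remove the passwordless wildcard-host account together with its grants.
DROP USER 'seafile'@'%';

-- 5. Verify: only the localhost account should remain, with a password hash.
SELECT User, Host, Password <> '' AS has_password
  FROM mysql.user
 WHERE User = 'seafile';
```

Restart Seafile and Seahub afterwards and confirm they still connect as `seafile`@`localhost`.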