[development] Drupal 5.x Installation is Bad!

Amr Mostafa amr.mostafa at gmail.com
Wed Oct 11 07:52:50 UTC 2006


Drupal 4.7.3 doesn't create tables for you.

Drupal needs the user/pass for a user who only has access to Drupal's own
database. On the other hand, the superuser has access to every database on
your mysql/pgsql server.

It's not really hard to have an installer that does everything for
you, but you will need to give it ultimate privilege, which is bad
security-wise. Drupal tries to balance things.

On 10/11/06, Drupal Indonesia <support at drupal-id.com> wrote:
>
>
> Now, how can Drupal 4.7.3 create a table for me if the db username has no rights to create tables? Isn't that a security risk?
> Or just remove the db username (with create DB rights) after a fresh installation. Simply.
>
>
>
> ----- Original Message -----
> From: Amr Mostafa
> To: development at drupal.org
> Sent: Wednesday, October 11, 2006 3:11 PM
> Subject: Re: [development] Drupal 5.x Installation is Bad!
>
> Technically, it's impossible for the installer to create the database for you UNLESS you provide it with the username and password of the superuser (e.g. root).
> After installation, it stores the superuser name and password in a config file to remember them later whenever it wants to connect to the database. This is bad security, it leaves your superuser information out somewhere. Due to a security bug in ANY application running under apache, someone could be able to read your config file and steal your superuser information.
>
> Drupal strives for ease of use but without affecting security.
>
>
> On 10/11/06, Drupal Indonesia <support at drupal-id.com> wrote:
> > Hi,
> >
> > I just tried the 5.x CVS version and am very sad that the installation procedure can't
> > create the database for me! Unlike Joomla, this is very sad.
> > Do the core devs have a plan to make it better (easier)?
> >
> > Regards.
> >
> >
>
>
>
>
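
The split discussed in this thread, as an added example that is not part of any of the messages above and is not Drupal's own install script: the superuser is used once by hand, and the site's config file only ever holds an account scoped to one database. MySQL syntax; the database name `drupal`, the account `drupal_site` and the password are placeholders assumed for illustration.

```sql
-- Added example. `drupal`, 'drupal_site' and 'change-me' are placeholders.

-- One-time step, typed at the mysql prompt as the server's superuser.
-- These superuser credentials are never written into the site's config file.
CREATE DATABASE drupal;
CREATE USER 'drupal_site'@'localhost' IDENTIFIED BY 'change-me';

-- Scope every privilege to drupal.* only. CREATE here is the database-level
-- privilege: it lets the account create tables inside `drupal` and gives it
-- nothing on any other database hosted on the same server.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER
    ON drupal.* TO 'drupal_site'@'localhost';

-- Weak setting, shown commented out for contrast: this is roughly what a
-- "does everything for you" installer ends up storing if it is handed a
-- superuser-level account. A config-file leak then exposes every database.
-- GRANT ALL PRIVILEGES ON *.* TO 'drupal_site'@'localhost' WITH GRANT OPTION;

-- Optional tightening once the tables exist: remove the schema-changing
-- rights for day-to-day operation. Re-grant them before anything that needs
-- to alter the schema (for example installing or updating a module).
REVOKE CREATE, DROP, INDEX, ALTER ON drupal.* FROM 'drupal_site'@'localhost';

-- Check what the account can actually do; only drupal.* should be listed
-- besides the default USAGE entry.
SHOW GRANTS FOR 'drupal_site'@'localhost';
```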

