[development] Drupal 5.x Installation is Bad!
Amr Mostafa
amr.mostafa at gmail.com
Wed Oct 11 07:52:50 UTC 2006
Drupal 4.7.3 doesn't create tables for you.
Drupal needs user/pass for a user who only has access to Drupal's own
database. On the other hand, superuser has access to every database on
your mysql/pgsql server.
It's not really hard to have an installer that does everything for
you, but you will need to give it ultimate privilege, which is bad
security-wise. Drupal tries to balance things.
On 10/11/06, Drupal Indonesia <support at drupal-id.com> wrote:
>
>
> Now, how can Drupal 4.7.3 create table for me if the db username has no rights to create table? Isn't that a security risk?
> Or just remove the db username (with create DB rights) after fresh installation. Simply.
>
>
>
> ----- Original Message -----
> From: Amr Mostafa
> To: development at drupal.org
> Sent: Wednesday, October 11, 2006 3:11 PM
> Subject: Re: [development] Drupal 5.x Installation is Bad!
>
> Technically, it's impossible for the installer to create the database for you UNLESS you provide it with the username and password of the superuser (e.g. root).
> After installation, it stores the superuser name and password in a config file to remember them later whenever it wants to connect to the database. This is bad security; it leaves your superuser information out somewhere. Due to a security bug in ANY application running under Apache, someone could be able to read your config file and steal your superuser information.
>
> Drupal strives for ease of use but without affecting security.
>
>
> On 10/11/06, Drupal Indonesia <support at drupal-id.com> wrote:
> > Hi,
> >
> > I just tried the 5.x CVS version and am very sad that the installation procedure can't
> > create the Database for me! Unlike Joomla, this is very sad.
> > Does core dev have plan to make it better (easier)?
> >
> > Regards.
> >
> >
>
>
>
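The following is an added example, not part of the original thread or of Drupal's code: a Python check that reads MySQL `SHOW GRANTS` output for the account whose credentials sit in the site's config file and reports any privilege reaching beyond the application's own database. The database name `drupal`, the account names and the grant lines are constructed for illustration.

```python
import re

# One line of MySQL `SHOW GRANTS` output: GRANT <privs> ON <scope> TO <account...>
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<rest>.*)$",
    re.IGNORECASE,
)

def audit_grants(lines, app_db):
    """Return findings for an application account; an empty list means the
    account can only touch `app_db` and cannot hand out privileges."""
    findings = []
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        scope = m.group("scope").replace("`", "")
        db = scope.split(".", 1)[0]
        if re.search(r"WITH\s+GRANT\s+OPTION", m.group("rest"), re.IGNORECASE):
            findings.append(f"GRANT OPTION on {scope}")
        if privs == {"USAGE"}:
            continue  # USAGE carries no privileges; it only records the login
        if db == "*":
            findings.append(
                f"global privileges ({', '.join(sorted(privs))}) on {scope}")
        elif db != app_db:
            findings.append(f"privileges on foreign database {db!r}")
    return findings

# Constructed sample: what an installer would store if given the superuser.
SUPERUSER = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
]
# Constructed sample: an account limited to the application's own database.
SCOPED = [
    "GRANT USAGE ON *.* TO 'drupal'@'localhost' IDENTIFIED BY PASSWORD '<hash>'",
    "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER "
    "ON `drupal`.* TO 'drupal'@'localhost'",
]

if __name__ == "__main__":
    for name, grants in (("superuser", SUPERUSER), ("scoped", SCOPED)):
        print(name, audit_grants(grants, "drupal") or "OK")
```

Any finding for the account in the config file means a leaked config exposes more than the one application database.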