Delete mysql users should confirm! root accounts should be undeletable, unmodifiable.

12 posts / 0 new
Last post
#1 Fri, 08/12/2011 - 11:38
TomSwirly

Delete mysql users should confirm! root accounts should be undeletable, unmodifiable.

Hello!

Let me start by saying that I didn't actually delete anything I didn't want to delete - because I'm ultra-paranoid. :-)

And overall, my experience with Webmin/Virtualmin has been excellent - indeed, I opened this account weeks ago, and several times started to prepare questions for the forum but each time discarded them as I found the answer here. I had to move almost 100 domains for my non-profit webhosting from an end-of-life hosting to Rackspace and I shudder to think what it would have been like without *min...

But here's my little complaint.

I carefully selected a lot of mysql users I wanted to delete and then pressed Delete Selected - and they were instantly deleted, no recourse, scaring me enough I yelled "Whoa!" and frightened my wife. I had checked the list twice, it was right - but I expected an "Are you sure?"

The next guy might not be as careful as I am. Worse, it seems to me that you could delete the root account very easily that way... it'd be very easy to click Select all and then Delete Selected if your hand slipped, they're so close!

Which brings me to another game-ender, which is that the root accounts are unprotected. You could delete the root account, which I didn't do, or you could set the root account not to have privileges, which I did do - and either of these disables your Webmin/Virtualmin control panels!

Fixing a deleted root account is fairly easy: http://www.servaxnet.com/blog/2010/07/10/restoring-accidently-deleted-ro... (on Webmin, you need to finally go back to the sql users page and add a couple of perms not added on that page) - and you can fix root perms that way too, as I did. But it's scary and a lot of people aren't going to be comfortable editing config files and databases live.

I can imagine weird reasons for wanting to change your root accounts - but I also think that if you're smart enough to really have these reasons, you're smart enough to change the root accounts from the command line. So IMHO you should protect the root accounts and make them uneditable - perhaps even unselectable...?

Thanks again for a super-excellent program that has made my life and the lives of a lot of people who depend on my server much happier!

Fri, 08/12/2011 - 11:48
Locutus

I'd hate to see root users being unmodifyable in Webmin... By default, root is only allowed to log in from localhost, which often is the first thing I need to change in a new MySQL installation, if I need to do remote database editing. Making this change on the command line is possible of course, but tiresome and error-prone. :)

I certainly agree about a confirmation request though when deleting multiple users or doing anything with the root users.

Fri, 08/12/2011 - 12:07
TomSwirly

Isn't the correct way to accomplish what you're talking about to create another user where User='root' and Host='%' or Host='yourSpecificHost.com' ?

I'm only talking about protecting root/localhost and root/127.0.0.1 - i.e. the two accounts you get "out of the box" - not other accounts you create later.

In particular, I'll bet that deleting one of those two will cut off your access to Webmin - I haven't tried the experiment to see which one it is, of course. :-D

I think branch-sawing should be forbidden as a hard and fast rule - if you are sitting on the branch!

Fri, 08/12/2011 - 12:28
Locutus

I usually don't add another "root" user entry, but just modify the 127.0.0.1 one to "%".

Why should deleting a MySQL user, even if root, cut off access to Webmin? Webmin operates independently from MySQL.

Actually, as a "safety net", the developers might ponder integrating this "rescue method" with the skip_privilege_tables into Webmin.

For making experiments, I recommend using virtual machines specifically set up for the purpose. Can easily be snapshotted and restored in case of "unforeseen consequences", or reinstalled if nuked too badly.

Fri, 08/12/2011 - 12:37
andreychek

I asked Jamie about adding a confirmation to that particular screen, we'll see if that might be a possibility :-)

-Eric

Fri, 08/12/2011 - 14:28
andreychek

Okay, the next version of Webmin will now prompt for confirmation before deleting database users.

It will still allow you to delete the root MySQL user... that's not something we'd suggest doing, but Webmin will give you enough rope to hang yourself with :-)

So, you can delete the root user, but at least it'll prompt you before doing so :-)

-Eric

Fri, 08/12/2011 - 15:09
Locutus

That's right... You operate Webmin as root (talking about the Linux root now, not MySQL), and as root, you have great power and great responsibility. :) root is not to be patronized.

Also, there are shell commands with which you can do much much more damage (without confirmation request) than deleting a database root user. :)

Fri, 08/12/2011 - 19:14
TomSwirly

The confirm is the most important point, and it is teh greatness that it is in an upcoming version of the OS.

Let's specifically identify what I'm talking about. There are two root users, one with Host=127.0.0.1, and one with Host=localhost. Now, deleting one of these two, I don't know which, will break Webmin and make it impossible for you to unbreak it. Let's call this the "webmin root user" (it might be that you need both of them, in which case it's a pair of users. :-) ).

I'm still not sure you've really made a case for why you should be allowed to delete the webmin-root user from Webmin (and thus break Webmin) - I still can't think of one plausible scenario that would require it, and the command line analogy isn't accurate, because Webmin is at least partly to simplify things for people who might not be comfortable at the command line.

I write a lot of tools, and while I don't think you should make dull tools so you can't cut yourself, I do believe in preventing things that couldn't possible turn out well.

Anyway, this a lot of soup from just one oyster, and the "prompt for confirmation" is the big thing.

Sat, 08/13/2011 - 04:42 (Reply to #8)
Locutus

Let's specifically identify what I'm talking about. There are two root users, one with Host=127.0.0.1, and one with Host=localhost. Now, deleting one of these two, I don't know which, will break Webmin and make it impossible for you to unbreak it.

I still don't get what you're talking about here, sorry. As I pointed out, Webmin does not use MySQL in any way for its internal data, so deleting any MySQL user will have no influence on Webmin's operation and will not be able to "break it".

Of course the Webmin MySQL module itself will stop functioning when it cannot log in to MySQL anymore. But the whole rest of it will be pretty unimpressed by that. Remember, Webmin is self-contained and works just fine without MySQL (or any other hosting services for that matter) installed at all, so it definitely does not depend on it for any of its functionality (obviously aside from the MySQL module itself).

And as we said, a root-operated tool, any root-operated tool, will give you functions to break your system. That's what the root user is for. He's allowed to do everything, but should know what the consequences of his actions are. Just go to the shell and play around with hdparm or mdadm or fdisk or dd. Supply them the "proper" commands, and your whole system is gone, instantly and without any confirmation.

And the analogy with the shell is just fine. Webmin is - very basically - a "graphical frontend" for manipulating config files and carrying out administrative commands in a more comfortable way. It does not take away the responsibility from root to know what he's doing, and it certainly is not meant to "take you by the hand" and teach you what is dangerous, that the cooktop is hot, and what root should do and what they shouldn't.

So, if you don't want Webmin to be able to break your system, create another user for it and limit their access rights. If you login as root, you have root powers.

Conclusion: When the Webmin people add that confirmation request, it will be all okay. root is not to be patronized by denying them any action, even if it breaks the system. Who knows, maybe deleting the MySQL root user is what the operator intends to do, for whatever reason! So who's Webmin to decide what root can do and what they can't do?

Sat, 08/13/2011 - 18:11
TomSwirly

As I pointed out, Webmin does not use MySQL in any way for its internal data, so deleting any MySQL user will have no influence on Webmin's operation and will not be able to "break it".

This claim does not appear to be true.

If you remove privilege from or delete the root accounts, mySQL administration within Webmin fail to work - try it yourself - and you certainly can't undo that operation you just did.

And as we said, a root-operated tool, any root-operated tool, will give you functions to break your system.

Yes, I am very well aware of this.

Who knows, maybe deleting the MySQL root user is what the operator intends to do, for whatever reason!

Well, I was unable to come up with even one vaguely plausible reason for doing so.

root is not to be patronized by denying them any action, even if it breaks the system.

They still have the command line - it's a simple one-liner in SQL, you could even write it into the documentation of that page. Webmin/Virtualmin is powerful, but there are still all sorts of things that it can't do which the command line can.

I permanently have an emacs session open as root on my server (and I wouldn't recommend doing that, but as I said, I'm really careful) so I'm certainly not against power.

At the same time, as an engineer I feel it's important to examine actions that are not reversible, particular when they offer no discernable value and can easily be accomplished in other ways if needed for some unforeseen reason!

Sat, 08/13/2011 - 18:26
Locutus

If you remove privilege from or delete the root accounts, mySQL administration within Webmin fail to work - try it yourself - and you certainly can't undo that operation you just did.

You should read my posts in their entirety. I said that of course the MySQL module will stop working if you delete the root user, since Webmin cannot log in to MySQL anymore then. Which is your own fault if you work as root. The rest of Webmin will stay unaffected.

As for the rest of your post: I guess we can conclude this discussion. You have your opinion, I have mine. If I want to do something that some people might consider implausible, I usually have my reasons for it anyway. Webmin should warn me, so I can verify my command and stop it in case I made a mistake, but if I confirm then carry out my implausible command anyway. I won't be patronized. (And it would also seem that the Webmin developers share that opinion, seeing how they don't restrict root actions.)

By the way, I also have root shells open most of the time. I am careful as well, but I also have good backups. So what the heck.

Sun, 08/14/2011 - 10:21
TomSwirly

Sorry for intruding, have a nice day.

Topic locked