View Issue Details
Field | Value |
---|---|
ID | 0018051 |
Project | mantisbt |
Category | documentation |
View Status | public |
Date Submitted | 2015-01-22 04:34 |
Last Update | 2015-03-15 19:58 |
Reporter | foXen |
Assigned To | dregad |
Priority | normal |
Severity | minor |
Reproducibility | have not tried |
Status | closed |
Resolution | fixed |
Product Version | 1.3.0-beta.1 |
Target Version | 1.3.0-beta.2 |
Fixed in Version | 1.3.0-beta.2 |
Summary | 0018051: config_inc.php.sample should reflect the defaults (db_username and db_type) |
Description | Current config_inc.php.sample states while I think it should be: |
Tags | No tags attached. |
This is somewhat academical, because I believe most users would simply use the config_inc.php file generated by the installer (or copy/paste its contents).
I disagree. This is supposed to be an example, and I don't think it's good, from a security best practices point of view, to indirectly promote the use of default DB accounts, especially one with high privileges such as root in MySQL, for web applications. In fact, taking this one step further, we should probably consider changing this in config_defaults_inc.php.
This one makes sense, will change.

Acknowledge. :) Change this in config_defaults_inc.php to 'mantisdbuser' and your absolutely right concern on security as well as my initial intent are met. My 'solution' just took into account that current install proposes 'root' if no config-file is given.
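An added example, not part of the original thread and not MantisBT's own code: a small Python check that flags a config_inc.php-style file whose database account is a default high-privilege one such as root, the practice the comments above argue against. The `$g_`-prefixed option names, the account list, the fallback value and both sample files are assumptions constructed for this illustration.

```python
import re

# Constructed list of accounts that carry administrative rights by default.
HIGH_PRIV_DEFAULTS = {"root", "sa", "postgres", "admin", "system"}

# Matches simple string assignments such as:  $g_db_username = 'root';
ASSIGN_RE = re.compile(
    r"""^[ \t]*\$g_(?P<key>\w+)\s*=\s*(?P<q>['"])(?P<val>.*?)(?P=q)\s*;""",
    re.MULTILINE,
)

def parse_config(src):
    """Return {option: value}, ignoring commented-out assignments."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.DOTALL)
    src = re.sub(r"^[ \t]*(#|//).*$", "", src, flags=re.MULTILINE)
    return {m["key"]: m["val"] for m in ASSIGN_RE.finditer(src)}

def audit_db_account(src, fallback_user="root"):
    """List findings about the DB account a MantisBT-style config selects.

    fallback_user is an assumption: the account that applies when the file
    does not set db_username ('root' according to the thread above).
    """
    cfg = parse_config(src)
    findings = []
    user = cfg.get("db_username")
    if user is None:
        user = fallback_user
        findings.append(f"db_username not set, falls back to {user!r}")
    if user.lower() in HIGH_PRIV_DEFAULTS:
        findings.append(f"db_username {user!r} is a default high-privilege account")
    if not cfg.get("db_password"):
        findings.append("db_password is empty or not set")
    return findings

# Constructed sample files, not the project's actual sample config.
SAMPLE_WEAK = """<?php
$g_hostname      = 'localhost';
$g_database_name = 'bugtracker';
$g_db_username   = 'root';
$g_db_password   = '';
"""
SAMPLE_OK = """<?php
# $g_db_username = 'root';
$g_db_username   = 'mantisdbuser';
$g_db_password   = 'constructed-example-secret';
"""

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK)):
        print(name, audit_db_account(text))
```

A file that omits db_username entirely is reported as well, since the fallback account then applies.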