Installation fails with remote database via IP

[ait]

Hi,

Until now, I always installed mantis on Ubuntu Precise using mysql running on localhost. Now I have a webserver host and a separate database host and try to install mantis via admin/install.php. TCP connection to mysql from webserver works, remote login as user "root" in mysql-client also, "root" seems to have all required privileges.

When starting the database creation, everything works up to:

"Write Configuration File(s): Updating Configuration File (config_inc.php) GOOD"

but first check of installation fails:

Checking Installation...
Attempting to connect to database as user: POSSIBLE PROBLEM: Database user doesn't have access to the database ( )

STRANGE: There is no reason mentioned for failure in brackets, in contrast to nearly all other reports (try Google search "mantis install Database user doesn't have access to the database").

When looking into the database, privileges seem odd, e.g.

Code: Select all

mysql> SELECT Host,User FROM user;
+---------------------------+------------------+
| Host                      | User             |
+---------------------------+------------------+
| [IP of the dbserver]      | mantis_user      |

If I understand that correctly, this should be wrong: Host should be IP of the client-host allowed to connect (the webserver) instead. So changing that:

Code: Select all

UPDATE user SET Host='%' WHERE User='mantis_user';
FLUSH PRIVILEGES;

But even then, "mantis_user" does not have any privileges:

Code: Select all

SHOW GRANTS FOR 'mantis_user'@'%';
| GRANT USAGE ON *.* TO 'mantis_user'@'%' IDENTIFIED BY PASSWORD '*xxx' |

Although database was created, webinterface access does not work either.

Any ideas?

[atrol]

Did you check that the options in config_inc.php are right?

Code: Select all

	$g_hostname
	$g_db_username
	$g_db_password	
	$g_database_name	

[ait]

config_inc.php is written by mantis during install, values are the same as entered in the web front-end. Database with that name is created at the backend, database user with given password added to server automatically. So everything seems OK apart that the user created automatically in the backend lacks appropriate permissions.

Is "config_inc.php" written at the begin of the database initialization or after initialization was successful so far?

[ait]

Just to avoid confusion: forum member page did not list own contribution (posts == 0) while not approved by moderator. Hence I assumed, that my initial post was lost in submission and I resubmitted a duplicate same thread (little annoyed, that I had to type everything again). I'll add a reference to this topic in the other thread as soon as it becomes visible to avoid duplication of efforts in finding a solution.

[atrol]

I'll add a reference to this topic in the other thread as soon as it becomes visible to avoid duplication of efforts in finding a solution.

Not necessary, I deleted the other one

[atrol]

So everything seems OK apart that the user created automatically in the backend lacks appropriate permissions.

Maybe I get something wrong. MantisBT does not generate any user automatically in the backend.

[ait]

Thanks for that hint, I diffed the code from mantisbt vs. that delivered by Ubuntu and looking for user creation statements.

The difference seems to be, that Ubuntu has added the user creation to the installation procedure, most likely to simplify the setup procedure, but the code is definitely wrong: instead of f_hostname something like the result of a hypothetical "SELECT remote_host from mysql.current_query" should be used.

Code: Select all

                        switch ($f_db_type) {
                                case 'mysql' :
                                case 'mysqli' :
                                        //grant privileges
                                        $t_query_grant ="GRANT ALL ON `".$f_database_name."`.* TO `".$f_db_username."`@`".$f_hostname."` IDENTIFIED BY  '".$f_db_password."' ";

Security implications are only mild since only unexpected access from dbhost itself to mantis-db (still with password) is granted instead of the correct grant.

[atrol]

Does this mean that your installation runs fine after you manually created the user?

[ait]

I did not create the user, I brute-fixed the install.php before invoking it just by replacing invalid "$f_hostname" in GRANT statement with the IP of the webserver:

Code: Select all

                       switch ($f_db_type) {
                                case 'mysql' :
                                case 'mysqli' :
                                        //grant privileges
                                        $t_query_grant ="GRANT ALL ON `".$f_database_name."`.* TO `".$f_db_username."`@`nnn.nnn.nnn.nnn` IDENTIFIED BY  '".$f_db_password."' ";

Then the modified install.php from Ubuntu works fine also with DB on remote host and strict mysql security settings.

I've created a bug-report via launchpad regarding the creation of the user with wrong permissions, see https://bugs.launchpad.net/ubuntu/+sour ... ug/1222713

I'm somehow surprised, that package maintainers did not just packaging of mantisbt code but modified some integral part like db-account creation and got it even wrong.

[atrol]

I've created a bug-report via launchpad regarding the creation of the user with wrong permissions, see https://bugs.launchpad.net/ubuntu/+sour ... ug/1222713

I am not able to access the report, I get

Lost something?
This page does not exist, or you may not have permission to see it.

[ait]

Sorry, I missed the notification of your post.

Since bug allowed login from unexpected source, it was tagged security and hence not visible to public.

In mean time issue is expired, thus not protected any more.