[MacPorts] howto/MAMP modified

Ryan Schmidt ryandesign at macports.org
Mon Sep 22 12:01:53 PDT 2008 

On Sep 22, 2008, at 7:10 AM, Rainer Müller wrote:

> MacPorts wrote:
>> Changed page "howto/MAMP" by ryandesign at macports.org from  
>> 76.244.68.113*
>> Page URL: <http://trac.macports.org/wiki/howto/MAMP>
>> Diff URL: <http://trac.macports.org/wiki/howto/MAMP? 
>> action=diff&version=19>
>> Revision 19
>> Comment: revert incorrect change to root password setting  
>> instructions
>>
>> -------8<------8<------8<------8<------8<------8<------8<------8<---- 
>> ----
>> Index: howto/MAMP
>> ===================================================================== 
>> ====
>> --- howto/MAMP (version: 18)
>> +++ howto/MAMP (version: 19)
>> @@ -110,9 +110,10 @@
>>  Set the MySQL `root` password (it's currently empty):
>>
>>  {{{
>> -mysqladmin5 -u root password -p
>> -}}}
>> -This will ask for a new password for the MySQL `root` user.
>> +mysqladmin5 -u root -p password <new-password>
>> +}}}
>> +
>> +where `<new-password>` is your new desired root password.
>
> I see the old command failed with:
>   mysqladmin5: Too few arguments to change password
> And if I remember correctly it was me who put it there to make the
> process more secure.

I remember you making the change, but at the time I didn't think  
about it further or try the revised instructions. It's been so long  
since I set up my own MySQL servers that I forgot the specifics.

> Seems like I misunderstood how '-p' works.

The "-p" refers to the current password. For any MySQL command that  
needs a username and password, you can either use "-p<current- 
password>" (no space between "-p" and the current password) to supply  
your current password on the command line, or just use "-p" with no  
password, and you'll be prompted to enter your current password.

But the mysqladmin program still requires you to provide the new  
password on the command line.

> Typing in passwords directly on the shell prompt is not a good idea  
> for
> security reasons. It will get saved in the shell history and is  
> visible
> to all other users on the same machine in the list of running  
> processes.

I tend to agree, however I consulted "man mysqladmin" and I did not  
see any alternative to supplying the new password on the command  
line. It was not listed as an optional parameter.

> And the new command is also not absolutely correct. '-p' tells
> mysqladmin5 to prompt for the old password (which is empty on initial
> installation), so it will easily confuse users as they have to  
> leave the
> "Enter your password" prompt empty.

In what way is the command not correct now? I tested it and it works.  
If I type:

mysqladmin5 -u root -p password foo

then mysqladmin will prompt me for the current root password, and  
then set the root password to "foo".

I added a clarifying sentence:

http://trac.macports.org/wiki/howto/MAMP?action=diff&version=20

> Maybe it would be better to advice something like this (taken from  
> [1]):
>
> Terminal 1:
> $ mysqld_safe5 --skip-grant-tables
>
> Terminal 2:
> $ mysql5
> mysql> UPDATE mysql.user SET Password=PASSWORD('foo') WHERE  
> User='root';
> mysql> FLUSH PRIVILEGES;
>
> Although this way the password still ends up in .mysql_history, but at
> least it is not exposed to everyone.
>
> I think the first method described in [1] using an init-file is most
> secure, but is a bit complicated. The official install instructions  
> [2]
> also use something like this method.
>
> Or we decide that the current instructions are safe enough for home
> users (which mostly only have one user on their system), but add a  
> note
> about security and that it should not be used on multi-user systems,
> including  a link to [2].
>
> Rainer
>
> [1]
> http://dev.mysql.com/doc/refman/5.0/en/resetting- 
> permissions.html#resetting-permissions-unix
> [2] http://dev.mysql.com/doc/refman/5.0/en/default-privileges.html

It would probably be fine to leave the current instructions, but add  
a note about why it is insecure, and add a reference to the MySQL  
documentation for those who need more security.

IMHO the MySQL distribution provides the mysqladmin program to do  
this, so it's reasonable to tell the user to use that.

More information about the macports-dev mailing list