Re: [Koha-devel] Bug 8641
At 06:48 PM 1/22/2013 -0500, Jared Camins-Esakov wrote:
Paul, This bug was signed off a few weeks ago, and is designed to produce a "warning" in the "About" page covering staff use of Koha (not sure if this covers all flag settings down from superlibrarian or if it applies to 3.8. as well as 3.10?) logging in as either "root", "admin (mysql) account" or "database administrative user." I seem to remember (but could be wrong) that after a new 3.8 install, Koha created a "new user", number 0, which was problematic and as far as I can tell exhibited the signs that the warning covers (I have tried to read all details in bugs 8641, 8262 and 9008 plus some references to IRC.) You are. User "0" is the database administrative user. Do not use it for anything other than initial installation and upgrades. Ever.
Thanks Jared. I'm glad that my memory didn't fail me :) and that I never use it. But I'm still interested in the "warning" - particularly as you mention that it should be used for upgrades. As far as I can see (using getent passwd | cut -d : -f 1 | xargs groups) there is no problem with *system* security. Also, User "0" does not appear in the MySql 'borrowers' table. So why is it possible to log in with the "warned against" credentials? How should it be used during upgrades? It also is possible to create a superlibrarian with User "koha" credentials; limited testing in my sandbox has not [yet!] shown any side effects, except that User "0" can no longer log in (demonstrated by the fact that "Library" is set.) Best - Paul
Paul, As far as I can see (using getent passwd | cut -d : -f 1 | xargs groups)
there is no problem with *system* security. Also, User "0" does not appear in the MySql 'borrowers' table. So why is it possible to log in with the "warned against" credentials? How should it be used during upgrades?
Only the MySQL user (= user 0 ="Koha superuser") can run the webinstaller, if you did not run the upgrade script from the command line (packages take care of it for you, which is one of the reasons why we recommend them). You also must use the database user when an empty database is first created because there is no other superlibrarian user which can be used for administration until after you've created one using your database login. It also is possible to create a superlibrarian with User "koha"
credentials; limited testing in my sandbox has not [yet!] shown any side effects, except that User "0" can no longer log in (demonstrated by the fact that "Library" is set.)
Right. The problem with doing that is that if you need to access the web installer, or inadvertently delete all your superlibrarians, you can no longer access Koha using the database credentials, and are therefore stuck. Regards, Jared -- Jared Camins-Esakov Bibliographer, C & P Bibliography Services, LLC (phone) +1 (917) 727-3445 (e-mail) jcamins@cpbibliography.com (web) http://www.cpbibliography.com/
Archives and Collections Society schreef op wo 23-01-2013 om 10:57 [-0500]:
As far as I can see (using getent passwd | cut -d : -f 1 | xargs groups)
It's worth noting that there is absolutely, completely no relationship between UNIX system users and Koha or MySQL users. Never the twain shall meet. When you log in with your database username and database password (i.e., the same thing you would use if you typed "mysql -u username -ppassword koha") then you are user 0. However, as user 0 doesn't have an entry in the borrowers database, anything that tries to look you up, or otherwise reference your record will get terribly confused. For our client Koha systems, I only ever user that user for doing quick and dirty things, changing some admin settings, looking at the state of something, creating initial borrowers. Anything more complex than that is likely to have conniptions. -- Robin Sheat Catalyst IT Ltd. ✆ +64 4 803 2204 GPG: 5957 6D23 8B16 EFAB FEF8 7175 14D3 6485 A99C EB6D
At 10:48 AM 1/24/2013 +1300, Robin Sheat wrote:
As far as I can see (using getent passwd | cut -d : -f 1 | xargs groups) It's worth noting that there is absolutely, completely no relationship between UNIX system users and Koha or MySQL users. Never the twain shall meet. When you log in with your database username and database password (i.e.,
Archives and Collections Society schreef op wo 23-01-2013 om 10:57 [-0500]: the same thing you would use if you typed "mysql -u username -ppassword koha") then you are user 0. However, as user 0 doesn't have an entry in the borrowers database, anything that tries to look you up, or otherwise reference your record will get terribly confused. For our client Koha systems, I only ever user that user for doing quick and dirty things, changing some admin settings, looking at the state of something, creating initial borrowers. Anything more complex than that is likely to have conniptions.
Many thanks Robin -- that was what I had assumed, but confirmation is always good to have. In fact, I have only ever used it to create the very first "superlibrarian" [1] on a new install. May I make a suggestion regarding the sign-off to this bug? (It seemed a bit complex vis-a-vis translations, so I don't want to upset any apple carts.) It might be a good idea to add a para to the INSTALL files (general, Debian, Ubuntu, whatever) to alert people before they get the opportunity to click on "About Koha." I've had a quick look at various 3.8 and 3.10 .tar files and don't find anything. [1] Re: 'borrower' permissions. What's the difference between flag "1" (plain superlibrarian) and flag '261887' (super librarian with all boxes checked)? Is it necessary to check the boxes? Again tnx and br, Paul
That message shows up on the home page every time you log in with user 0. It's in a giant yellow box. See: http://imgur.com/kG8xunF Hope that helps, Liz Rea On 24/01/13 11:26, Paul wrote:
At 10:48 AM 1/24/2013 +1300, Robin Sheat wrote:
As far as I can see (using getent passwd | cut -d : -f 1 | xargs groups) It's worth noting that there is absolutely, completely no relationship between UNIX system users and Koha or MySQL users. Never the twain shall meet. When you log in with your database username and database password (i.e.,
Archives and Collections Society schreef op wo 23-01-2013 om 10:57 [-0500]: the same thing you would use if you typed "mysql -u username -ppassword koha") then you are user 0. However, as user 0 doesn't have an entry in the borrowers database, anything that tries to look you up, or otherwise reference your record will get terribly confused. For our client Koha systems, I only ever user that user for doing quick and dirty things, changing some admin settings, looking at the state of something, creating initial borrowers. Anything more complex than that is likely to have conniptions.
Many thanks Robin -- that was what I had assumed, but confirmation is always good to have. In fact, I have only ever used it to create the very first "superlibrarian" [1] on a new install.
May I make a suggestion regarding the sign-off to this bug? (It seemed a bit complex vis-a-vis translations, so I don't want to upset any apple carts.) It might be a good idea to add a para to the INSTALL files (general, Debian, Ubuntu, whatever) to alert people before they get the opportunity to click on "About Koha." I've had a quick look at various 3.8 and 3.10 .tar files and don't find anything.
[1] Re: 'borrower' permissions. What's the difference between flag "1" (plain superlibrarian) and flag '261887' (super librarian with all boxes checked)? Is it necessary to check the boxes?
Again tnx and br, Paul _______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
There is also a bug, 9439, that is pending sign off that would rectify the exact situation you are describing. Essentially, there is no difference between them, and the patch for 9439 just enforces that. Liz Rea On 24/01/13 11:26, Paul wrote:
At 10:48 AM 1/24/2013 +1300, Robin Sheat wrote:
As far as I can see (using getent passwd | cut -d : -f 1 | xargs groups) It's worth noting that there is absolutely, completely no relationship between UNIX system users and Koha or MySQL users. Never the twain shall meet. When you log in with your database username and database password (i.e.,
Archives and Collections Society schreef op wo 23-01-2013 om 10:57 [-0500]: the same thing you would use if you typed "mysql -u username -ppassword koha") then you are user 0. However, as user 0 doesn't have an entry in the borrowers database, anything that tries to look you up, or otherwise reference your record will get terribly confused. For our client Koha systems, I only ever user that user for doing quick and dirty things, changing some admin settings, looking at the state of something, creating initial borrowers. Anything more complex than that is likely to have conniptions.
Many thanks Robin -- that was what I had assumed, but confirmation is always good to have. In fact, I have only ever used it to create the very first "superlibrarian" [1] on a new install.
May I make a suggestion regarding the sign-off to this bug? (It seemed a bit complex vis-a-vis translations, so I don't want to upset any apple carts.) It might be a good idea to add a para to the INSTALL files (general, Debian, Ubuntu, whatever) to alert people before they get the opportunity to click on "About Koha." I've had a quick look at various 3.8 and 3.10 .tar files and don't find anything.
[1] Re: 'borrower' permissions. What's the difference between flag "1" (plain superlibrarian) and flag '261887' (super librarian with all boxes checked)? Is it necessary to check the boxes?
Again tnx and br, Paul _______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
participants (5)
-
Archives and Collections Society -
Jared Camins-Esakov -
Liz Rea -
Paul -
Robin Sheat