Database creation in the installer
  • Daniel James
    Posts: 844 (Member, Sourcefabric Team)

    Hi Campsite devs,

    Just to clarify for the manual... when I supply a non-root mysql
    username and password to the Campsite installer, a user which has not
    already been set up on the system, the installer cannot create a
    database for a new installation.

    So the human user has to create the non-root mysql user, password and
    initial database manually - have I got that right? Or will creating the
    non-root user and password manually in advance suffice?

    Cheers!

    Daniel
  • Andrey Podshivalov
    Posts: 1,526 (Member, Administrator, Sourcefabric Team)
    hi Daniel,

    right, for a non-root user Campsite also requires a database to be created for that user (in case the non-root user does not have database create permission)
  • Daniel James
    Posts: 844 (Member, Sourcefabric Team)

    Hi Andrey,

    > right, for non-root user the Campsite requires also created database for
    > that user (in case non-root user has not database create permission)

    As the Campsite installer recommends not using the mysql root account
    for routinely connecting to the new database, I will adjust the
    documentation so that users already set up the database before
    attempting to run the installer.

    Cheers!

    Daniel
  • Paul Baranowski
    Posts: 389 (Member, Administrator, Sourcefabric Team)
    On Wed, Jan 12, 2011 at 7:27 AM, Daniel James <
    campsite-dev@lists.sourcefabric.org> wrote:

    >
    >
    > > right, for non-root user the Campsite requires also created database for
    > > that user (in case non-root user has not database create permission)
    >
    > As the Campsite installer recommends not using the mysql root account
    > for routinely connecting to the new database, I will adjust the
    > documentation so that users already set up the database before
    > attempting to run the installer.
    >

    That seems a bit cumbersome to me. I would give instructions for "the easy
    way" and "the high security way". For some in the tech community, security
    is placed at a premium, for others, ease of use is placed at a premium.

    Or you could call it "setting up a test site" versus "setting up a
    production site". ("If you are setting up your production site, you should
    create a database now like this...")

    - Paul

  • Micz Flor
    Posts: 184 (Administrator)

    On Thu, 2011-01-13 at 15:05 +0100, Paul Baranowski wrote:
    > Or you could call it "setting up a test site" versus "setting up a
    > production site". ("If you are setting up your production site, you
    > should create a database now like this...")

    that's a good way of putting it. i endorse this idea.

    --
    Micz Flor
    Head of Communication, Sourcefabric

  • Daniel James
    Posts: 844 (Member, Sourcefabric Team)

    Hi Paul,

    >> As the Campsite installer recommends not using the mysql root account
    >> for routinely connecting to the new database, I will adjust the
    >> documentation so that users already set up the database before
    >> attempting to run the installer.
    >
    > That seems a bit cumbersome to me. I would give instructions for "the easy
    > way" and "the high security way". For some in the tech community, security
    > is placed at a premium, for others, ease of use is placed at a premium.

    I think we should be aiming for both high security and ease of use.
    Users follow the manual, so if we give them instructions for insecure
    installation, there will be lots of insecure installations out there -
    which will reflect badly on Sourcefabric if a simple exploit is published.

    Like those Drupal sites with the files/ directory chmod 777 because the
    user has only FTP access to the server, and can't log in to do a chown
    www-data on that directory. You might as well put a banner up saying
    'Free hosting for malware and illegal content.'

    The way the Campsite installer is currently set up, if you enter any
    database user name other than root (which is what the installer tells
    you to do) and that user does not exist or is not set up with database
    create permissions, the install will fail.

    So users might as well get used to the idea of creating and granting
    privileges to MySQL user accounts for specific databases, unless their
    ISP has already set up a MySQL user for them. On cheaper hosting you
    don't get MySQL root access anyway. You have to set up one of a limited
    number of databases in some control panel.

    For ultimate ease of use, users should be using the .deb package to
    install, which should set up the database for them in a secure way.
    Alessio recommends using dbconfig-common for this:

    http://people.debian.org/~seanius/policy/dbconfig-common-using.html/

    > Or you could call it "setting up a test site" versus "setting up a
    > production site". ("If you are setting up your production site, you should
    > create a database now like this...")

    That's poor practice, because the test site is likely to be on a web-facing
    server. Also, test sites have a tendency to become production sites if
    they work OK. If people really can't be bothered to set up their server
    in a secure way, they should use the demo servers instead of attempting
    a DIY install.

    Cheers!

    Daniel
  • Paul Baranowski
    Posts: 389 (Member, Administrator, Sourcefabric Team)
    On Fri, Jan 14, 2011 at 5:55 AM, Daniel James <
    newscoop-dev@lists.sourcefabric.org> wrote:

    >
    > I think we should be aiming for both high security and ease of use.
    > Users follow the manual, so if we give them instructions for insecure
    > installation, there will be lots of insecure installations out there -
    > which will reflect badly on Sourcefabric if a simple exploit is published.
    >


    I didn't suggest we give instructions for insecure installation on production
    servers. I made a suggestion to give instructions to make it as easy as
    possible to install a demo site to test out.

    Most of the time people will be installing a demo site on their personal
    Linux machines. You don't need to force someone to have high security when
    installing on a local machine because there is no chance of it being a
    security issue.

    Having a super-simple set of instructions for the simplest case is a
    feature. Making people do things they don't actually have to do is a bug.

    - Paul
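
The manual step this thread discusses (a database and a non-root MySQL user prepared before the installer runs) can be written as the following SQL. This is an added example, not part of the original thread or the Campsite documentation; the database name `campsite`, the account `campsite_user` and the password are placeholders chosen for illustration.

```sql
-- Added example: names and password are placeholders, not Campsite defaults.
-- Run once as a MySQL administrator, before starting the web installer.

-- 1. Create the empty database the installer will populate, so the
--    application account never needs permission to create databases.
CREATE DATABASE campsite;

-- 2. Create a dedicated account that may only connect from the local host.
CREATE USER 'campsite_user'@'localhost'
    IDENTIFIED BY 'REPLACE_WITH_A_STRONG_PASSWORD';

-- 3. Scope the account's privileges to that one database.
GRANT ALL PRIVILEGES ON campsite.* TO 'campsite_user'@'localhost';

-- Weak alternative, shown for contrast and left commented out: a global
-- grant gives the web application's account the same reach as root, so a
-- flaw in the application exposes every database on the server.
-- GRANT ALL PRIVILEGES ON *.* TO 'campsite_user'@'localhost' WITH GRANT OPTION;

-- 4. Verify the result. The only entry on *.* should be USAGE (no
--    privileges); everything else should name campsite.* explicitly.
SHOW GRANTS FOR 'campsite_user'@'localhost';
```

The account name and password created here are what would then be entered in the installer in place of root.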