[Discussion] Issues in the script



  • Hi
    I'm new in this project (coming from the easy-wi panel)
    I've installed the panel, but having some issues...
    The installing script is a bit bugged...
    I've installed the panel and I immediatly gos some issues...
    The first problem is that the nginx config is not replaced, but that's not so harmful
    The second one it is...
    The script problaly hash the MySQL password (I didn't gave it a look), so every thing is fucked because the password is not checked, so it fucks some things...
    My idea is easy:
    You make install php5, so, to check the password you run a easy php scrpt that check if the connection can be estabilished :D
    (Sorry for my bad English but I'm from my phone)
    (If I'll have time I'll add the check )



  • You gave 0 information as to anything being wrong, and even going so far as to making assumptions about how things work without looking....

    The scripts does no hashing on the MySQL password, because we need to use it. We also generated that account, so if your DB is kicking it back right when it is made, you have a problem that is totally outside of our process.

    Instead of trying to fix something, explain your problem, because so far, you have shown that you do not know what is happening, and are trying to solve something that is completely unrelated.



  • @LordRalex yeah ,excuse me, but, as I wrote, I was on the phone in the car while I wrote this...
    Tomorrow I'll try to be more detailed



  • @LordRalex Okay,
    Now I finally reached my PC and now I can explain better (at least I hope...)
    So...
    I've decided to try this panel, so I've downloaded the script and run it following the steps in the website.
    From PHPMyAdmin I created an account and gave to it all the permission on a DB with the same name.
    I run the script filling the fields and, at the end it said that there were an error writing the nginx config, so I've looked at the one found in the website and making the nginx config.
    The site started working (not giving anymore 403 or 404 various errors) but it was always giving a 500 error custom page, so, I tryed deleting all the DB, the folder and everything, making a clean installation, same result, so I started looking at the files.
    The first file I looked at was the "config.json" and I saw that the MySQL password was complitely different from the one I've pasted, but, without touching anything I continued to browsing the folder, finding the logs folder.
    So I read the "error.log" that was giving an error connecting to the MySQL DB, so, I make a backup of the "config.json" file and edited manally the password, refreshed the page and a new error appeared:

    [2016-08-31 15-34-18] PHP Notice: Undefined property: stdClass::$default_language in /srv/pufferpanel/src/core/language.php:43  @  http://mywebsite/logs/exception--2016-08-31--15-30--84762ac07f.html
    

    So I downloaded the "exception--2016-08-31--15-30--84762ac07f.html" file and saw that a var was not declared.
    I started watching the code on github and saw that there was a query that was not done, I'm referring to this one:

    mysql -h ${mysqlHost} -P ${mysqlPort} -D ${mysqlDb} -u ${mysqlUser} --password="${mysqlPass}" -e "
    

    I checked the DB and the row wasn't existing, so I've replaced the vars with my data and run the query.
    The site started working but the user was wrong every time, so I looked at the users table and it was empty too, so I've watched again the script and found these lines:

    password=$(php -r "echo password_hash('"${password}"', PASSWORD_BCRYPT);");
    

    So I hashed my password:

    php -r "echo password_hash('"my_v3ry_s3cret_p4ssw0rd"', PASSWORD_BCRYPT);"
    

    and run the query replacing the data, and the panel started working

    (Sorry about the bad english and the late D: )
    P.S. I've uploaded the second error and you can find it here.



  • There is your problem.

    All of your issues (except for the nginx one) resulted because you tried to handle a step the installer does.

    We create the Pufferpanel database AND the user for it. You should not be touching that, and probably broke the installer because of it.

    http://www.pufferpanel.com/docs/getting-started
    There is no mention anywhere that you create the user, and the script.

    Let the installer do it's job and create the user.



  • hooh, so I should gave to the script the root privileges?
    Because it could be unsafe if someone would read the config file :/
    (And anyway it could be explicited written)



  • When you enter the MySQL credentials, we use those to create our own account, which is allowed ONLY access on localhost, the docker interface IPs (172.17.42.%) and the IP that the script used to connect to the database.

    Said use also ONLY has the following rights:
    GRANT SELECT, UPDATE, DELETE, ALTER, INSERT ON pufferpanel.*

    If someone does read the config, there is only so much they could actually do. There is no simple way to "protect" that password without having it easily "resolved" (hashing won't solve it, because then MySQL will reject it..., encryption just makes it not easy to read, but will stop absolutely no one, which is why it's a large randomly generated string).

    Even within the script, once the new user and the database are made, we switch to the regular user we just made for additional processing.

    The script uses root to create what it needs. It does not save those credentials anywhere.

    That should have been clear when you were reading the code really. I would prefer that you explain your problem and we give you the reason why, than you trying to define a problem (which did not exist to start with), and trying to declare some fix that is not related....



  • Okay, so it's not a bug (I've corrected the title) and I'm sorry but i dodn't still read the script...
    Anyway I think that the root user shouldn't be used, at least for me, so, it could be possible to make a if where if the user is != from root || admin so the script could intend that the user is specifically made for the panel only...
    It's just an idea...
    Or anyway write to inserit the root credentials or the credential of a user that could create another user and a DB...
    I'm sorry (again) for the trouble



  • I can try to clarify it, but the most text that we display, the less likely people read it.

    Right now, it gives this warning: Enter the MySQL username (MUST HAVE GRANT) [root]:

    We default to root if you don't provide a username, and explicitly say that user needs grant. Without writing huge amounts of text that will get ignored even more, a check to see if it's root is not exactly accurate, because even a root@1.2.3.4 may not have the same permissions as root@localhost.



  • Maybe add a waring notify in red writing that the root accound should be used...



  • You could do

    sudo -s
    

    And you would run it in root without accessing the physical root account.



  • @falceso We are talking about MySQL


Log in to reply
 

Looks like your connection to PufferPanel Community was lost, please wait while we try to reconnect.