vicinas host in the mysql.user table?
Posted: Fri Jun 04, 2021 6:55 pm
I have checked on three different systems that I do some support work for - and all three, which are running different versions of VICIdial, different SVN numbers and installed from different ISO's have two blank users with no passwords in the mysql.user table (plus similar entries in the mysql.db table) - one has "vicinas" in the host column, and the other has "localhost". I Googled "vicinas" - and found nothing "VICIdial" related in the search results - at least not within the first few search result pages.
Not sure how important this is, but...
System 1 Info:
MySQL (MariaDB) version(): 10.2.18-MariaDB-log
ViciBox: v.8.1.2 181002
Vicidial Version 2.14-721a Build 191015-1620
SVN: 3149 / DB Schema 1577
System 2 Info:
MySQL version: 10.2.17-MariaDB-log
ViciBox: v.8.1.0 180922
Vicidial Version: 2.14-721a BUILD: 191015-1620
SVN: 2973 / DB Schema 1542
System 3:
MySQL: 10.1.6-MariaDB-log
ViciBox: v.7.0.2-160325
Vicidial Version: 2.14-704a BUILD: 190312-0928
SVN: 3076 / DB Schema 1566
Anyway - I read that the blank users are there to give full access to the "test" databases (which the mysql.db table seems to confirm), they're not necessary, and that some (non-vici, MariaDB reliant) system installs actually remove them during their install routine.
So - I guess I am just curious if there is any reason to leave them there - or - if there is anything I missed in the documentation / best practices wise that would have avoided their creation in the first place - or that say I should be removing them manually before putting my system into production? Do they pose any security threat to the system or other databases in general (other than potentially allowing someone malicious access to the test database, if they also had access to my public IP address, where they could quickly use up all of my available disk space with looping INSERTs using a SELECT from the table they're inserting into, or some other such "playful" dark deed)??
I (most likely) would have just removed them without asking - had it not been for the "vici" in "vicinas" - but that made me think it could be on purpose - even if it (thankfully) doesn't appear to allow access to the asterisk DB.
Thanks for any feedback...appreciate it!
David
Not sure how important this is, but...
System 1 Info:
MySQL (MariaDB) version(): 10.2.18-MariaDB-log
ViciBox: v.8.1.2 181002
Vicidial Version 2.14-721a Build 191015-1620
SVN: 3149 / DB Schema 1577
System 2 Info:
MySQL version: 10.2.17-MariaDB-log
ViciBox: v.8.1.0 180922
Vicidial Version: 2.14-721a BUILD: 191015-1620
SVN: 2973 / DB Schema 1542
System 3:
MySQL: 10.1.6-MariaDB-log
ViciBox: v.7.0.2-160325
Vicidial Version: 2.14-704a BUILD: 190312-0928
SVN: 3076 / DB Schema 1566
Anyway - I read that the blank users are there to give full access to the "test" databases (which the mysql.db table seems to confirm), they're not necessary, and that some (non-vici, MariaDB reliant) system installs actually remove them during their install routine.
So - I guess I am just curious if there is any reason to leave them there - or - if there is anything I missed in the documentation / best practices wise that would have avoided their creation in the first place - or that say I should be removing them manually before putting my system into production? Do they pose any security threat to the system or other databases in general (other than potentially allowing someone malicious access to the test database, if they also had access to my public IP address, where they could quickly use up all of my available disk space with looping INSERTs using a SELECT from the table they're inserting into, or some other such "playful" dark deed)??
I (most likely) would have just removed them without asking - had it not been for the "vici" in "vicinas" - but that made me think it could be on purpose - even if it (thankfully) doesn't appear to allow access to the asterisk DB.
Thanks for any feedback...appreciate it!
David