Securing the Database

[Zmjm15]

Hi guys,

I was just looking around the zm config files, and just saw in the zm.conf that the sql db details are as follows;

# Username and group that web daemon (httpd/apache) runs as
ZM_WEB_USER=www-data
ZM_WEB_GROUP=www-data

# ZoneMinder database type: so far only mysql is supported
ZM_DB_TYPE=mysql

# ZoneMinder database hostname or ip address
ZM_DB_HOST=localhost

# ZoneMinder database name
ZM_DB_NAME=zm

# ZoneMinder database user
ZM_DB_USER=zmuser

# ZoneMinder database password
ZM_DB_PASS=zmpass

# Host of this machine
ZM_SERVER_HOST=

Is this secure, can i change this? If so what else do i need to change? As im guessing that all ZM installs have these same credentials?

Many thanks

[bbunge]

Secure? Sure if your MySQL server access is restricted to localhost for the user zmuser and the rest of your server has not been hacked. I'm sure there is someone who could make short work of getting into just about any server.

I might say don't worry, be happy and get rid of your paranoia.. But as Ronny Regan said..."trust but verify"...

[Zmjm15]

Just checking....

So is the db user access restricted to local user by default?

Also while we're on the subject,

Is there any chance of malicious input being used to hack the database from the login page (cross site scripting etc)?

Many thanks

[gipsea]

Hi there,

although few years after I still have a similar issue.

In other terms I've different web applications running on my server and MYSQL has the securyty option about password (don't remember the exact package name)

Is there any way like this to customize the zm.conf file before install the package?

The only think I can come up with is to download the .deb, edit the specific file and than install the updated .deb.

It is possible?

Is there any way to install using a specific zm.conf file overriding the default one?

Thanks for your help