Securing the Database

Forum for questions and support relating to the 1.28.x releases only.
Zmjm15
Posts: 90
Joined: Fri Jul 31, 2015 7:56 pm

Securing the Database

Post by Zmjm15 »

Hi guys,

I was just looking around the zm config files, and just saw in the zm.conf that the sql db details are as follows;

# Username and group that web daemon (httpd/apache) runs as
ZM_WEB_USER=www-data
ZM_WEB_GROUP=www-data

# ZoneMinder database type: so far only mysql is supported
ZM_DB_TYPE=mysql

# ZoneMinder database hostname or ip address
ZM_DB_HOST=localhost

# ZoneMinder database name
ZM_DB_NAME=zm

# ZoneMinder database user
ZM_DB_USER=zmuser

# ZoneMinder database password
ZM_DB_PASS=zmpass

# Host of this machine
ZM_SERVER_HOST=

Is this secure? Can I change this? If so, what else do I need to change? I'm guessing that all ZM installs have these same credentials?

Many thanks
bbunge
Posts: 2930
Joined: Mon Mar 26, 2012 11:40 am
Location: Pennsylvania

Re: Securing the Database

Post by bbunge »

Secure? Sure if your MySQL server access is restricted to localhost for the user zmuser and the rest of your server has not been hacked. I'm sure there is someone who could make short work of getting into just about any server.

I might say don't worry, be happy and get rid of your paranoia. But as Ronnie Reagan said... "trust but verify"...
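
Added example (not part of the post above, and not ZoneMinder code): one way to verify the condition stated in the reply, that the database user in zm.conf can only connect from localhost, and to flag a password left at the value shown in the first post. It assumes the account rows come from the tab-separated output of `SELECT user, host FROM mysql.user;`; the function names and all sample data are constructed for illustration.

```python
# Added example: audit zm.conf text and MySQL account rows for the two
# conditions discussed in this thread. All sample data is constructed.

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
POSTED_PASS = "zmpass"  # ZM_DB_PASS value shown in the first post


def parse_zm_conf(text):
    """Return KEY -> value for KEY=value lines, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(conf_text, user_host_tsv):
    """user_host_tsv: tab-separated rows of SELECT user, host FROM mysql.user;"""
    conf = parse_zm_conf(conf_text)
    findings = []
    if conf.get("ZM_DB_PASS") == POSTED_PASS:
        findings.append("ZM_DB_PASS is still '%s'" % POSTED_PASS)
    db_host = conf.get("ZM_DB_HOST", "")
    if db_host and db_host not in LOCAL_HOSTS:
        findings.append("ZM_DB_HOST is not local: %s" % db_host)
    db_user = conf.get("ZM_DB_USER", "")
    for row in user_host_tsv.splitlines():
        if "\t" not in row:
            continue
        user, host = (field.strip() for field in row.split("\t", 1))
        # A host of '%' or any non-loopback pattern allows remote logins.
        if user == db_user and host not in LOCAL_HOSTS:
            findings.append("%s may connect from host pattern '%s'" % (user, host))
    return findings


SAMPLE_CONF = """\
# ZoneMinder database hostname or ip address
ZM_DB_HOST=localhost
ZM_DB_USER=zmuser
ZM_DB_PASS=zmpass
"""
SAMPLE_ROWS = "root\tlocalhost\nzmuser\tlocalhost\nzmuser\t%\n"  # constructed

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_ROWS):
        print("FINDING:", finding)
```
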
Zmjm15
Posts: 90
Joined: Fri Jul 31, 2015 7:56 pm

Re: Securing the Database

Post by Zmjm15 »

Just checking....

So is the db user access restricted to local user by default?

Also while we're on the subject,

Is there any chance of malicious input being used to hack the database from the login page (cross site scripting etc)?

Many thanks
gipsea
Posts: 4
Joined: Sun Jul 30, 2017 9:06 pm

Re: Securing the Database

Post by gipsea »

Hi there,

Although it is a few years later, I still have a similar issue.

In other words, I have different web applications running on my server, and MySQL has the security option about passwords (I don't remember the exact package name).

Is there any way like this to customize the zm.conf file before installing the package?

The only thing I can come up with is to download the .deb, edit the specific file and then install the updated .deb.

Is it possible?

Is there any way to install using a specific zm.conf file overriding the default one?

Thanks for your help