Web Installer Defaulting to "root" with No Password - Fresh Install

Did you find a bug in Joomla! 3.x but aren't sure? This forum is the place to help figure out if the problem is a bug and how to report it. If you are an experienced Joomla! user and are certain that you have found a bug please use the Bug Tracker to submit your issue.
This forum is for discussion about bugs and to get help with reporting them to the Bug Tracker: https://issues.joomla.org

TomRivers
Joomla! Apprentice
Posts: 22
Joined: Mon Aug 29, 2016 6:56 pm

Web Installer Defaulting to "root" with No Password - Fresh Install

Post by TomRivers » Mon Aug 29, 2016 7:39 pm

While I have successfully implemented a variety of other CMS packages over the years, this is my first attempt at using Joomla so I apologize if I have missed something simple. I have attempted to find the answer to this question both here, in the documentation, in the FAQs, and through repeated web searches to no avail. After reading the INSTALL file in the installation directory I know I can manually configure the package as a workaround but I like the idea of using the preconfigured procedure considering I am still new to this CMS.

I am installing this on a Fedora 24 Linux server I own that is co-located in a local hosting facility and I routinely access via SSH. The files from the distribution archive named Joomla_3.6.2-Stable-Full_Package.zip have been successfully unpacked and the web installer fires up as expected. My database is running properly and I have created a new Joomla user with a password and all the appropriate permissions as per the installation instructions. I have been able to successfully access the database with this user, create tables, insert values, and drop them from the command line.

What appears to be the problem is the installer is attempting to access the database instance as the root user without a password when I click Next from Step 1. I suspect this because I looked in the database logs and found a line like the one below with the same timestamp in my Apache logs each time the installation/index.php file is accessed from my browser:

[Warning] Access denied for user 'root'@'localhost' (using password: NO)

I have attempted to access the "Step 2 - Database" tab from the web installer main page but that goes nowhere. Basically, it appears that the installation routine is asking me to provide information that it wants to store in the database prior to requesting the credentials required to do just that.

Can someone please tell me why this is happening because at first glance it appears that the proverbial cart has been put before the horse. Also, if the answer to this question can be found somewhere else, I want to both apologize for the noise and humbly ask for a link so I can be sure to look in the appropriate place next time.

Thanks!

dhuelsmann
Joomla! Master
Posts: 19659
Joined: Sun Oct 02, 2005 12:50 am
Location: Omaha, NE

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by dhuelsmann » Mon Aug 29, 2016 8:06 pm

Increase max_execution_time to 300 seconds and memory_limit to 256M.
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org

TomRivers
Joomla! Apprentice
Posts: 22
Joined: Mon Aug 29, 2016 6:56 pm

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by TomRivers » Mon Aug 29, 2016 8:21 pm

dhuelsmann wrote: Increase max_execution_time to 300 seconds and memory_limit to 256M.
I made those changes, restarted apache, verified the settings using phpinfo(), and tried again - same result.

Are you suggesting that the security warning message indicating access was denied due to invalid user credentials is a false error? I am able to access the database using other valid user credentials from other web pages and other programs, some PHP, some Perl, that I have running on the same server. The thought that somehow an out-of-the-box installation program would be so picky seems odd to me.

dhuelsmann
Joomla! Master
Posts: 19659
Joined: Sun Oct 02, 2005 12:50 am
Location: Omaha, NE

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by dhuelsmann » Mon Aug 29, 2016 8:38 pm

Is your MYSQL database on the same server as your Joomla Web Installer?
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org

TomRivers
Joomla! Apprentice
Posts: 22
Joined: Mon Aug 29, 2016 6:56 pm

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by TomRivers » Mon Aug 29, 2016 8:50 pm

dhuelsmann wrote: Is your MYSQL database on the same server as your Joomla Web Installer?
Yes it is. For the record, I am a software developer and have database design and administration experience. ;)

dhuelsmann
Joomla! Master
Posts: 19659
Joined: Sun Oct 02, 2005 12:50 am
Location: Omaha, NE

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by dhuelsmann » Mon Aug 29, 2016 9:10 pm

Good experience then. I have installed Joomla numerous times without encountering the problem you are experiencing. Hopefully you downloaded the install package from this site?
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org

TomRivers
Joomla! Apprentice
Posts: 22
Joined: Mon Aug 29, 2016 6:56 pm

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by TomRivers » Mon Aug 29, 2016 10:41 pm

dhuelsmann wrote: Hopefully you downloaded the install package from this site?
Precisely.

TomRivers
Joomla! Apprentice
Posts: 22
Joined: Mon Aug 29, 2016 6:56 pm

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by TomRivers » Mon Aug 29, 2016 11:03 pm

As far as I can tell, the failure is due to the installer trying to mess with my local database instance prior to asking for credentials that are valid. I could start tearing apart the code and trying to find out precisely where the installation process is executing the command to connect to the database, but that would be a non-trivial task.

Can you or anyone else explain to me why it makes logical sense for the installer to take that approach? Here are the log entries every time I click Next from Step 1 (edited to eliminate identifying data):

Apache Log
===================
XXX.XXX.XXX.XXX - - [29/Aug/2016:18:48:29 -0400] "POST /xxxxxxx/installation/index.php HTTP/1.1" 303 - "http://xxxxxxx/installation/index.php" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0"
XXX.XXX.XXX.XXX - - [29/Aug/2016:18:48:29 -0400] "GET /xxxxxxx/installation/index.php HTTP/1.1" 200 15208 "http://xxxxxxx/installation/index.php" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0"

Database Log
===================
2016-08-29 18:48:29 140370579262208 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2016-08-29 18:48:29 140370579262208 [Warning] Access denied for user 'root'@'localhost' (using password: NO)


Notice that the timestamps are identical. That seems to be the smoking gun that it is trying to access the database using improper credentials. What's worse is that it is even attempting to use the superuser credentials. That alone raises this issue to a whole new level entirely. Even if one could hypothetically get away with using the root credentials successfully, is it really a good idea from a security standpoint?

You say you have installed Joomla successfully many times before. Do your systems have the MySQL root account configured to not use a password? If so, that would explain why it has consistently worked for you. If your systems are not configured that way, then can you tell me what code is executing this access attempt? I would much rather change a couple lines of code than open my system up to a program so it can use my root account to do unspecified things to my system's databases.
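
The check TomRivers performs by eye in the post above, matching Apache request timestamps against database "Access denied" warnings, written out as an added example; it is not part of the thread and is not Joomla code. It assumes both logs are written in the server's local time, and the sample lines, addresses and paths are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data in the two log formats quoted in the post
# (addresses and paths are placeholders, not values from the thread).
APACHE_LOG = """\
203.0.113.7 - - [29/Aug/2016:18:48:29 -0400] "POST /site/installation/index.php HTTP/1.1" 303 - "-" "Mozilla/5.0"
203.0.113.7 - - [29/Aug/2016:18:48:29 -0400] "GET /site/installation/index.php HTTP/1.1" 200 15208 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Aug/2016:18:52:10 -0400] "GET /site/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
DB_LOG = """\
2016-08-29 18:48:29 140370579262208 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2016-08-29 18:48:29 140370579262208 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2016-08-29 19:30:02 140370579262208 [Warning] Access denied for user 'backup'@'localhost' (using password: YES)
"""

# Combined log format: client, two ignored fields, [time], "METHOD path proto", status.
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Database error-log warning as quoted in the post: time, thread id, message.
DENIED_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d\s+\d{1,2}:\d\d:\d\d)\s+\d+\s+\[Warning\] "
    r"Access denied for user '([^']*)'@'([^']*)' \(using password: (YES|NO)\)"
)


def parse_apache(text):
    """Return one dict per access-log line that matches the combined format."""
    requests = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        ip, stamp, method, path, status = m.groups()
        # Drop the UTC offset: the database log carries local wall-clock time
        # only (assumption: both services log in the same time zone).
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        requests.append({"time": when, "ip": ip, "method": method,
                         "path": path, "status": int(status)})
    return requests


def parse_denied(text):
    """Return one dict per 'Access denied' warning in the database log."""
    denials = []
    for line in text.splitlines():
        m = DENIED_RE.match(line)
        if not m:
            continue
        stamp, user, host, sent = m.groups()
        # Collapse padding so a space-padded hour still parses.
        when = datetime.strptime(" ".join(stamp.split()), "%Y-%m-%d %H:%M:%S")
        denials.append({"time": when, "user": user, "host": host,
                        "password_sent": sent == "YES"})
    return denials


def correlate(requests, denials, window=timedelta(seconds=1)):
    """Attach to each denied login the HTTP requests logged within `window`.

    `default_credentials` marks the case discussed in the thread: a login
    attempt as root that supplied no password at all.
    """
    findings = []
    for d in denials:
        near = [r for r in requests if abs(r["time"] - d["time"]) <= window]
        findings.append({**d, "requests": near,
                         "default_credentials": d["user"] == "root"
                         and not d["password_sent"]})
    return findings


if __name__ == "__main__":
    for f in correlate(parse_apache(APACHE_LOG), parse_denied(DB_LOG)):
        flag = "DEFAULT-CREDS" if f["default_credentials"] else "denied"
        hits = ", ".join(f'{r["method"]} {r["path"]} -> {r["status"]}'
                         for r in f["requests"]) or "no request in window"
        print(f'{f["time"]} {flag} {f["user"]}@{f["host"]}: {hits}')
```

A denied login with no request in the window points away from the web application, while a repeated root/no-password denial that always lines up with the same URL identifies the page whose code path opens the connection.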

dhuelsmann
Joomla! Master
Posts: 19659
Joined: Sun Oct 02, 2005 12:50 am
Location: Omaha, NE

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by dhuelsmann » Mon Aug 29, 2016 11:21 pm

I have installed multiple times on my local stack where the root password has been configured to yes even though I also had set up a specific user and password for the install with no issues like yours. Perhaps there is some server configuration causing this issue. I suggest you set up Uniform Server on your pc and install there. Once you succeed use Akeeba Backup to move it to your server. Don't change any of the core code. Millions of installations are successful.
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org

TomRivers
Joomla! Apprentice
Posts: 22
Joined: Mon Aug 29, 2016 6:56 pm

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by TomRivers » Mon Aug 29, 2016 11:33 pm

dhuelsmann wrote: I have installed multiple times on my local stack where the root password has been configured to yes even though I also had set up a specific user and password for the install with no issues like yours.
How can the installation program know how to connect to the database if it hasn't been told what credentials to use? If you don't know the answer that's fine, but I think it is a valid question.
dhuelsmann wrote: I suggest you set up Uniform Server on your pc and install there. Once you succeed use Akeeba Backup to move it to your server.
That's one way to go around it or I can simply manually edit the installation/configuration.php-dist file and put it into the production directory. However it still doesn't answer the question of how any program can access a database without being told the credentials it must use first.

As a programmer I would really like to know how that is accomplished because out of all the languages I know and database engines I have used over the past 25+ years I have never seen a program gain access to a restricted resource without using valid credentials with the proper permissions, using unsecured known credentials for accounts like root that have the proper permissions, or exploiting a security hole.

dhuelsmann
Joomla! Master
Posts: 19659
Joined: Sun Oct 02, 2005 12:50 am
Location: Omaha, NE

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by dhuelsmann » Tue Aug 30, 2016 1:13 am

It doesn't. As I said, I suspect a server configuration issue.
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org

TomRivers
Joomla! Apprentice
Posts: 22
Joined: Mon Aug 29, 2016 6:56 pm

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by TomRivers » Tue Aug 30, 2016 3:16 am

dhuelsmann wrote: It doesn't. As I said, I suspect a server configuration issue.
I contend that my server is configured properly. I can access the database from the command line as well as from programs I have written that contain the proper database credentials. No database server should have the root user configured without a password.

When I run the Joomla installation program, it should ask me for the database credentials it needs to access the database before it tries to access that database but the exact opposite is what is happening. I apologize if I have not been clear in my explanation. Let me try this from another angle.

I have followed the Joomla installation instructions that ask me to create user credentials before running the Joomla web installation wizard. For the sake of this explanation, let's use the following information:

Joomla database name: joomla1
Joomla database username: joomlauser
Joomla database password: joomlapassword

I have tested these credentials and am able to create tables, populate them, and drop them. I now proceed to the next phase of the Joomla installation instructions that ask me to fire up the web installation wizard in my browser. Once I bring up that page, this is what happens:

1) Page asks me to specify site name, site description, etc. and then click Next.
2) Page attempts to write the data to the database.
3) If successful, it should proceed to the next phase where it is supposed to prompt me for database user credentials, et al.
4) Attempt to write to database fails because the credentials being used are "root" with no password.

How am I supposed to give the installation program the database name, database username, and database user password I created if I can't get to the next phase where I am supposed to input it?

There is no way the web installation wizard can know the database name and user credentials unless I tell it and that step is scheduled to occur after it fails to connect to my database using "root" with no password. I never told it to use root. In fact, I didn't get a chance to tell it what user credentials to use at all. It never even asked because if it did I would have given it a database name of "joomla1", a user of "joomlauser", and a password of "joomlapassword".

To be clear, the steps the installation wizard executes should be in the following order instead:

1) Page asks me to specify database name and user credentials and click Next.
2) Page attempts to use that information to write to the database.
3) If successful, it proceeds to Step 2 to prompt me for site name, site description, etc. and then click Next.
4) Attempt to write to database succeeds because it is using the credentials I specified.

So this brings me back to my original question: "Why is the Joomla web installation wizard trying to access my database when it has never asked me for the credentials it needs?"

It asked me to create credentials for its installation program and then completely ignores that, attempts to access the database anyway using "root" with no password, and then fails. If this is working for others but not for me, then either their database configurations are set to have the "root" account active with no password or the installation program is getting their Joomla database credentials some other way than through the web installation wizard.

I am not using a MySQL front end and I am not in a hosted environment. I am making changes to the database configuration using the command line interface. The only places the Joomla database configuration data I created for this installation resides is in the database and in my head. I know the Joomla web installation wizard can't read my mind, and I also know that the database security will keep unauthorized users from accessing the data it contains so there is no way that the credentials I created will be available to the web installation wizard unless I tell it what those credentials are.

Solving this problem is going to require identifying how the Joomla Web Installation Wizard is supposed to be told about the database name and credentials it wants created for it ahead of time. The installation instructions on the web site make no mention of that. The wizard itself tries to access the database before asking for the credentials so it must be expecting to get them from somewhere else. My guess is that it can't find them where it is expecting them and in a last ditch effort it decides to try "root" with no password, hoping that the user left that door open.

dhuelsmann
Joomla! Master
Posts: 19659
Joined: Sun Oct 02, 2005 12:50 am
Location: Omaha, NE

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by dhuelsmann » Tue Aug 30, 2016 3:26 am

Sorry, Joomla does not attempt to access the database prior to stage 2 of installation. Your server configuration is the issue. Try local pc install. You will get it eventually. Enough said.
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org

TomRivers
Joomla! Apprentice
Posts: 22
Joined: Mon Aug 29, 2016 6:56 pm

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by TomRivers » Tue Aug 30, 2016 12:21 pm

dhuelsmann wrote: Sorry, Joomla does not attempt to access the database prior to stage 2 of installation.
My logs say otherwise. If you think they don't, then I'm interested in hearing your explanation of why.

dhuelsmann wrote: Your server configuration is the issue.
I've gone to great length to explain in detail everything but you have yet to say anything that counters any of the data I've presented. I appreciate your opinion, however it is not supported by the facts.

dhuelsmann
Joomla! Master
Posts: 19659
Joined: Sun Oct 02, 2005 12:50 am
Location: Omaha, NE

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by dhuelsmann » Tue Aug 30, 2016 1:03 pm

Do a google search on Joomla Access denied for user 'root'@'localhost' (using password: NO). You will find some. However it will be users who have issues trying to access their MYSQL databases directly - NOT trying to install Joomla. With millions of successful installs and one who can't, a person can only conclude that your position is untenable. And, it is likely a server configuration issue. Try on your pc as I suggested. If it goes smoothly what would your suspicion be as to the problem?
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org

TomRivers
Joomla! Apprentice
Posts: 22
Joined: Mon Aug 29, 2016 6:56 pm

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by TomRivers » Tue Aug 30, 2016 1:14 pm

dhuelsmann wrote: Do a google search on Joomla Access denied for user 'root'@'localhost' (using password: NO). You will find some. However it will be users who have issues trying to access their MYSQL databases directly - NOT trying to install Joomla.
As I've said before, I can access my local database just fine. I also said I did an exhaustive search and found nothing relating to this error I am getting with installing Joomla.
dhuelsmann wrote: With millions of successful installs and one who can't, a person can only conclude that your position is untenable. And, it is likely a server configuration issue.
I've responded to every point you have made in detail and you have not bothered to return the favor even once. If all you are going to do is continue to say it is my server configuration that is to blame without countering any of the factual evidence I have presented to the contrary, then I thank you for your time. You are not helping me solve the problem at hand.

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by leolam » Wed Aug 31, 2016 4:27 am

I have followed this with interest and am kind of amazed @TomRivers that you are so stubborn and do not listen to Dave who is a real professional. What I see is that you are trying to connect to your local server and not to the online box. This I can see from
[Warning] Access denied for user 'root'@'localhost' (using password: NO)
since that is the connection you created in phpMyAdmin with root as user and with no password (typical Xampp or Mamp server setup). This you never get when you connect to the installer with a database in Fedora or Centos if you have set up your MySQL credentials properly. This shows that you use SSH wrong and connect directly to the database and not through the Joomla installer.

Review: https://www.google.com/?client=firefox- ... d%3A+NO%29

You are stubborn not wanting to read and digest properly. So if you connect to the Fedora box and directories properly and to the installer instead of directly to the database you will have no issues. Switch that button in your head?

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

TomRivers
Joomla! Apprentice
Posts: 22
Joined: Mon Aug 29, 2016 6:56 pm

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by TomRivers » Wed Aug 31, 2016 1:01 pm

leolam wrote: I have followed this with interest and am kind of amazed @TomRivers that you are so stubborn and do not listen to Dave who is a real professional.
I answered every point he made in great detail and tried every suggestion he made except for the one to completely abandon trying to figure out why the Joomla installer is trying to access the database before asking for the very credentials it wants me to create for it. If I am wrong, please show me where.

By the way, I too have decades of experience with software development, database design and administration, network and systems security to name a few. That is why I have tried as hard as I could to be detailed and complete in my analysis. I don't want to give up. I want to solve the problem and it is most certainly not with my system configuration as far as the current facts indicate. If you think it is, kindly address any of the data points I have laid out in detail and we'll go from there.
leolam wrote: What I see is that you are trying to connect to your local server and not to the online box. This I can see from
[Warning] Access denied for user 'root'@'localhost' (using password: NO)
since that is the connection you created in phpMyAdmin with root as user and with no password (typical Xampp or Mamp server setup).
You are incorrect. I am SSH'ed into the target system that is local to the Joomla installation and the database instance. I didn't use phpMyAdmin - I clearly stated I used the MySQL command line. I also never said that I used XAMPP or MAMP. It is a stock Fedora 24 system.

I also clearly stated that I was able to use MySQL from the command line to connect to the database instance without difficulty and that other programs are able to interface with it without issue.
leolam wrote: This you never get when you connect to the installer with a database in Fedora or Centos if you have set up your MySQL credentials properly. This shows that you use SSH wrong and connect directly to the database and not through the Joomla installer.
I said I set up the credentials as the installation instructions specify and can use them to connect to the database. I also said I was using the Joomla Web Installer and all the data I have been providing covers its attempts to connect to the database. All of this is happening in the context of the local system, following the installation instructions to the letter, using the Joomla Web Installer and nothing to do with trying to tunnel the database connection over SSH.

I keep asking the question and nobody seems to want to answer it: "Why is the Joomla web installation wizard trying to access my database when it has never asked me for the credentials it needs?"
I also mentioned that I did a search, just like the one you posted, in the opening sentences of my initial post. I don't ask anything on a forum without researching it first.
leolam wrote: You are stubborn not wanting to read and digest properly.
You completely ignored all of the detail I have attempted to provide and made false assumptions. Why don't you take a moment to address the technical points I have made and maybe together we can help debug why Joomla is misbehaving and help improve the product? I have authored open source software myself and understand how important it is to have a vibrant and engaged community. I'm trying to give something back.

So what do you say? Are you willing to roll up your sleeves and lend a hand?

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by leolam » Wed Aug 31, 2016 3:11 pm

Joomla is not misbehaving... I installed today Joomla 3.6.2 on 4 different client sites on 4 different hosting providers (2 x Centos, 1 x Cloudlinux, 1 x Ubuntu) and this went as expected within 1 minute per site i.e. 3 minutes where it was with a prepacked template demo.

What you describe is non-Joomla behavior and has never been reported to me by my knowledge of this product and we run a Professional Support organization and have in the past 10 years solved over 27K support tickets by Joomla-users and what you described has never occurred because of Joomla as far as I can tell by my "little" experience.

Nothing to improve the product or to debug..... I can only repeat what Dave mentioned
With millions of successful installs and one who can't, a person can only conclude that your position is untenable.
Therefore nothing to roll up and if you want my 1:1 support I will roll up my sleeves if you purchase a support ticket from us and I will personally attend to the issue you face since further discussions here on the Joomla forum related to this, for me non-existing Joomla issue, is a waste of my time.

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

TomRivers
Joomla! Apprentice
Posts: 22
Joined: Mon Aug 29, 2016 6:56 pm

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by TomRivers » Wed Aug 31, 2016 3:39 pm

leolam wrote: Joomla is not misbehaving...
You and Dave keep saying that but you offer no counter argument to all of the data I've provided that says otherwise.
leolam wrote: I installed today Joomla 3.6.2 on 4 different client sites on 4 different hosting providers (2 x Centos, 1 x Cloudlinux, 1 x Ubuntu) and this went as expected within 1 minute per site i.e. 3 minutes where it was with a prepacked template demo.
Do you know whether any of those instances had their databases' root account configured for localhost access with no password?

By the way XAMPP does, which is no wonder why the Joomla installation works as advertised. Don't take my word for it. Take a look at their documentation for yourself that supports what I have been saying since the beginning:

https://www.apachefriends.org/faq_windows.html
Is XAMPP production ready?

XAMPP is not meant for production use but only for development environments. The way XAMPP is configured is to be open as possible to allow the developer anything he/she wants. For development environments this is great but in a production environment it could be fatal.

Here a list of missing security in XAMPP:

The MySQL administrator (root) has no password.
The MySQL daemon is accessible via network.
ProFTPD uses the password "lampp" for user "daemon".
PhpMyAdmin is accessible via network.
The XAMPP demopage is accessible via network.
The default users of Mercury and FileZilla are known.

All points can be a huge security risk. Especially if XAMPP is accessible via network and people outside your LAN. It can also help to use a firewall or a (NAT) router. In case of a router or firewall, your PC is normally not accessible via network. It is up to you to fix these problems. As a small help there is the "XAMPP Security console".

Please secure XAMPP before publishing anything online. A firewall or an external router are only sufficient for low levels of security. For slightly more security, you can run the "XAMPP Security console" and assign passwords.
leolam wrote: What you describe is non-Joomla behavior and has never been reported to me by my knowledge of this product and we run a Professional Support organization and have in the past 10 years solved over 27K support tickets by Joomla-users and what you described has never occurred because of Joomla as far as I can tell by my "little" experience.

Nothing to improve the product or to debug..... I can only repeat what Dave mentioned
With millions of successful installs and one who can't, a person can only conclude that your position is untenable.
Well I've seen it happen first hand and have provided a ton of details as to why I think it is occurring so now you can safely say it has been reported.
leolam wrote: Therefore nothing to roll up and if you want my 1:1 support I will roll up my sleeves if you purchase a support ticket from us and I will personally attend to the issue you face since further discussions here on the Joomla forum related to this, for me non-existing Joomla issue, is a waste of my time.
You know, it's really funny that nobody wants to answer the simple question I've posed. I will do all the programming required to fix this on my own time and turn over the patch to your team but I would just like someone to tell me what module in the installation process is attempting to use the root account with no password during Step 1 of the Web Installer so I don't have to go learn your code base myself. Why is that so hard for someone of your experience to do? Just tell me the name of it and I will do all the rest.

I wanted to use Joomla because someone recommended it to me and in the process of installing it I found a bug that arguably has severe security implications for anyone like me attempting to install it on a public facing physical server. I asked politely if I could get someone to help me narrow down the search for the cause so I could fix it myself, and I get this kind of attitude from people who call themselves professionals. I'm sorry if my unwillingness to give up on using the Web Installer has offended you in some way, but I was really hoping to try to find a way to fix this problem without pulling apart the code myself by asking a simple question.

Who would've thought that would be so hard to answer.

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by leolam » Wed Aug 31, 2016 4:02 pm

what module in the installation process is attempting to use the root account with no password during Step 1 of the Web Installer
None .... as stated setup and server. No need for Xampp documentation Sir. We have in our business operations both Xampp and Mamp servers for local testing. A production ready Mamp-server is the Uniform server (we use in testing as well).

If you think we have a bug feel free to post this on the Issues Tracker at https://issues.joomla.org after which you can create a pull request on Github

Cheers

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

TomRivers
Joomla! Apprentice
Posts: 22
Joined: Mon Aug 29, 2016 6:56 pm

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by TomRivers » Wed Aug 31, 2016 4:41 pm

leolam wrote: None .... as stated setup and server.
As my server logs indicate, my local Apache server processes both a POST and GET when I click Next on Step 1 of the Web Installer that results in simultaneous corresponding "access denied" messages in my database logs so I respectfully beg to differ.

Regardless, I have traced some of the processing the index.php program does when the form is submitted, but there are a lot of class modules and other inner workings with which I am not familiar. This is why I posed the question here hoping someone would know what piece of code is responsible for handling the database access at the end of Step 1 so I could work around it and eventually propose/submit a fix.
leolam wrote: No need for Xampp documentation Sir. We have in our business operations both Xampp and Mamp servers for local testing. A production ready Mamp-server is the Uniform server (we use in testing as well).
The only reason I included that documentation is because it helps support the theory I have been voicing all along - the Web Installer is attempting to access the database using root with no password. It also demonstrates why some people can install Joomla without a hitch and why I am having the problem I am having because I have a password on my root account.
leolam wrote:If you think we have a bug feel free to post this on the Issues Tracker at https://issues.joomla.org after which you can create a pull request on Github
I posted something in the Security forum about this very issue but my post was deleted and nobody explained why. I initially thought about posting an actual bug entry in the Issue Tracker but I figured I would post in the Security forum first to see if that was sufficient. I've worked on large projects before and I know how busy things can get so I didn't want to involve anyone unnecessarily. Since my post in the Security Forum was evidently not acceptable for whatever reason, I question whether a post in the Issues Tracker will receive the same treatment. If I do take the time to file a bug and that post also gets deleted, to whom do I go to find out why? In fact, I would really like to hear the reason why my other post was deleted as well.

On a side note, I am the project lead for a new business venture and some of the visual designers we've contacted have suggested Joomla as the base for the web site the company wants to build. Part of the reason I was installing it in the first place on my server, the action that ultimately brought me here, was I wanted to get a feel for the technology so I could help analyze the product's fitness for our project. The team hasn't made a decision regarding what platform to use yet and I am concerned about whether Joomla is a good fit at this point because it seems to be designed for implementations, at least initially, where security is not a prime consideration. Since this site will be processing payments and handling other sensitive information, I have to ask whether Joomla is a good fit for a large company or if it is better suited to smaller, non-commercial ventures that don't need to worry about security as much and don't typically deploy to servers they own outright that aren't part of some hosting facility offering. Can you either comment on that or refer me to someone who can?

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by leolam » Wed Aug 31, 2016 5:23 pm

I can only guess that the issue you posted on "security" was considered a cross post of this thread otherwise they won't get deleted unless spam or other breaches in the rules.

http://showcase.joomla.org for sites submitted (sites submitted by developers and interested parties)
http://joomlagov.info/

Peugeot, Ikea, Porsche - Brazil, Shell-Car Services Park, Mitsubishi-Poland, General Electric, McDonalds, Harvard Uni, IHOP, iTWire to mention a couple (of Multinationals or well known institutes) using Joomla for their operations.

Security: Joomla operates a Security Strike Team (consisting of security specialists) that proactively interacts with the Community, Security Advisers, External Sources and others. Security Patches are implemented vigorously and tested by the CMS-Release Team in close cooperation with JST. Read more:

https://developer.joomla.org/security-centre.html
https://vel.joomla.org

No matter what you choose, as long as you keep it up to date, most of the danger will come from server-level security and third party code. On server level we in our hosting operations use as example for protection the entire commercial and freely available subsystems from Configserver on our cPanel driven servers as well as Cisco Firewalls in combination of CacheFS on Cloudlinux. You can extend this to 'help' with Joomla extensions such as the WAF-Firewall extension by Akeebabackup in Admin Tools or RS-Firewall. These extensions are never sufficient since again the server safety is crucial. Here we agree for sure.

The biggest area where security flaws come from is from 3rd party add-ons (modules, components, plugins, etc). Joomla itself is secure. Vulnerabilities found in 3rd party extensions and/or reported by users or 'watchers' will lead to delisting of the extension in the extension directory, listing on the VEL and other publications till the extensions have been patched and tested. Other issues in security that lead to hacks is not complying to file and folder permissions as described in our extensive and well documented Security Portal https://docs.joomla.org/Security

Issues are not removed but will be closed if no evidence can be provided or the issue cannot be reproduced by the JBS (Joomla Bug Squad) and core contributors. Then it will be marked as a non-issue.

Leo 8)

TomRivers
Joomla! Apprentice
Posts: 22
Joined: Mon Aug 29, 2016 6:56 pm

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by TomRivers » Wed Aug 31, 2016 5:46 pm

Thanks for the information, Leo.

TomRivers
Joomla! Apprentice
Posts: 22
Joined: Mon Aug 29, 2016 6:56 pm

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by TomRivers » Thu Sep 01, 2016 12:32 am

For anyone still following this thread and as concerned as I am that nobody wants to admit there is a problem with the Joomla Web Installer, I have decided to see if I can find the answer myself to the question of why it is surreptitiously accessing my database using the root account with no password instead of first prompting me for the credentials the installation instructions ask me to create for it to do its job.

As luck would have it, I have experience as a PHP programmer and have built online ordering web sites from scratch myself that deal with wholesale distribution system databases on the back-end in the past, so I am armed with at least a fair understanding of the landscape in general. Since it isn't easy to trace what's happening during the installation process of a third-party app like Joomla without a road map (and nobody is providing one so far) and a bunch of time to digest how it is put together, I decided to take a novel approach and started by removing read access to all of the Joomla files in the libraries/joomla/database/driver folder on my server. After that, I fired up the web installer and was promptly greeted with the following message in my web browser:

Database Error: Unable to load Database Driver: mysqli

I checked my web server and database logs and only found this in the Apache error_log:

[Wed Aug 31 19:21:15.578627 2016] [:error] [pid 14621] [client XXX.XXX.XXX.XXX:9811] PHP Warning: include(): Failed opening '/xxxxxxxx/libraries/joomla/database/driver/mysqli.php' for inclusion (include_path='.:/usr/share/pear:/usr/share/php') in /xxxxxxxx/libraries/loader.php on line 599


Evidently it doesn't like the fact it can't get a driver file and I don't blame it - it's a required part of the installation process. However, now I know that the installation/index.php file which is the heart of the Web Installer is using libraries/loader.php to get the driver file libraries/joomla/database/driver/mysqli.php when it first loads.

I went back to the server and restored the original permissions to the libraries/joomla/database/driver/mysqli.php file. When I refreshed the page with the error, I now was able to see the page for Step 1 of the Web Installer just as expected. Without clicking on anything on that page, I went back to look at the log files again to see what, if anything, had been recorded. This is what I found:


Apache error_log
======================================
[Wed Aug 31 19:39:14.668702 2016] [:error] [pid 8319] [client XXX.XXX.XXX.XXX:9975] PHP Warning: include(): Failed opening '/xxxxxxxx/libraries/joomla/database/driver/pdo.php' for inclusion (include_path='.:/usr/share/pear:/usr/share/php') in /xxxxxxxx/libraries/loader.php on line 599

Database log
======================================
2016-08-31 19:39:14 140276722801408 [Warning] Access denied for user 'root'@'localhost' (using password: NO)


Even though the page displayed without generating an error, since it now had access to a valid driver file, it attempted to access my database as root without a password at the exact same second the page was loaded by the web server. I immediately went back and removed the permissions on the libraries/joomla/database/driver/mysqli.php file and started typing up my findings. While in the process of doing that, the Apache error log I was following in real-time flashed up two more interesting lines:


[Wed Aug 31 19:44:15.130371 2016] [:error] [pid 14650] [client XXX.XXX.XXX.XXX:10003] PHP Warning: include(/xxxxxxxx/libraries/joomla/database/driver/mysqli.php): failed to open stream: Permission denied in /xxxxxxxx/libraries/loader.php on line 599, referer: http://xxxxxxxx/installation/index.php
[Wed Aug 31 19:44:15.130420 2016] [:error] [pid 14650] [client XXX.XXX.XXX.XXX:10003] PHP Warning: include(): Failed opening '/xxxxxxxx/libraries/joomla/database/driver/mysqli.php' for inclusion (include_path='.:/usr/share/pear:/usr/share/php') in /xxxxxxxx/libraries/loader.php on line 599, referer: http://xxxxxxxx/installation/index.php


Evidently it is not only attempting to access the database with the superuser credentials as soon as the Web Installer page is loaded, it is automatically retrying after a period of time has elapsed. I waited a bit to see if this was in fact the case and was not disappointed. Five minutes later, to the second, I saw the following lines appear in the Apache error log:


[Wed Aug 31 19:49:15.217554 2016] [:error] [pid 14645] [client XXX.XXX.XXX.XXX:10029] PHP Warning: include(/xxxxxxxx/libraries/joomla/database/driver/mysqli.php): failed to open stream: Permission denied in /xxxxxxxx/libraries/loader.php on line 599, referer: http://xxxxxxxx/installation/index.php
[Wed Aug 31 19:49:15.217613 2016] [:error] [pid 14645] [client XXX.XXX.XXX.XXX:10029] PHP Warning: include(): Failed opening '/xxxxxxxx/libraries/joomla/database/driver/mysqli.php' for inclusion (include_path='.:/usr/share/pear:/usr/share/php') in /xxxxxxxx/libraries/loader.php on line 599, referer: http://xxxxxxxx/installation/index.php


I hope this finally puts to rest the false notion that the Joomla Web Installer doesn't try to access the database as root with no password because it clearly does - repeatedly. Not only that, but it does so without ever prompting for the credentials it explicitly asks you to create before directing you to run the Web Installer. For the record, below is a section of the instructions given in the installation/INSTALL text file provided with the download:

1. DOWNLOAD Joomla

<snip>


2. CREATE THE Joomla! DATABASE

Joomla! will currently work with MySQL, MSSQL and PostgreSQL but
the following instructions are for MySQL. Refer to the relevant
documentation if you are using another database.

You can use your web control panel or phpMyAdmin to
create a database for Joomla.

Alternatively you can create a database with the CLI.
In the following examples, "db_user" is an example MySQL user
which has the CREATE and GRANT privileges. You will need to use
the appropriate username for your system.

First, you must create a new database for your Joomla! site eg

$ mysqladmin -u db_user -p create Joomla

MySQL will prompt for the 'db_user' database password and then create
the initial database files. Next you must login and set the access
database rights eg

$ mysql -u db_user -p

Again, you will be asked for the 'db_user' database password. At the
MySQL prompt, enter following command:

GRANT ALL PRIVILEGES ON Joomla.*
TO nobody@localhost IDENTIFIED BY 'password';

where:

'Joomla' is the name of your database
'nobody@localhost' is the userid of your web server MySQL account
'password' is the password required to log in as the MySQL user

If successful, MySQL will reply with

Query OK, 0 rows affected

to activate the new permissions you must enter the command

flush privileges;

and then enter 'exit' or 'quit' to exit MySQL.

3. WEB INSTALLER

Finally point your web browser to http://www.example.org where the Joomla! web
based installer will guide you through the rest of the installation.

The fact is the Joomla Web Installer is configured by default to try to connect to your local MySQL database instance as root with no password specified. If your root account is password protected - like it should be - then your installation will proceed no further and you will be given no indication that anything has happened or will happen for that matter. You can sit there all day long clicking "Next" to move on to Step 2 where it is supposed to ask you for the credentials you were supposed to create previously, but you won't be able to go anywhere. Meanwhile, the program will continue to try to gain access to the database, without your knowledge or permission, every 5 minutes until you exit the page.

Pretty interesting, huh?
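
The log correlation described in the post above, as an added example that is not part of the original thread: it pairs each passwordless root denial in the database log with web-server errors logged within one second, and measures the interval between bursts of web-server errors. The sample lines are constructed in the two log formats quoted above; the client address, host name, paths and the 'joomla' denial are placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data in the two log formats quoted in the post;
# client address, host name and paths are placeholders.
APACHE_ERROR_LOG = """\
[Wed Aug 31 19:39:14.668702 2016] [:error] [pid 8319] [client 192.0.2.10:9975] PHP Warning: include(): Failed opening '/srv/site/libraries/joomla/database/driver/pdo.php' for inclusion in /srv/site/libraries/loader.php on line 599
[Wed Aug 31 19:44:15.130371 2016] [:error] [pid 14650] [client 192.0.2.10:10003] PHP Warning: include(/srv/site/libraries/joomla/database/driver/mysqli.php): failed to open stream: Permission denied in /srv/site/libraries/loader.php on line 599, referer: http://site.example/installation/index.php
[Wed Aug 31 19:44:15.130420 2016] [:error] [pid 14650] [client 192.0.2.10:10003] PHP Warning: include(): Failed opening '/srv/site/libraries/joomla/database/driver/mysqli.php' for inclusion in /srv/site/libraries/loader.php on line 599, referer: http://site.example/installation/index.php
[Wed Aug 31 19:49:15.217554 2016] [:error] [pid 14645] [client 192.0.2.10:10029] PHP Warning: include(): Failed opening '/srv/site/libraries/joomla/database/driver/mysqli.php' for inclusion in /srv/site/libraries/loader.php on line 599, referer: http://site.example/installation/index.php
"""
DB_LOG = """\
2016-08-31 19:12:03 140276722801408 [Warning] Access denied for user 'joomla'@'localhost' (using password: YES)
2016-08-31 19:39:14 140276722801408 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
"""

APACHE_RE = re.compile(
    r"^\[(\w{3} \w{3} +\d+ [\d:.]+ \d{4})\] \[[^\]]*\] \[pid (\d+)\] \[client ([^\]]+)\] (.*)$")
DENIED_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \d+ \[Warning\] Access denied for user "
    r"'([^']*)'@'([^']*)' \(using password: (YES|NO)\)")

def parse_apache(text):
    """Return one dict per Apache error_log line that matches the format."""
    events = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S.%f %Y")
            events.append({"ts": ts, "pid": int(m.group(2)),
                           "client": m.group(3), "msg": m.group(4)})
    return events

def parse_denied(text):
    """Return one dict per 'Access denied' line in the database log."""
    denied = []
    for line in text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            denied.append({"ts": ts, "user": m.group(2), "host": m.group(3),
                           "with_password": m.group(4) == "YES"})
    return denied

def passwordless_root(denied):
    """Keep only attempts made as root with no password supplied."""
    return [d for d in denied if d["user"] == "root" and not d["with_password"]]

def correlate(denied, apache, window=timedelta(seconds=1)):
    """Pair each denied login with web-server events within `window` of it."""
    return [(d, [a for a in apache if abs(a["ts"] - d["ts"]) <= window])
            for d in denied]

def burst_intervals(apache, gap=timedelta(seconds=1)):
    """Seconds (rounded) between the starts of successive bursts of errors."""
    starts, last = [], None
    for a in sorted(apache, key=lambda e: e["ts"]):
        if last is None or a["ts"] - last > gap:
            starts.append(a["ts"])
        last = a["ts"]
    return [round((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]

if __name__ == "__main__":
    web = parse_apache(APACHE_ERROR_LOG)
    for attempt, nearby in correlate(passwordless_root(parse_denied(DB_LOG)), web):
        print(attempt["ts"], "root, no password; web pids:", [a["pid"] for a in nearby])
    print("seconds between error bursts:", burst_intervals(web))
```
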

TomRivers
Joomla! Apprentice
Posts: 22
Joined: Mon Aug 29, 2016 6:56 pm

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by TomRivers » Thu Sep 01, 2016 1:30 am

I am pleased to report that I have finally found the source of the problem. The code in question is part of the file libraries/joomla/database/driver/mysqli.php and it explicitly sets the user to root without a password in the constructor of the JDatabaseDriverMysqli class. Below is the section of code in question:

public function __construct($options)
{
    // Get some basic values from the options.
    $options['host']     = (isset($options['host'])) ? $options['host'] : 'localhost';
    $options['user']     = (isset($options['user'])) ? $options['user'] : 'root';
    $options['password'] = (isset($options['password'])) ? $options['password'] : '';
    $options['database'] = (isset($options['database'])) ? $options['database'] : '';
    $options['select']   = (isset($options['select'])) ? (bool) $options['select'] : true;
    $options['port']     = (isset($options['port'])) ? (int) $options['port'] : null;
    $options['socket']   = (isset($options['socket'])) ? $options['socket'] : null;

    // Finalize initialisation.
    parent::__construct($options);
}

For anyone that doesn't know PHP, the lines in the code snippet above that start with "$options[" are assignment instructions that conditionally prime the contents of key components used to connect to the database. Let's walk through the statement that deals with setting the value for "user". The part in bold below checks to see if the value for "user" is already specified:


$options['user'] = (isset($options['user'])) ? $options['user'] : 'root';


If it is, then this part of the statement in bold is executed and the existing value is kept as is:


$options['user'] = (isset($options['user'])) ? $options['user'] : 'root';


If it isn't, then the part of the statement in bold following the colon is activated and the component is assigned a default value - in this case it's the value "root":


$options['user'] = (isset($options['user'])) ? $options['user'] : 'root';


With respect to the Web Installer issue I've been detailing, there is no way it can possibly know what database credentials have been created for it when it first launches. Now here is the proof that it is explicitly using the superuser account as its default - a practice that is definitely not security-oriented.

I will continue my research into developing a viable work-around to this issue that is easy to use and will post my progress here.
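
A source check for the fallback pattern walked through above, as an added example that is not part of the original post or of Joomla: it scans PHP driver source for option defaults that fall back to a privileged account name or an empty password. The set of privileged names and the key aliases are assumptions made for this example; the sample input is the constructor quoted in the post.

```python
import re

# Credential-related lines of the constructor quoted in the post, as sample input.
DRIVER_SOURCE = """\
public function __construct($options)
{
    // Get some basic values from the options.
    $options['host']     = (isset($options['host'])) ? $options['host'] : 'localhost';
    $options['user']     = (isset($options['user'])) ? $options['user'] : 'root';
    $options['password'] = (isset($options['password'])) ? $options['password'] : '';
    $options['database'] = (isset($options['database'])) ? $options['database'] : '';
    parent::__construct($options);
}
"""

# Matches: $options['k'] = (isset($options['k'])) ? <kept value> : <default>;
FALLBACK_RE = re.compile(
    r"\$options\[['\"](?P<key>\w+)['\"]\]\s*=\s*\(?\s*isset\(\s*"
    r"\$options\[['\"](?P=key)['\"]\]\s*\)\s*\)?\s*\?.*?:\s*"
    r"(?P<default>'[^']*'|\"[^\"]*\"|\w+)\s*;")

# Assumptions for this example: names treated as privileged, and key aliases.
PRIVILEGED_USERS = {"root", "sa", "postgres", "admin"}
USER_KEYS = {"user", "username"}
PASSWORD_KEYS = {"password", "pass"}


def audit_fallbacks(source):
    """Return (line, key, default, reason) for each risky credential default."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = FALLBACK_RE.search(line)
        if not m:
            continue
        key = m.group("key")
        raw = m.group("default")
        quoted = raw[0] in "'\""
        value = raw[1:-1] if quoted else raw
        if key in USER_KEYS and quoted and value.lower() in PRIVILEGED_USERS:
            findings.append((lineno, key, value, "falls back to a privileged account"))
        elif key in PASSWORD_KEYS and (value == "" or raw.lower() == "null"):
            findings.append((lineno, key, value, "falls back to an empty password"))
    return findings


if __name__ == "__main__":
    for lineno, key, value, reason in audit_fallbacks(DRIVER_SOURCE):
        print(f"line {lineno}: option '{key}' {reason} (default {value!r})")
```

The same function can be applied to each file under libraries/joomla/database/driver by reading the file and passing its text.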

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by leolam » Thu Sep 01, 2016 2:40 am

This is not the place to post these issues. You will need to open an Issue on the Issue Tracker so we can work with you otherwise nothing will happen with your posts. Understand the logic of having one place to post Issues and Pull Requests on Github that are interlinked.

We won't be able to properly react here and modify any code which you submit. The forum is not the correct place. I will ask to lock this thread now so you can proceed further on the Issue Tracker which is the correct place for this discussion from now onward I believe.

Leo 8)

TomRivers
Joomla! Apprentice
Posts: 22
Joined: Mon Aug 29, 2016 6:56 pm

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by TomRivers » Thu Sep 01, 2016 2:52 am

leolam wrote:This is not the place to post these issues.
Do you believe what I've been trying to tell you and David now? I have to be honest it's been very frustrating trying to get you two to listen to what I have been trying to say. Add to that the fact my post in the Security Forum was deleted without notice or explanation and I think you can see why I haven't been feeling the love.

I hope now you understand why I didn't want to give up and why I am continuing to try to help improve the product in good faith.

TomRivers
Joomla! Apprentice
Posts: 22
Joined: Mon Aug 29, 2016 6:56 pm

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by TomRivers » Thu Sep 01, 2016 1:29 pm

Since this post has been moved from the Installation Forum to the Bug Reporting Forum, I'm going to assume that I have finally convinced all the nay-sayers that this is a legitimate issue. That's good, because I would really like to install Joomla and I'm not about to remove the password for root in order to make the Web Installer get past square one.

I have done some additional testing since last night by substituting my newly created Joomla database credentials as the defaults in the libraries/joomla/database/driver/mysqli.php and libraries/joomla/database/driver/pdo.php files but that only suppresses the errors in the logs - I am still stuck on Step 1. I am willing to do the work to help fix this, but it would be a big help if someone could point me in the right direction.

For the short term, the fix could be to bypass whatever it is that is not allowing me to progress to Step 2. Once there, the database credentials can be entered and the installation can proceed. In order to do that, I need to have some details on what code is executing up until that point. If someone could post the modules involved and a quick summary of the execution sequence, I'll get to work right away. If that's not possible, then a link to any documentation that would cover that part of the process as specifically as possible would be great.

Thanks!

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Web Installer Defaulting to "root" with No Password - Fresh Install

Post by leolam » Thu Sep 01, 2016 2:47 pm

You have been asked to open an Issue on the Tracker by all involved including Robert Deutz in PMB (PLT-Member). We do not acknowledge this is a bug but we have opened up for you. However you seem to be reluctant to proceed common Joomla practice as requested here and in Private Messages. That is regretful.

We can do now 2 things.... You keep 'trolling' (and I start considering your replies here as such) on the forums and we will certainly block your entries here or even ban you or you concur to the requests by many people here on the forums in public and/or private messages to open an issue on the Tracker.

Now open an Issue on this Tracker and stop posting your (non-productive) comments here and be helpful or get the consequences of being considered a troll?

Leo 8)


Locked
