Re: [cobalt-users] Re: phpMyAdmin multi-user



"Brent Sims" <bs@xxxxxxxxxxx> wrote:
> On Thu, 30 Aug 2001, Jorge Otero wrote:
>
> } I remember a customer/friend alerting me (a couple of weeks ago) that he
> } could _see_ the names of all the databases. Only that he couldn't access
> } them or change them.
> }
> } I guess this means I need to change some settings, but where?
>
> Every installation of phpmyadmin that I've done, and I've done a few
> hundred installations, could see all of the databases hosted on the
> server. If those databases are properly configured (you didn't give
> any of your MySQL users file privileges, did you?) and if the user
> using a phpmyadmin installation does not have a password for any of
> the other databases that user will only be able to view the database
> names though.

Brent and others, it's trivial in *modern* versions of phpMyAdmin to
configure the software to only allow users to access (and view the names of)
databases for which they have privileges.  And it's covered in the
documentation file.  See $cfgServers[n]['adv_auth'].  In the config file you
simply need to specify the user/pwd for a user who can read the mysql DB's
user and db tables.  Then every user will be required to enter their
username and password upon accessing the software.  Yes, it's that simple.
I know because I've done it dozens of times.  <g>  Because I've done it a
lot it probably seems simpler to me than it did when I first did it so here
are some hints.

Create a MySQL user granted SELECT privileges in the 'user' table and on the
'db' table and allow the user to only have access from 'localhost' and only
to the 'mysql' db.  Use that user/pwd in the config file's standard user/pwd
section.  Set adv_auth to TRUE.  When you log in to phpMyAdmin supply the
MySQL username/pwd of any MySQL user.  If the user has privileges on 1 DB
that DB will be listed; if the user has privileges to 3 DBs then 3 DBs will
be listed; if the user is 'root' all DBs will be listed, and so forth.  Happy
MySQL administrating!

FYI, the config file is world-readable so any users with shell access will
be able to read it.  It hardly matters though since:

1. In most cases someone who uses phpMyAdmin will probably not have shell
access and/or will not know how to access the MySQL commandline.

2. If the user did gain access to MySQL they'll be able to do nothing more
than view the privilege system (essentially db names, users and encrypted
password) and if setup properly with good passwords there's little they'll
be able to do with that info.

These worries can be addressed as well, but are probably not worth the
hassle.  And I'm saying that as someone who's generally overly paranoid and
cautious with security matters.  If I'm wrong or not making much sense
forgive me.  I've been up since 3:45 AM and I'm entering the
trance-like-superhuman-yet-somewhat-delirious-phase.  <g>

HTH,

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
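The account setup described in Steve's message, written out as an added example (it is not from the original thread or from phpMyAdmin itself); the account name 'pma', the password placeholders and the sample customer database 'cust1' are assumptions:

```sql
-- Added example: the least-privilege "standard user" phpMyAdmin connects
-- as when adv_auth is enabled. Account name 'pma', the passwords and the
-- sample customer database 'cust1' are assumptions, not values from the thread.

-- 1. A read-only account that can see the privilege tables and nothing else.
--    Table-level SELECT on mysql.user and mysql.db only, reachable only from
--    localhost, so the credentials sitting in the world-readable config file
--    cannot be used to read or change customer data or to connect remotely.
GRANT SELECT ON mysql.user TO 'pma'@'localhost' IDENTIFIED BY 'CHANGE-ME';
GRANT SELECT ON mysql.db   TO 'pma'@'localhost';

-- 2. A sample customer account with rights on exactly one database.
--    With adv_auth on, this user is shown one database name in phpMyAdmin.
GRANT ALL PRIVILEGES ON cust1.* TO 'cust1'@'localhost' IDENTIFIED BY 'CHANGE-ME-TOO';

-- 3. Checks to run afterwards.
--    The phpMyAdmin account must hold no global privileges (every *_priv
--    column 'N'), in particular no FILE privilege, the risk Brent raises.
SELECT User, Host, Select_priv, File_priv, Grant_priv
  FROM mysql.user
 WHERE User = 'pma';

--    The lookup adv_auth relies on: which databases the logged-in user has
--    rights on. For 'cust1' this returns only the row 'cust1'.
SELECT Db
  FROM mysql.db
 WHERE User = 'cust1' AND Host = 'localhost';

--    Confirm the grants for 'pma' are table-level inside 'mysql' only.
SHOW GRANTS FOR 'pma'@'localhost';
```

The 'pma' credentials then go into the config file's standard user/password entries with $cfgServers[n]['adv_auth'] set to TRUE, as the message describes.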