Re: [cobalt-users] Re: phpMyAdmin multi-user

["Steve Werby" <steve-lists@xxxxxxxxxxxx>]

"Brent Sims" <bs@xxxxxxxxxxx> wrote:
> On Thu, 30 Aug 2001, Steve Werby wrote:
>
> } Brent and others, it's trivial in *modern* versions of phpMyAdmin to
> } configure the software to only allow users to access (and view the names
of)
> } databases for which they have privileges.
>
> Hi Steve,
>
> I'm sorry but preventing someone from viewing the database
> names is not quite trivial. Not looking for a fight. Should have
> kept my mouth shut as I don't have time for this kind of thing but
> I just can't let this one slide by.

Not to worry Brent, I'm not looking for a fight either.  Like you, I've been
active on these lists for some time and I've come to respect your opinions.
Re-read below the line of yours I took issue with.  Then re-read the line of
mine above you quoted.

Brent> Every installation of phpmyadmin that I've done, and I've
Brent> done a few hundred installations, could see all of the
Brent> databases hosted on the server.

So you see that you said you've done hundreds of phpMyAdmin installations
where all of the database names were visible.  I simply pointed out that it
is possible (and IMHO) quite trivial to avoid that behavior and I maintain
it's trivial because the means for doing so are clearly described and
stronly suggested in the documentation for phpMyAdmin.  Perhaps I should
have added "through phpMyAdmin" to the end of my statement.  I never meant
to suggest that following my sugggestion would prevent access through other
software.

> I just installed phpmyadmin 2.2.0 - the latest version
> according to the information on the web site. The install was down
> and dirty - I simply stuffed a valid user name and password into
> applicable fields in the config file and pointed a browser at it.
> While it did indeed limit me to only viewing the databases for which
> the user name and password I used were granted privileges to it
> still provided all of the clues one needs to obtain a list of
> databases. I simply cut and pasted the information displayed on one
> of the phpmyadmin screens to another script which I just downloaded
> from cgi-resources.com and there I was - looking at a list of the
> databases hosted on our mysql server - all without shell access.

Interesting.  Care to share how to find the info. you are referring to?  I'm
sure others would be interested as well.  I think we're both right, Brent.
As you recall, the original poster was trying to find out how to prevent
users from seeing the full list of databases in phpMyAdmin.  You suggested
it can't be done without manually specifying the specific DBs to display.  I
suggested it could be done and done in a much simpler way.  I never said
that access to the list of DBs couldn't be achieved through other means.  In
fact, I said that it could be done by anyone with shell access.  Of course
what I really should have said is it can be achieved by anyone that can get
a hold of the MySQL root user password or the contents of the phpMyAdmin
file or the user/pwd for any MySQL user with SELECT privileges on the mysql
DB.

> Worse yet, perhaps, I left our original phpmyadmin
> installation in place and even though I was logged in to a
> non-privileged garden variety user account, well, let's just just
> say it's best to run PHP in the safe mode in a virtual hosting
> environment.

By default PHP is not configured with shared servers in mind.  Unless
configured properly MySQL users can have greater privileges than they
should.  If passwords are easy to guess then the privilege system is
useless.  And on and on.

> I'm not saying you don't know your business I just hate
> seeing people inadvertently (I know your intentions are good
> and that you are very clueful) lured into a false sense of security.

IMO you read too much into what I was trying to say.  If I did a poor job
communicating my apologies.

> I'm not a cracker. I don't even consider myself to be a knowledgeable
> system admin. I use FrontPage which, I am often told by those who
> know about this stuff than I do, tells the whole world that I'm
> entirely clueless... nevertheless, getting a list of database names
> was indeed trivial for this clueless old fart, and from the looks of
> things

I decided against making this argument before, but now I will.  As a server
admin I use strong passwords for MySQL users.  They're stored encrypted in
the database and though it's possible to eventually crack them, it will
likely take a very long time.  As such I see little risk in anyone knowing
the names of the databases on a server.  Though one might prefer the
database names not to be known, what is the harm if they are known?  Perhaps
users can find out the names of your other hosted sites if you name your
databases after them, but you can name the databases 'rybcekpd' if you want.
If this truely is a concern a server admin should do the following (among
other things):

1. Run PHP in safe_mode with open_basedir set, etc.
2. Do not allow shell access to the server or if you do then install and
force a shell that jails users.
3. Do not let users set passwords for system accounts and MySQL accounts.
4. Only allow access to MySQL from localhost or optionally control machine
access via ipchains.
5. Setup individual copies of phpMyAdmin for each site that needs it using
basic authentication and the user's MySQL user/pwd and a .htaccess file to
prevent others from accessing.

For the truely paranoid:

6. Install a new copy of MySQL for each user.  That means a new installation
running on a separate port.  This has other benefits as each install of
MySQL can be configured and optimized to suit the needs of the user.
7. Monitor and control the software that's installed on the server and stay
on top of all the latest publicized security exploits.

> unless PHP is running in the safe mode and phpmyadmin has
> been configured to use advanced authentication, getting at the
> databases themselves, very possibly even the root account on mysql,
> wouldn't take much more effort than getting the database names did.

Woah there, Brent!  We're all entitled to an opinion, but I consider that
unfounded speculation.  Your perception was that my comments suggested a
false sense of security and my perception is that your comments suggest the
opposite.  I enjoy the Cobalt lists b/c knowledgeable people like you and I
can have different opinions and discuss them in a civil manner.  If nothing
else, hopefully you, I and the rest of the list have learned something new
and can make educated decisions based on what we now know.  And I hope you
don't consider my reply a fight.  I'm simply providing additional info and
explanations and my own opinion.  I don't maintain that I'm all-knowing.
<g>

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/