configure phpmyadmin on debian sarge

cccc · 04-04-2006, 04:31 PM

hi

I have apache2 and phpmyadmin installed on debian sarge stable:

Code:

# dpkg -l | grep apache2
ii  apache2        2.0.54-5       next generation, scalable, extendable web se
ii  apache2-common 2.0.54-5       next generation, scalable, extendable web se
ii  apache2-doc    2.0.54-5       documentation for apache2
ii  apache2-mpm-pr 2.0.54-5       traditional model for Apache2
ii  apache2-utils  2.0.54-5       utility programs for webservers
ii  libapache2-mod 1.999.21-1     Integration of perl with the Apache2 web ser
ii  libapache2-mod 4.3.10-16      server-side, HTML-embedded scripting languag
# dpkg -l | grep phpmyadmin
ii  phpmyadmin     2.6.2-3sarge1  set of PHP-scripts to administrate MySQL ove
# dpkg -l | grep php4
ii  php4           4.3.10-16      server-side, HTML-embedded scripting languag
ii  php4-cli       4.3.10-16      command-line interpreter for the php4 script
ii  php4-common    4.3.10-16      Common files for packages built from the php
ii  php4-mysql     4.3.10-16      MySQL module for php4
ii  php4-snmp      4.3.10-16      SNMP module for php4

I have 5 different domains and 5 different virual servers pointed to these domains.
every domain should has its own mysql database and needs the access via phpmyadmin.

in /usr/share/phpmyadmin/config.inc.php I have the following authentication:

Code:

$cfg['Servers'][$i]['auth_type']     = 'http';      // Authentication method (config, http or cookie based)?
$cfg['Servers'][$i]['user']          = '';          // MySQL user
$cfg['Servers'][$i]['password']      = '';          // MySQL password (only needed
                                                    // with 'config' auth_type)
$cfg['Servers'][$i]['only_db']       = '';          // If set to a db-name, only

I've added in /etc/apache2/sites-enabled/000-default the following entries:

Code:

# Provide an alias to phpmyadmin
Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
        Order allow,deny
	allow from all
</Directory>

now every user, even root can access via phpmyadmin
and it doesn't matter which domain or ip address (I mean all domains pointed to my webserver) is in the browser.
howto prevent that ?
the user shuold access via phpmyadmin only using his own domain in the browser.

my second problem is howto block mysql admin (root) user on phpmyadmin
for a security reason ?