LinuxQuestions.org
Old 11-04-2011, 09:38 PM   #1
sneakyimp
Member
 
Registered: Dec 2004
Posts: 791

Rep: Reputation: 49
need clean, secure installation of phpmyadmin


I have an Ubuntu 10.04 server that I've taken great pains to set up securely and I would like to install phpMyAdmin on this machine to allow me to administer MySQL databases. I have run this:
Code:
apt-get install phpmyadmin
and I'm not entirely pleased with the behavior of the Ubuntu package install for a few reasons:
1) The install process asked whether I wanted to use dbconfig-common with phpMyAdmin without telling me what the ramifications might be. As I already had my database functioning, I chose not to.
2) phpMyAdmin is configured for plain old HTTP (rather than HTTPS) access. It is critical that all interactions with phpMyAdmin be served via HTTPS.
3) Trying to access phpmyadmin at the default location (which I believe is http://www.mydomain.com/phpmyadmin) results in a 403/Forbidden response from my server. This is either because there's a problem in the newly installed file /etc/apache2/conf.d/phpmyadmin.conf (which is actually a symbolic link to /etc/phpmyadmin/apache.conf) or perhaps I have some other conflicting configuration.
4) The install results in a phpmyadmin/setup url which is not adequately explained in the documentation (/usr/share/doc/phpmyadmin/Documentation.html). I don't really understand what this setup script will do and wonder if it's necessary.
5) The package install results in a lot of files in the bin folder:
/usr/sbin/pma-configure
/usr/sbin/pma-secure
/usr/sbin/dbconfig-generate-include
/usr/sbin/dconfig-load-include


If anyone has any tips or heuristic guidelines to achieve the following, I'd love to hear about it:
1) phpmyadmin only accessible via HTTPS
2) phpmyadmin requires login using MySQL user and credentials
3) phpmyadmin configuration is as simple as possible and does not install binaries I will never use
4) phpmyadmin is *secure*.
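A check for the four goals above, added here as an example and not from the thread: it probes the server with Python's standard library and compares what it gets against what each goal implies (plain HTTP never answers 200, HTTPS without credentials answers 401, with credentials 200, and the libraries and setup directories are refused). The host name, user name and password are placeholders to replace; the /phpmyadmin path and the subdirectory names are the ones from the package's apache.conf. It assumes HTTP Basic auth in front of phpMyAdmin (Apache auth), not phpMyAdmin's own login form.

```python
"""Probe a phpMyAdmin deployment for: HTTPS only, login required, internal
directories not served. Added example, not from the thread. The host, user
and password are placeholders; the paths come from the package's apache.conf.
Assumes HTTP Basic auth in front of /phpmyadmin (Apache auth, not
phpMyAdmin's own login form)."""
import base64
import ssl
import sys
import urllib.error
import urllib.request

# What each goal implies for a given request. A set of acceptable codes,
# because plain HTTP may be redirected (301/302) or refused (403/404); any
# 2xx over plain HTTP, or a 200 over HTTPS without credentials, is a failure.
POLICY = {
    ("http",  "/phpmyadmin/",           False): {301, 302, 403, 404},
    ("https", "/phpmyadmin/",           False): {401},
    ("https", "/phpmyadmin/",           True):  {200},
    ("https", "/phpmyadmin/libraries/", True):  {403},  # Deny from All wins even when logged in
    ("https", "/phpmyadmin/setup/",     False): {401, 403},
}


def verdicts(observed):
    """observed maps (scheme, path, with_credentials) -> HTTP status code,
    or None when no connection could be made. Returns the list of violated
    expectations; an empty list means every goal holds."""
    failures = []
    for key, acceptable in POLICY.items():
        scheme, path, with_creds = key
        status = observed.get(key)
        if status is None and scheme == "http":
            continue  # nothing listening on port 80 also means "not served over HTTP"
        if status not in acceptable:
            failures.append(
                f"{scheme}://HOST{path} creds={with_creds}: got {status}, "
                f"expected one of {sorted(acceptable)}"
            )
    return failures


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 301/302 as the status instead of following it, so a plain-HTTP
    redirect to HTTPS is observed as a redirect, not as the HTTPS result."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(url, creds=None, verify_tls=True):
    """GET url and return the HTTP status code (None if the connection fails)."""
    req = urllib.request.Request(url, method="GET")
    if creds:
        token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a self-signed certificate on a test box
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(NoRedirect(), urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def audit(host, creds, verify_tls=True):
    """Run every request in POLICY against host and return the failures."""
    observed = {}
    for scheme, path, with_creds in POLICY:
        url = f"{scheme}://{host}{path}"
        observed[(scheme, path, with_creds)] = fetch_status(
            url, creds if with_creds else None, verify_tls)
    return verdicts(observed)


if __name__ == "__main__":
    # usage: python pma_audit.py www.example.com USER PASSWORD   (all placeholders)
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    creds = tuple(sys.argv[2:4]) if len(sys.argv) > 3 else ("pma-user", "CHANGE-ME")
    problems = audit(host, creds)
    print("all goals hold" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

Run it against the server after the configuration is in place; a non-zero exit with the list of violated expectations tells you which goal is not met. The 401/403 split matters: Apache runs the host access check before Basic auth, so the libraries directory answers 403 even to a logged-in user, while the main directory must answer 401 to anyone without credentials.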
 
Old 11-05-2011, 03:52 AM   #2
j-ray
Senior Member
 
Registered: Jan 2002
Location: germany
Distribution: ubuntu
Posts: 1,413

Rep: Reputation: 99
2) is a server question. You have to setup a virtual host running on https that provides access to phpmyadmin.

3) Try to add "index.php" to the url. If that works, the 403 error results from a missing directive in the httpd.conf regarding <Directory>. You have to set Options +Index in that tag.

4) Run that script. It will ask for a couple of pieces of info that it needs for db access...
 
1 members found this post helpful.
Old 11-05-2011, 03:26 PM   #3
sneakyimp
Member
 
Registered: Dec 2004
Posts: 791

Original Poster
Rep: Reputation: 49
2) I've begun working on an HTTPS directive in the file /etc/apache2/sites-available/default-ssl. The code below is what I have currently inside the _default_:443 VirtualHost section:
Code:
        Alias /pma /usr/share/phpmyadmin

        <Location /pma>
                AuthUserFile /var/www/.htpasswd
                AuthName "phpMyAdmin"
                AuthType Basic
                require valid-user
                Order deny,allow
                #    Deny from all
                Allow from 127.0.0.1
                Allow from ::1
                # Allow from .example.com
        </Location>
However, this is considerably simpler than the phpmyadmin.conf installed by apt-get:
Code:
$ cat /etc/apache2/conf.d/phpmyadmin.conf
# phpMyAdmin default Apache configuration

Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
        Options FollowSymLinks
        DirectoryIndex index.php

        <IfModule mod_php5.c>
                AddType application/x-httpd-php .php

                php_flag magic_quotes_gpc Off
                php_flag track_vars On
                php_flag register_globals Off
                php_value include_path .
        </IfModule>

</Directory>

# Authorize for setup
<Directory /usr/share/phpmyadmin/setup>
    <IfModule mod_authn_file.c>
    AuthType Basic
    AuthName "phpMyAdmin Setup"
    AuthUserFile /etc/phpmyadmin/htpasswd.setup
    </IfModule>
    Require valid-user
</Directory>

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/libraries>
    Order Deny,Allow
    Deny from All
</Directory>
<Directory /usr/share/phpmyadmin/setup/lib>
    Order Deny,Allow
    Deny from All
</Directory>

3) Adding index.php to the url doesn't help. http://www.mydomain.com/phpmyadmin/index.php still gives "forbidden 403".

4) When you say "run that script", do you mean visit it in a browser? If that's what you mean, then I have, and as far as I can tell this allows one to change the phpmyadmin settings (blowfish secret, etc.) in a browser and requires that apache have write access to a particular folder. This runs contrary to my desire for security and I'd rather just change configuration settings via ssh if possible. Is it safe to remove this setup directory?

5) What about all the extra executables in /usr/sbin? Are they required by phpmyadmin?
 
Old 11-05-2011, 04:41 PM   #4
sswuste
LQ Newbie
 
Registered: Nov 2011
Posts: 10

Rep: Reputation: Disabled
Quote:
Originally Posted by sneakyimp View Post
3) Adding index.php to the url doesn't help. http://www.mydomain.com/phpmyadmin/index.php still gives "forbidden 403".
Does your webserver log file not tell you why it is showing a 403?
 
Old 11-05-2011, 05:13 PM   #5
sneakyimp
Member
 
Registered: Dec 2004
Posts: 791

Original Poster
Rep: Reputation: 49
Quote:
Originally Posted by sswuste View Post
Does your webserver log file not tell you why it is showing a 403?
It does...

Code:
 client denied by server configuration: /usr/share/phpmyadmin
client denied by server configuration: /usr/share/phpmyadmin/index.php
But that doesn't exactly tell us much.
 
Old 11-05-2011, 05:25 PM   #6
sswuste
LQ Newbie
 
Registered: Nov 2011
Posts: 10

Rep: Reputation: Disabled
I think you do not allow your webserver to browse that directory.

Look in your httpd.conf file and see if your directory is in something like this:

<Directory "/var/www">
Order allow,deny
Allow from all
</Directory>


So in your case:

<Directory "/usr/share/phpmyadmin">
Order allow,deny
Allow from all
</Directory>
 
Old 11-09-2011, 12:42 PM   #7
sneakyimp
Member
 
Registered: Dec 2004
Posts: 791

Original Poster
Rep: Reputation: 49
I looked in the file /etc/apache2/sites-enabled/000-default and saw this:
Code:
#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
    Options -Indexes FollowSymLinks
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>
This looks to be security-related and it's my assumption that this is what prevents access to the /usr/share/phpmyadmin directory.

So I've cleaned up my apache configuration.

I removed the phpmyadmin.conf:
Code:
rm /etc/apache2/conf.d/phpmyadmin.conf
I edited /etc/apache2/sites-available/default-ssl and added this bit to the end of the VirtualHost directive for _default_:443.
Code:
        Alias /phpmyadmin /usr/share/phpmyadmin
        <Directory /usr/share/phpmyadmin>
                Options FollowSymLinks
                # overrides security restriction
                Order allow,deny
                allow from all
                DirectoryIndex index.php

                <IfModule mod_php5.c>
                        AddType application/x-httpd-php .php

                        php_flag magic_quotes_gpc Off
                        php_flag track_vars On
                        php_flag register_globals Off
                        php_value include_path .
                </IfModule>
                <IfModule mod_authn_file.c>
                        AuthType Basic
                        AuthName "phpMyAdmin"
                        AuthUserFile /path/to/my/.htpasswd
                </IfModule>
                Require valid-user
        </Directory>
        # Disallow web access to directories that don't need it
        <Directory /usr/share/phpmyadmin/libraries>
                Order Deny,Allow
                Deny from All
        </Directory>
        <Directory /usr/share/phpmyadmin/setup/lib>
                Order Deny,Allow
                Deny from All
        </Directory>
I now have access to phpmyadmin via HTTPS and it's protected by apache auth. It is not accessible via HTTP which is great.
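Why the root <Directory /> produced the 403 and why the replacement block in the post above lifts it comes down to how Apache 2.2 evaluates Order, Allow from and Deny from. The script below, added here as an example and not from the thread, implements the documented 2.2 rules for one section and runs them over the directive sets shown in posts #3, #6 and #7 against a constructed remote address and localhost. It also shows a caveat for the <Location /pma> block in post #3: with Order deny,allow and the Deny from all line commented out, the Allow from 127.0.0.1 lines restrict nothing, because any client that matches no Deny is allowed. Merging across nested sections, Satisfy and the Basic auth layer are not modelled; feed it the directives that end up applying to the directory.

```python
"""Evaluate Apache 2.2 Order / Allow from / Deny from directives for a client
address. Added example, not from the thread. Models the documented 2.2 rules
for the directives in effect on one section; merging of nested sections,
Satisfy and authentication are not modelled. Section bodies and client
addresses below are constructed from the directives shown in the posts."""
import ipaddress


def _matches(rule, client_ip):
    """True when an Allow/Deny argument covers client_ip. Handles 'all',
    single addresses and CIDR networks; host names are not resolved here."""
    rule = rule.strip().lower()
    if rule == "all":
        return True
    try:
        net = ipaddress.ip_network(rule, strict=False)
    except ValueError:
        return False
    addr = ipaddress.ip_address(client_ip)
    return addr.version == net.version and addr in net


def parse_section(text):
    """Pull Order, Allow from and Deny from out of a section body.
    Lines starting with '#' are comments, as in httpd.conf.
    Returns (order, allow_rules, deny_rules); Order defaults to Deny,Allow
    as it does in Apache 2.2."""
    order, allows, denys = "deny,allow", [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "order" and len(parts) > 1:
            order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            (allows if key == "allow" else denys).extend(parts[2:])
    return order, allows, denys


def host_allowed(order, allows, denys, client_ip):
    """Apache 2.2 mod_authz_host rules:
      Deny,Allow     -> allowed unless a Deny matches and no Allow matches (default: allow)
      Allow,Deny     -> allowed only if an Allow matches and no Deny matches (default: deny)
      Mutual-failure -> same outcome as Allow,Deny"""
    allowed = any(_matches(r, client_ip) for r in allows)
    denied = any(_matches(r, client_ip) for r in denys)
    if order == "deny,allow":
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):
        return allowed and not denied
    raise ValueError(f"unknown Order argument: {order!r}")


# <Directory /> from 000-default: the source of "client denied by server configuration"
ROOT_DEFAULT = """
    Order Deny,Allow
    Deny from all
"""
# <Directory /usr/share/phpmyadmin> as rewritten in post #7 (and suggested in post #6)
PMA_FIXED = """
    Order allow,deny
    allow from all
"""
# <Location /pma> from post #3, with the Deny from all line commented out
PMA_LOCATION_POST3 = """
    Order deny,allow
    #    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
"""
# The same block with Deny from all in effect: now only localhost gets through
LOCALHOST_ONLY = """
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
"""


def decide(section_text, client_ip):
    """Convenience wrapper: parse a section body and evaluate it for one client."""
    return host_allowed(*parse_section(section_text), client_ip)


if __name__ == "__main__":
    remote, local = "203.0.113.5", "127.0.0.1"  # constructed client addresses
    for name, text in [("root default", ROOT_DEFAULT), ("post #7 fix", PMA_FIXED),
                       ("post #3 Location", PMA_LOCATION_POST3), ("localhost only", LOCALHOST_ONLY)]:
        print(f"{name:18} remote={decide(text, remote)!s:5} localhost={decide(text, local)}")
```

The practical reading: Order allow,deny with Allow from all reopens a directory that the root section closed, and if you later want the phpMyAdmin directory reachable only from particular addresses, the Deny from all line has to be present alongside the Allow lines or the restriction is not applied.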
 
  


Tags
phpmyadmin, phpmyadmin-over-ssl, pma, ssl

