need clean, secure installation of phpmyadmin

sneakyimp · 11-04-2011, 09:38 PM

I have an Ubuntu 10.04 server that I've taken great pains to set up securely and I would like to install phpMyAdmin on this machine to allow me to administer MySQL databases. I have run this:

Code:

apt-get install phpmyadmin

and I'm not entirely pleased with the behavior of the Ubuntu package install for a few reasons:
1) The install process prompted me to ask if I wanted to use dbconfig-common with phpMyAdmin without telling me what the ramifications might be. As I already had my database functioning, I chose not to.
2) phpMyAdmin is configured for plain old HTTP (rather than HTTPS) access. It is critical that all interactions with phpMyAdmin be served via HTTP
3) Trying to access phpmyadmin at the default location (which I believe is http://www.mydomain.com/phpmyadmin) results in a 403/Forbidden response from my server. This is either because there's a problem in the newly installed file /etc/apache2/conf.d/phpmyadmin.conf (which is actually a symbolic links to /etc/phpmyadmin/apache.conf) or perhaps I have some other conflicting configuration.
4) The install results in a phpmyadmin/setup url which is not adequately explained in the documentation (/usr/share/doc/phpmyadmin/Documentation.html). I don't really understand what this setup script will do and wonder if it's necessary.
5) The package install results in a lot of files in the bin folder:
/usr/sbin/pma-configure
/usr/sbin/pma-secure
/usr/sbin/dbconfig-generate-include
/usr/sbin/dconfig-load-include

If anyone has any tips or heuristic guidlines to achieve the following, I'd love to hear about it:
1) phpmyadmin only accessible via HTTPS
2) phpmyadmin requires login using MySQL user and credentials
3) phpmyadmin configuration is as simple as possible and does not install binaries I will never use
4) phpmyadmin is *secure*.

j-ray · 11-05-2011, 03:52 AM

2) is a server question. You have to setup a virtual host running on https that provides access to phpmyadmin.

3) Try to add "index.php" to the url. If that works the 403 error results in a missing directive in the httpd.conf regarding <Directory>. You have to set Options +Index in that tag.

4) run that script. It will ask a couple of infos that it needs for db access...

sneakyimp · 11-05-2011, 03:26 PM

2) I've begun working on an HTTPS directive in the file /etc/apache2/sites-available/default-ssl. The code below is what I have currently inside the _default_:443 VirtualHost section:

Code:

        Alias /pma /usr/share/phpmyadmin

        <Location /pma>
                AuthUserFile /var/www/.htpasswd
                AuthName "phpMyAdmin"
                AuthType Basic
                require valid-user
                Order deny,allow
                #    Deny from all
                Allow from 127.0.0.1
                Allow from ::1
                # Allow from .example.com
        </Location>

However, this is considerably simpler than the phpmyadmin.conf installed by apt-get:

Code:

$ cat /etc/apache2/conf.d/phpmyadmin.conf
# phpMyAdmin default Apache configuration

Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
        Options FollowSymLinks
        DirectoryIndex index.php

        <IfModule mod_php5.c>
                AddType application/x-httpd-php .php

                php_flag magic_quotes_gpc Off
                php_flag track_vars On
                php_flag register_globals Off
                php_value include_path .
        </IfModule>

</Directory>

# Authorize for setup
<Directory /usr/share/phpmyadmin/setup>
    <IfModule mod_authn_file.c>
    AuthType Basic
    AuthName "phpMyAdmin Setup"
    AuthUserFile /etc/phpmyadmin/htpasswd.setup
    </IfModule>
    Require valid-user
</Directory>

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/libraries>
    Order Deny,Allow
    Deny from All
</Directory>
<Directory /usr/share/phpmyadmin/setup/lib>
    Order Deny,Allow
    Deny from All
</Directory>

3) Adding index.php to the url doesn't help. http://www.mydomain.com/phpmyadmin/index.php still gives "forbidden 403".

4) When you say "run that script" do you mean visit it in a browser? If that's what you mean, then I have and as far as I can tell this allows one to change the phpmyadmin settings (blowfish secret, etc.) in a browser and requires that apache have write access to a particular folder. This runs contrary to my desire for security and I'd rather just change configuration settings via ssh if possible. Is it safe to remove this setup directory?

5) What about all the extra executables in /usr/sbin? Are they required by phpmyadmin?

sswuste · 11-05-2011, 04:41 PM

Quote:

Originally Posted by sneakyimp

3) Adding index.php to the url doesn't help. http://www.mydomain.com/phpmyadmin/index.php still gives "forbidden 403".

Does you webserver log file not tell you why it is showing a 403?

sneakyimp · 11-05-2011, 05:13 PM

Quote:

Originally Posted by sswuste

Does you webserver log file not tell you why it is showing a 403?

it does...

Code:

 client denied by server configuration: /usr/share/phpmyadmin
client denied by server configuration: /usr/share/phpmyadmin/index.php

But that doesn't exactly tell us much.

sswuste · 11-05-2011, 05:25 PM

I think you do not allow your webserver to browse that directory.

Look in your httpd.conf file and see if your directory is in something like this:

<Directory "/var/www">
Order allow,deny
Allow from all
</directory>

So in your case:

<Directory "/usr/share/phpmyadmin">
Order allow,deny
Allow from all
</directory>

sneakyimp · 11-09-2011, 12:42 PM

I looked in the file /etc/apache2/sites-enabled/000-default and saw this:

Code:

#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
    Options -Indexes FollowSymLinks
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>

This looks to be security-related and it's my assumption that this is what prevent access to the /usr/share/phpmyadmin directory.

So I've cleaned up my apache configuration.

I removed the phpmyadmin.conf:

Code:

rm /etc/apache2/conf.d/phpmyadmin.conf

I edited /etc/apache2/sites-available/default-ssl and added this bit to the end of the VirtualHost directive for _default_:443

Code:

        Alias /phpmyadmin /usr/share/phpmyadmin
        <Directory /usr/share/phpmyadmin>
                Options FollowSymLinks
                # overrides security restriction
                Order allow,deny
                allow from all
                DirectoryIndex index.php

                <IfModule mod_php5.c>
                        AddType application/x-httpd-php .php

                        php_flag magic_quotes_gpc Off
                        php_flag track_vars On
                        php_flag register_globals Off
                        php_value include_path .
                </IfModule>
                <IfModule mod_authn_file.c>
                        AuthType Basic
                        AuthName "phpMyAdmin"
                        AuthUserFile /path/to/my/.htpasswd
                </IfModule>
                Require valid-user
        </Directory>
        # Disallow web access to directories that don't need it
        <Directory /usr/share/phpmyadmin/libraries>
                Order Deny,Allow
                Deny from All
        </Directory>
        <Directory /usr/share/phpmyadmin/setup/lib>
                Order Deny,Allow
                Deny from All
        </Directory>

I now have access to phpmyadmin via HTTPS and it's protected by apache auth. It is not accessible via HTTP which is great.