LinuxQuestions.org
Old 12-16-2004, 02:36 AM   #1
mr_dizzle
Newbie
 
Registered: Oct 2003
Posts: 27

Rep: Reputation: 15
phpMyAdmin Security Issue


i'm not sure if this is the right area to post.

i am not using any panel to create sites for customers (done by hand).

in order to give them phpMyAdmin, i simply copy the phpadmin directory from an existing site and then edit config.inc.php and change the DB Name, DB username and DB password.

in order to protect http://theirdomain.com/phpadmin, i drop an .htaccess file in that directory to protect from the public.

there are 2 issues i am having.

1) once they get in to phpMyAdmin, if they click on the "databases" link from the main page, it shows them all of the DB's on the box and they are able to do whatever they want to them.

2) this has less of a chance of happening but, if they edit the config.inc.php file and leave the DB Name blank then they can see all the DB's on the box in the left panel as soon as they login.


how can i lock users to view only the DB's that they have rights to?

i am using webmin to create the DB's and use webmin to set the permissions.
 
Old 12-17-2004, 01:34 PM   #2
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 66
The best way to fix this would be to remove the .htaccess file and the login credentials from the config file and set phpMyAdmin up as a multi user installation using http authentication - see the phpMyAdmin docs for info:
http://www.phpmyadmin.net/documentation/#controluser
 
Old 12-28-2004, 01:48 AM   #3
mr_dizzle
Newbie
 
Registered: Oct 2003
Posts: 27

Original Poster
Rep: Reputation: 15
this is exactly what i ended up doing. took the database name and user/pass out of config.inc.php and put just one copy of phpMyAdmin on the server. i set config.inc.php to use http auth. i then dropped an .htaccess file in the phpMyAdmin directory and set up the .htpasswd file to have the customers' DB username/password. so now when they enter their DB user/pass in to .htaccess, it lets them in but only shows them the DB's that are permissible with that user/pass.
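
Added for illustration and not part of the thread: the per-site `config.inc.php` from post #1 beside the single shared install with HTTP authentication that posts #2 and #3 describe. Account, database and password values are constructed, and mapping the poster's "DB Name" to `only_db` is an assumption.

```php
<?php
// Added example, not the posters' own file. All names/values are constructed.
$i = 0;

/* BEFORE: one phpMyAdmin copy per customer, credentials stored in the file.
 * Anyone who gets past the directory protection acts as this MySQL account,
 * and what they can reach is whatever that account has been granted.
 *
 * $i++;
 * $cfg['Servers'][$i]['host']      = 'localhost';
 * $cfg['Servers'][$i]['auth_type'] = 'config';
 * $cfg['Servers'][$i]['user']      = 'customer1';
 * $cfg['Servers'][$i]['password']  = 'stored-in-plain-text';
 * $cfg['Servers'][$i]['only_db']   = 'customer1_db'; // only filters the list;
 *                                                    // it is not an access control
 */

/* AFTER: one shared install, no customer credentials on disk.
 * With auth_type 'http' phpMyAdmin asks the browser for a user name and
 * password and logs in to MySQL with exactly those, so every customer
 * works under their own MySQL account. */
$i++;
$cfg['Servers'][$i]['host']      = 'localhost';
$cfg['Servers'][$i]['auth_type'] = 'http';
$cfg['Servers'][$i]['user']      = '';   // left empty on purpose
$cfg['Servers'][$i]['password']  = '';   // left empty on purpose
$cfg['Servers'][$i]['only_db']   = '';   // visibility now follows MySQL grants

// Control account from the docs section linked in post #2 (placeholder values).
$cfg['Servers'][$i]['controluser'] = 'pma_control';
$cfg['Servers'][$i]['controlpass'] = 'CHANGE_ME';

/* The isolation itself lives in MySQL, not in this file. Per customer,
 * grant on that customer's schema only and check the result:
 *
 *   GRANT ALL PRIVILEGES ON customer1_db.* TO 'customer1'@'localhost';
 *   SHOW GRANTS FOR 'customer1'@'localhost';
 *
 * The SHOW GRANTS output should list nothing on *.* except USAGE. An account
 * holding privileges on *.* sees and can change every database, whichever
 * auth_type phpMyAdmin uses.
 */
```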
 
  

