Hi Tobias!
Well I'm afraid I have to tell you this bug has already been reported
and fixed a long time ago in the cvs tree ;)
Anyway thanks for the report.
BTW there are many problems with links in the phpWizard forum, and so
most users now post their messages in it at least twice.
Not so fine...
Loïc
______________________________________________________________________________
ifrance.com, the most complete free e-mail service on the Internet!
your e-mails from a browser, via POP3, on Minitel, on WAP...
http://www.ifrance.com/_reloc/email.emailif
Hi again!
>How about allowing an environment variable such as
>PMAMULTICONFIG that specifies what config_*.inc.php3 file
>should be used? That way multiple config files can be supported
>under the same codebase and the config file could be specified
>with SetEnv or in the Web Properties of whatnot.
Most of the time the "SetEnv" function is disabled on shared servers,
isn't it?
Loïc
Hello,
there is a bug in the current release of phpMyAdmin (2.2.0-final) when
inserting a string containing "++". The "++" will get stripped out.
-Tobias
>I mean the SetEnv Apache directive, not the putenv() PHP function.
Ouch, sorry... as usual I misread the message :o
But I'm not sure many ISPs allow their users to play with such a
directive... Moreover I'm not sure "all" other server software knows this
directive.
Loïc
Hi Geert!
To get the available databases for a user from MySQL you may use
the "SHOW GRANTS" statement. But:
1) it's available since 3.23 only (the implementation before this release is
buggy)
2) this statement does not seem to return the dbs available to the
"anonymous" user, while each user may use these dbs.
Loïc
Hi Loïc,
> Do you mean you use "only_db" to skip to stuffs to get the
> table list?
> You don't rely on this feature as a way to define access rights
> to your MySQL server, isn't it?
No, rights are for mysql, no doubts in my head ;-)
BUT,
1) in advanced auth, 'only_db' can be an array of dbs, so if rights are correctly
set and 'only_db' too: I'm not sure I'm getting the problem?!
2) much more important: in virtual hosting, you can't change mysql parameters:
it's not advanced auth, but the 'only_db' feature is really important in real
life use of Pma in such environments.
Advanced auth is really getting a difficult problem (bookmark, only db...):
maybe the config.inc.php3 should be split in two, with a
config_multi-user.inc.php3 that is much cleaner, maybe smarter and easier to administer.
Alain.
Hi Ignacio!
>It has always been the sysadmin's job to maintain security. Any one who
>is not doing that should be fired for gross incompetence (my opinion, of
>course).
Right, but I still don't know what your opinion is about the
'only_db' setting ;)
>How about this:
>"*** NOTE: phpMyAdmin does not apply any special security methods to the
>MySQL database server. It is still the sysadmin's job to grant permissions on
>the MySQL databases properly.
Fine :) I'll add this to the doc tonight. Thanks for the help.
Loïc
Hi All!
First problem:
--------------
Let's say you have such a config :
$cfgServers[1]['host'] = 'my_host';
...
$cfgServers[1]['adv_auth'] = TRUE;
$cfgServers[1]['stduser'] = 'user1';
$cfgServers[1]['stdpass'] = 'passwd1';
...
$cfgServers[1]['only_db'] = '';
...
$cfgServers[2]['host'] = 'my_host';
...
$cfgServers[2]['adv_auth'] = TRUE;
$cfgServers[2]['stduser'] = 'user2';
$cfgServers[2]['stdpass'] = 'passwd2';
...
$cfgServers[2]['only_db'] = 'db2';
...
Then you would be shown the server choice with two options
in the starting right frame.
Let's say you are user2.
Since both $cfgServers arrays use the same host and you have
MySQL rights to access it, you may choose to log in to $cfgServers[1].
And then you may easily skip the 'only_db' setting.
Moreover, if you log in to $cfgServers[2] the left frame will display
only the 'db2' database. Fine... but if you have access rights to
other dbs on this server you are able to run queries on these dbs.
An easy fix for the first problem would be to ensure the valid
$cfgServers entry is used, thanks to $cfgServers[i]['stduser'], once the
authentication is passed. But with Marc (and thanks to a suggestion
from Piotr) we're working on a version that no longer needs the login
and password to be stored in the config. file if advanced
authentication is used. This would greatly improve security.
In a few words, I wonder if the 'only_db' setting is really useful.
And I'm also afraid of how dangerous it could be: I discussed with ISP
webmasters at the beginning of this week and some of them just use
the 'only_db' setting without worrying too much about MySQL grants!
They presumed phpMyAdmin more or less handles the database access
rights, since the 'only_db' setting is not well documented or not
documented enough.
Second problem:
--------------
In the discussions I've had, I've also faced another problem that
seems widespread enough to be reported: some of the webmasters have
had a deeper (even if not deep enough) look at the MySQL privileges
system and at the phpMyAdmin login procedure. They have then
understood that if a user does not have the global "select"
privilege, PMA tries to build the databases list from the "mysql.db"
table. So they set up some global privileges but not the "select" one
for each user and just define the "SELECT" one for relevant databases in
"mysql.db".
This way only databases with the "SELECT" grant are displayed in the
left frame of course, but each user is allowed to use the other ones.
For example if the global "DROP" privilege is set to "Y", any user is
able to drop... the "mysql" db even if it's not displayed in the left
frame!
We should really add some words about security in the documentation
and emphasize the words "phpMyAdmin does not handle rights itself, it
only uses MySQL ones"... and my English is not fluent enough to do
it myself.
Regards,
Loïc
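Both problems in the message above, and the earlier question about listing a user's databases with "SHOW GRANTS", come down to the MySQL grant tables rather than to anything phpMyAdmin can enforce. The following is an added example, not code from the phpMyAdmin project or from anyone in this thread: it first sets up the weak grant layout from the "second problem" (every global privilege except SELECT, with SELECT handed out per database through mysql.db), then replaces it with a layout that actually confines the account to its database, and finishes with the checks a practitioner would run, including a direct look at the anonymous-user rows that SHOW GRANTS does not report. The account name 'user2'@'localhost', the password 'passwd2' and the database db2 are assumptions taken from the config fragment above; the statements use the GRANT/REVOKE syntax available in MySQL 3.22/3.23 and later.

```sql
-- Added example (not phpMyAdmin code). Assumed names: 'user2'@'localhost',
-- password 'passwd2', database db2. Run as an account holding GRANT OPTION.

-- 1. The weak layout described in the thread: global privileges for
--    everything except SELECT, and SELECT granted only on db2 (mysql.db row).
GRANT INSERT, UPDATE, DELETE, CREATE, DROP ON *.*
    TO 'user2'@'localhost' IDENTIFIED BY 'passwd2';
GRANT SELECT ON db2.* TO 'user2'@'localhost';

-- With no global SELECT, phpMyAdmin builds the left frame from mysql.db and
-- shows db2 only. Hiding a database is not a restriction, though: the global
-- privileges above still let user2 run either of these against any database
-- (kept as comments so the example is safe to paste into a live server):
--   DROP DATABASE mysql;
--   DELETE FROM mysql.user;

-- 2. The scoped layout: no privileges on *.* at all, everything on db2.*.
--    'only_db' then remains purely a display setting, which is all it is.
REVOKE INSERT, UPDATE, DELETE, CREATE, DROP ON *.* FROM 'user2'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER
    ON db2.* TO 'user2'@'localhost';

-- 3. Checks. GRANT and REVOKE take effect immediately; FLUSH PRIVILEGES is
--    only needed after editing the mysql.* tables by hand.
SHOW GRANTS FOR 'user2'@'localhost';
-- Expect exactly two lines: GRANT USAGE ON *.* (no real global privilege)
-- and the GRANT ... ON db2.* line. Any other privilege on *.* is a finding.

-- SHOW GRANTS lists one named account. A mysql.db row with an empty User
-- column applies to every user connecting from that Host, and mysql.user
-- rows with an empty User are the anonymous login accounts, so inspect them
-- directly. Every 'Y' here is reachable without being visible in phpMyAdmin.
SELECT Host, Db, User, Select_priv, Insert_priv, Drop_priv
    FROM mysql.db WHERE User = '';
SELECT Host, User, Select_priv, Insert_priv, Drop_priv
    FROM mysql.user WHERE User = '';
-- Remove rows that are not intended, e.g.:
--   DELETE FROM mysql.db WHERE User = '';
--   DELETE FROM mysql.user WHERE User = '';
--   FLUSH PRIVILEGES;   -- required here because the tables were edited directly
```

The first problem in the message (two $cfgServers entries for the same host, so user2 can pick the entry without 'only_db') cannot be fixed on the MySQL side, but it also stops mattering once the grants look like step 2: whichever entry the user logs in through, the server itself refuses anything outside db2.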
Hi List!
I'm currently fixing the bugs with advanced authentication. I'm
afraid this requires some important changes, but it's required :(
I need your opinion on one point: who should be shown
the "show variables" and "show processlist" in the main right
frame? Super-users only (i.e. those who can use the "mysql" db)?
Those who do not have "only_db" set (but may have
some restrictions associated with the mysql priv. system)? All users?
Thanks for your advice,
Loïc
Sorry - the message below was caught in the moderation filter - I'll just
post it again :-)
Kind regards
Geert Lund
----- Original Message -----
From: "Geert Lund - SilverSoft Productions" <glund(a)silversoft.dk>
To: <phpmyadmin-devel(a)lists.sourceforge.net>
Sent: Thursday, October 04, 2001 8:58 PM
Subject: Fw: [Phpmyadmin-users] Disney & more
> As shown below - I've just mailed Jo Ann and asked to stop spam mailing...
>
> I also tried to call the phone number supplied on the webpage - but
> unfortunately it was a voicemail system, so there was nothing to do with
> that.
>
> But I hope that the spam stops - else we may have to consider moderated
> mailing lists (but hopefully we can stop spam-mail as it looks like an
> individual person spamming - for the time being).
>
> Just to let you know :-))
>
> Spam is not tolerated!!
>
> --
> Kind regards
> Geert Lund
>
> ----- Original Message -----
> From: "news-service" <news-service(a)int.tele.dk>
> To: <joaharkins(a)aol.com>
> Sent: Thursday, October 04, 2001 8:50 PM
> Subject: RE: [Phpmyadmin-users] Disney & more
>
> > Hello Jo Ann.
> >
> > I have to - once and for all - ask you to STOP spam-mailing the phpMyAdmin Users
> > mailing list (and for that matter - also the phpMyAdmin-devel list) - if I see
> > as much as one posting from you again in these lists - I'll file a formal
> > complaint against you to AOL.com and request that your account is shut down.
> >
> > And don't think that it's just a threat - I'm working in the abuse and
> > security department at the largest Internet Service Provider, ISP - in
> > Denmark and we have good connections to the abuse department at AOL.com and
> > you _will_ be shut down!
> >
> > So, please, do us all a favour and keep your spam (that's: unwanted bulk
> > e-mail) off our mailing lists...
> >
> > --
> > Kind regards
> > Geert Lund,
> > System Developer,
> > TDC Internet A/S - http://www.teledanmark.dk/
> >
> > ----- Original Message -----
> > From: <joaharkins(a)aol.com>
> > To: <phpmyadmin-users(a)lists.sourceforge.net>
> > Sent: Thursday, October 04, 2001 8:33 PM
> > Subject: [Phpmyadmin-users] Disney & more
> >
> > > Celebrate Disney's 100th birthday, with Disney Collectables at discounted
> > > prices!
> > > www.josdiscountstore.com