On Thu, 11 Oct 2001, Loïc wrote:
Hi All!
First problem:
Let's say you have such a config :
$cfgServers[1]['host'] = 'my_host';
...
$cfgServers[1]['adv_auth'] = TRUE;
$cfgServers[1]['stduser'] = 'user1';
$cfgServers[1]['stdpass'] = 'passwd1';
...
$cfgServers[1]['only_db'] = '';
...

$cfgServers[2]['host'] = 'my_host';
...
$cfgServers[2]['adv_auth'] = TRUE;
$cfgServers[2]['stduser'] = 'user2';
$cfgServers[2]['stdpass'] = 'passwd2';
...
$cfgServers[2]['only_db'] = 'db2';
...
Then you would be shown the server choice with two options in the starting right frame.
Let's say you are user2. Since both the $cfgServers arrays use the same host and you have MySQL rights to access it, you may choose to log in to $cfgServers[1]. And then you may easily skip the 'only_db' setting. Moreover, if you log in to $cfgServers[2] the left frame will display only the 'db2' database. Fine... but if you have access rights to other dbs on this server you are able to run queries on these dbs.
An easy fix for the first problem would be to ensure that the valid $cfgServers entry is used, thanks to $cfgServers[i]['stduser'], once authentication has passed. But with Marc (and thanks to a suggestion from Piotr) we're working on a version that no longer needs the login and password to be stored in the config. file if advanced authentication is used. This would widely improve security.
In a few words, I wonder if the 'only_db' setting is really useful. And I'm also afraid of how dangerous it could be: I had discussions with ISP webmasters at the beginning of this week and some of them just use the 'only_db' setting without worrying too much about MySQL grants! They presumed phpMyAdmin more or less handles the database access rights, since the 'only_db' setting is not well documented or not documented enough.
It has always been the sysadmin's job to maintain security. Anyone who is not doing that should be fired for gross incompetence (my opinion, of course).
Second problem:
In the discussions I've had, I've also faced another problem that seems widespread enough to be reported: some of the webmasters have had a deeper (even if not deep enough) look at the MySQL privileges system and at the phpMyAdmin login procedure. They have then understood that if a user does not have the global "select" privilege, PMA tries to build the databases list from the "mysql.db" table. So they set up some global privileges but not the "select" one for each user and just define the "SELECT" one for relevant databases in "mysql.db". This way only databases with the "SELECT" grant are displayed in the left frame of course, but each user is allowed to use the other ones. For example if the global "DROP" privilege is set to "Y", any user is able to drop... the "mysql" db even if it's not displayed in the left frame!
We should really add some words about security in the documentation and emphasize the words "phpMyAdmin does not handle rights itself, it only uses MySQL ones"... and my English is not fluent enough to do it myself.
How about this:
"*** NOTE: phpMyAdmin does not apply any special security methods to the MySQL database server. It is still the sysadmin's job to grant permissions on the MySQL databases properly.
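
The gap between what the left frame displays and what MySQL permits, as an added example that is not part of the original mails or of phpMyAdmin's code. It is a simplified model of the two problems discussed above: the users, databases and privilege sets are constructed, and the helper names are hypothetical.

```python
# Constructed sample data modelled on the two problems described in this thread.
# Privilege names mirror MySQL's; users and databases are made up.
ALL_DBS = ["mysql", "db1", "db2"]

# Global privileges (mysql.user): they apply to every database on the server.
GLOBAL_PRIVS = {
    "user1": {"SELECT", "INSERT"},
    "user2": {"DROP"},          # no global SELECT, but global DROP = 'Y'
    "user3": set(),
}
# Per-database privileges (mysql.db).
DB_PRIVS = {
    ("user2", "db2"): {"SELECT", "INSERT"},
    ("user3", "db1"): {"SELECT"},
}

def displayed_dbs(user, only_db=""):
    """Databases shown in the left frame, following the behaviour described above."""
    if only_db:
        return [only_db]                      # 'only_db' is a display filter only
    if "SELECT" in GLOBAL_PRIVS.get(user, set()):
        return list(ALL_DBS)
    # No global SELECT: the list is built from per-database SELECT grants.
    return [db for db in ALL_DBS if "SELECT" in DB_PRIVS.get((user, db), set())]

def effective_privs(user, db):
    """What MySQL itself allows: global privileges plus per-database ones."""
    return GLOBAL_PRIVS.get(user, set()) | DB_PRIVS.get((user, db), set())

def hidden_but_reachable(user, only_db=""):
    """Databases that are not displayed but on which the user still holds privileges."""
    shown = set(displayed_dbs(user, only_db))
    return {db: sorted(effective_privs(user, db))
            for db in ALL_DBS
            if db not in shown and effective_privs(user, db)}

if __name__ == "__main__":
    for user, only_db in [("user1", "db1"), ("user2", ""), ("user3", "")]:
        print(user, "sees", displayed_dbs(user, only_db),
              "| hidden but reachable:", hidden_but_reachable(user, only_db))
```

An empty result from `hidden_but_reachable` is the state a sysadmin wants: every privilege the account holds is on a database it is meant to see.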