RE: [Phpmyadmin-devel] about arbitrary auth_type
Hi Marc, Michal & list, Marc Delisle wrote:
Michal Cihar a écrit:
There should still be posibility to disable this, to keep iterface as simple as possible (eg. with just one server).
Michal
Michal,
well, if you like. But I think that having this: --------------------
Server choice: [(drop-down)] or [enter server name] --------------------
would not clutter the interface too much. Plus it opens the eyes of users about this feature if we always show it, or if we show it by default.
Currently if we have just one server, we even don't show it on the login page, and I think that showing it would be an improvement.
Also, the auth_type 'arbitrary' somehow hides the fact that the mode is really cookie.
It has to be possible to disable the arbitary server mode. Not for cosmetic reasons: for security reasons! Let's imagin a small company network with two servers: server 1 and server 2, both running the MySQL server software. Server 1 is connected to the internet permanently. The MySQL database on server 1 sometimes has to be accessed from outside the network. This is why the sysadmin installed phpMyAdmin on server 1. The MySQL server on server 2 contains serious data and may not be accessible from the internet. Nevertheless, this database powers some php scripts running on server 1, so server 1 has to be able to connect to server 2's MySQL database. In this case, phpMyAdmin would be a security hole, if the arbitrary server mode wouldn't be configurable. In addition to this, an internet user would not only be able to access server 1 and 2, he would also be able to use the owner's bandwidth to access thousands of different servers all over the world. Regards, Alexader
Hi all Original message (Rabus, 11.09.2003 11:47):
It has to be possible to disable the arbitary server mode. Not for cosmetic reasons: for security reasons!
Let's imagin a small company network with two servers: server 1 and server 2, both running the MySQL server software. Server 1 is connected to the internet permanently. The MySQL database on server 1 sometimes has to be accessed from outside the network. This is why the sysadmin installed phpMyAdmin on server 1.
The MySQL server on server 2 contains serious data and may not be accessible from the internet. Nevertheless, this database powers some php scripts running on server 1, so server 1 has to be able to connect to server 2's MySQL database.
In this case, phpMyAdmin would be a security hole, if the arbitrary server mode wouldn't be configurable.
In addition to this, an internet user would not only be able to access server 1 and 2, he would also be able to use the owner's bandwidth to access thousands of different servers all over the world.
I completely agree, I thought there could be some security problems... The question now is how to make it: - keep arbitrary auth is as separate auth method - merge it with cookie and add option for enabling it Comments? -- Regards Michal Cihar http://cihar.com
Michal Cihar a écrit:
Hi all
Original message (Rabus, 11.09.2003 11:47):
It has to be possible to disable the arbitary server mode. Not for cosmetic reasons: for security reasons!
Let's imagin a small company network with two servers: server 1 and server 2, both running the MySQL server software. Server 1 is connected to the internet permanently. The MySQL database on server 1 sometimes has to be accessed from outside the network. This is why the sysadmin installed phpMyAdmin on server 1.
The MySQL server on server 2 contains serious data and may not be accessible from the internet. Nevertheless, this database powers some php scripts running on server 1, so server 1 has to be able to connect to server 2's MySQL database.
In this case, phpMyAdmin would be a security hole, if the arbitrary server mode wouldn't be configurable.
In addition to this, an internet user would not only be able to access server 1 and 2, he would also be able to use the owner's bandwidth to access thousands of different servers all over the world.
I completely agree, I thought there could be some security problems... The question now is how to make it:
- keep arbitrary auth is as separate auth method - merge it with cookie and add option for enabling it
Comments?
I suggest to merge it with cookies, add a config variable to enable it but disable it by default, adding appropriate warning about the security implications. About the thousands open servers that Rabus mentions, we could add a warning in our doc, referring users to http://www.mysql.com/doc/en/General_security.html and the fact that port 3306 should not be accessible from untrusted hosts. Sadly we cannot detect this fact to warn them. Marc
Hi Michal and Marc!
I suggest to merge it with cookies, add a config variable to enable it but disable it by default, adding appropriate warning about the security implications.
I agree with Marc - when first trying the new method out, I was quite confused on how to use it, so maybe less-experienced users will get a headache from it. Maintainability with this auth-mode should be easier as well, I don't see any real drawbacks when merging it with cookies with an ability to turn it off. Regards, Garvin. -- Garvin Hicking | Mediengestalter www.supergarv.de | #ICQ 21392242
Original message (Marc Delisle, 11.09.2003 15:17):
I suggest to merge it with cookies, add a config variable to enable it but disable it by default, adding appropriate warning about the security implications.
Done, feel free to update warning, if it is not enough exact. -- Regards Michal Cihar http://cihar.com
Michal Cihar a écrit:
Original message (Marc Delisle, 11.09.2003 15:17):
I suggest to merge it with cookies, add a config variable to enable it but disable it by default, adding appropriate warning about the security implications.
Done, feel free to update warning, if it is not enough exact.
Thanks Michal. I have a few points: 1. where is the warning? 2. If I define 2 hosts, and arbitrary server is TRUE, when I choose a host in "Server choice", I cannot login if there is a different host name written in "Server". It works if the "Server" field is blank. So this makes switching servers difficult, because after a logout, the last server used is written in "Server". Marc
Original message (Marc Delisle, 17.09.2003 15:12):
Michal Cihar a écrit:
Original message (Marc Delisle, 11.09.2003 15:17):
I suggest to merge it with cookies, add a config variable to enable it but disable it by default, adding appropriate warning about the security implications.
Done, feel free to update warning, if it is not enough exact.
Thanks Michal. I have a few points:
1. where is the warning?
In documentation :-)
2. If I define 2 hosts, and arbitrary server is TRUE, when I choose a host in "Server choice", I cannot login if there is a different host name written in "Server". It works if the "Server" field is blank.
So this makes switching servers difficult, because after a logout, the last server used is written in "Server".
You're right, I'll fix this. -- Regards Michal Cihar http://cihar.com
participants (4)
-
Garvin Hicking -
Marc Delisle -
Michal Cihar -
Rabus