[Phpmyadmin-devel] Two problems...

Ignacio Vazquez-Abrams ignacio at openservices.net
Thu Oct 11 09:16:10 CEST 2001


On Thu, 11 Oct 2001, Loïc wrote:

> Hi All!
>
> First problem:
> --------------
>
> Let's say you have such a config :
>
> $cfgServers[1]['host']     = 'my_host';
> ...
> $cfgServers[1]['adv_auth'] = TRUE;
> $cfgServers[1]['stduser']  = 'user1';
> $cfgServers[1]['stdpass']  = 'passwd1';
> ...
> $cfgServers[1]['only_db']  = '';
> ...
>
>
> $cfgServers[2]['host']     = 'my_host';
> ...
> $cfgServers[2]['adv_auth'] = TRUE;
> $cfgServers[2]['stduser']  = 'user2';
> $cfgServers[2]['stdpass']  = 'passwd2';
> ...
> $cfgServers[2]['only_db']  = 'db2';
> ...
>
>
> Then you would be displayed the server choice with two options
> at the starting right frame.
>
> Let's say you are user2.
> Since both the $cfgServers arrays use the same host and you have
> MySQL rights to access it, you may choose to login to $cfgServers[1].
> And then you may easily skip the 'only_db' setting.
> Moreover, if you login to $cfgServers[2] the left frame will display
> only the 'db2' database. Fine... but if you have right access to
> other dbs on this server you are able to run queries on these dbs.
>
> An easy fix for the first problem would be to ensure to use the valid
> $cfgServers thanks to $cfgServers[i]['stduser'] once the
> authentication is passed. But with Marc (and thanks to a suggestion
> from Piotr) we're working on a version that no longer needs the login
> and password to be stored in the config. file if advanced
> authentication is used. This would widely improve security.
>
> In a few words, I wonder if the 'only_db' setting is really useful.
> And I'm also afraid how dangerous it could be: I discussed with ISP
> webmasters at the beginning of this week and some of them just use
> the 'only_db' setting without worrying too much about MySQL grants!
> They presumed phpMyAdmin more or less handles the databases access
> rights since the 'only_db' setting is not well documented or not
> documented enough.

It has always been the sysadmin's job to maintain security. Anyone who is not
doing that should be fired for gross incompetence (my opinion, of course).

> Second problem:
> --------------
>
> In the discussions I've had, I've also faced another problem that
> seems widespread enough to be reported: some of the webmasters have
> had a deeper (even if not deep enough) look at the MySQL privileges
> system and at the phpMyAdmin login procedure. They have then
> understood that if a user does not have the global "select"
> privilege, PMA tries to build the databases list from the "mysql.db"
> table. So they set up some global privileges but not the "select" one
> for each user and just define "SELECT" one for relevant databases in
> "mysql.db".
> This way only databases with the "SELECT" grant are displayed in the
> left frame of course, but each user is allowed to use the other ones.
> For example if the global "DROP" privilege is set to "Y", any user is
> able to drop... the "mysql" db even if it's not displayed in the left
> frame!
>
> We should really add some words about security in the documentation
> and emphasize the words "phpMyAdmin does not handle rights itself, it
> only uses MySQL ones"... and my English is not fluent enough to do
> it myself.

How about this:

"*** NOTE: phpMyAdmin does not apply any special security methods to the MySQL
database server. It is still the sysadmin's job to grant permissions on the
MySQL databases properly."

-- 
Ignacio Vazquez-Abrams  <ignacio at openservices.net>
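
Added example, not part of the original message or of phpMyAdmin: a small audit that compares what the left frame would list with what the MySQL grants actually allow, covering both problems in the thread. The rows, database names and the user3 account are constructed samples shaped like mysql.user and mysql.db, and the display rule is a simplification of the behaviour described above.

```python
# Added example: audit MySQL grants the way the thread describes them.
# Rows below are constructed samples shaped like mysql.user / mysql.db
# ('Y'/'N' privilege columns); they are not taken from a real server.

GLOBAL_USER_ROWS = [
    {"User": "user1", "Select_priv": "Y", "Drop_priv": "Y"},
    {"User": "user2", "Select_priv": "N", "Drop_priv": "Y"},
    {"User": "user3", "Select_priv": "N", "Drop_priv": "N"},
]
DB_ROWS = [
    {"User": "user2", "Db": "db2", "Select_priv": "Y", "Drop_priv": "N"},
    {"User": "user3", "Db": "db3", "Select_priv": "Y", "Drop_priv": "Y"},
]
ALL_DATABASES = ["mysql", "db1", "db2", "db3"]  # constructed server contents
PRIVS = ("Select_priv", "Drop_priv")


def effective_privileges(user):
    """Return {db: set(privs)}: global grants apply to every database,
    mysql.db grants add to them for the named database only."""
    global_privs = set()
    for row in GLOBAL_USER_ROWS:
        if row["User"] == user:
            global_privs |= {p for p in PRIVS if row[p] == "Y"}
    result = {db: set(global_privs) for db in ALL_DATABASES}
    for row in DB_ROWS:
        if row["User"] == user and row["Db"] in result:
            result[row["Db"]] |= {p for p in PRIVS if row[p] == "Y"}
    return {db: privs for db, privs in result.items() if privs}


def displayed_databases(user, only_db=""):
    """Assumed display rule, per the thread: only_db if set, otherwise
    every database with SELECT (global or from mysql.db)."""
    if only_db:
        return {only_db}
    return {db for db, p in effective_privileges(user).items()
            if "Select_priv" in p}


def hidden_but_usable(user, only_db=""):
    """Databases the user can act on although the UI never lists them."""
    shown = displayed_databases(user, only_db)
    return {db: sorted(p) for db, p in effective_privileges(user).items()
            if db not in shown}
```

A non-empty result from hidden_but_usable() means the grants, not the phpMyAdmin configuration, need tightening: user2 sees only db2 yet holds DROP on every database, while user3, scoped entirely through mysql.db, has nothing hidden.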




