[Phpmyadmin-devel] Two problems...

Geert Lund - SilverSoft Productions phpmyadmin-devel at silversoft.dk
Thu Oct 11 12:44:10 CEST 2001


Hello Alain.

> 2) much more important: in virtual hosting, you can't change mysql
> parameters: it's not advanced auth but the 'only_db' feature is really
> important in real life use of Pma in such environments.

But that's the point exactly - it's not in the scope of pMA to handle MySQL
security issues - if MySQL permissions aren't set correctly - then it's the
administrator that's lazy - and it should not depend on pMA to set up
"intended" permissions... pMA should not be a security shell layer above the
MySQL Server...

So I definitely don't hope that ISPs in VHost environments count on pMA to
set permissions solely based on the only_db feature of phpMyAdmin. That's
really very wrong ... very very wrong...

So the question is not whether pMA should be a security layer above the MySQL
Server or not (because we - the developers - agree - at least until now -
that we won't make security tighter in pMA than what's allowed by the MySQL
permissions) - but a question about - does the only_db make any sense or
not...

To all:

And I agree - when pMA is run in a multihosting environment with perhaps
100's or 1000's of databases it's really important only to show allowed
databases... So in my opinion - the use of only_db would be far more correct
if it's a TRUE/FALSE variable - that tells pMA to check for permissions and
only show allowed databases of the authenticated user. (and actually I think
that MySQL has a feature that enables the same thing - that MySQL only shows
allowed databases and tables to the client based on the authenticated user -
I just can't find it in the documentation at this moment - but I'll keep
searching :o)) ).

--
Kind regards
Geert Lund
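
The TRUE/FALSE behaviour proposed in the message above, sketched as an added example (not part of the original message and not phpMyAdmin code): the list of databases shown is derived from the server's own grant rows, so the display cannot diverge from what MySQL permits. The sample rows, database names and both helper functions are constructed for illustration; host matching and global privileges are left out.

```python
import re

# Constructed sample rows shaped like MySQL's mysql.db grant table:
# (User, Db pattern). Host and privilege columns are omitted (assumption).
SAMPLE_DB_GRANTS = [
    ("alice", "alice\\_shop"),   # escaped underscore: exactly "alice_shop"
    ("alice", "alice\\_blog"),
    ("bob", "bob%"),             # % wildcard: every database starting with "bob"
    ("carol", "c_1"),            # bare _ matches any single character
]

# Constructed list of every database on the shared server.
SAMPLE_ALL_DATABASES = ["alice_shop", "alice_blog", "aliceXshop",
                        "bob", "bob_forum", "c_1", "cx1", "mysql"]


def grant_pattern_to_regex(pattern):
    """Translate a grant-table Db pattern (% and _ wildcards, backslash escape)."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))  # escaped char is literal
            i += 2
            continue
        if ch == "%":
            out.append(".*")
        elif ch == "_":
            out.append(".")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out), re.DOTALL)


def visible_databases(user, all_databases, db_grants):
    """Return the databases to list for `user`: only those a grant row covers."""
    patterns = [grant_pattern_to_regex(db) for u, db in db_grants if u == user]
    return [name for name in all_databases
            if any(p.fullmatch(name) for p in patterns)]
```

The carol row shows why an unescaped underscore in a grant pattern matters: it covers `cx1` as well as `c_1`, and a display list built from the grants makes that visible.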




