[Phpmyadmin-devel] restricting or removing /setup

Marc Delisle marc at infomarc.info
Sat Jul 16 14:17:25 CEST 2011


On 2011-07-16 05:30, Michal Čihař wrote:
> Hi
>
> Dne Fri, 15 Jul 2011 10:50:35 -0400
> Isaac Bennetch <bennetch at gmail.com> wrote:
>
>> On Jul 15, 2011, at 9:35 AM, Marc Delisle <marc at infomarc.info> wrote:
>>
>>> Hi,
>>>
>>> we got a suggestion from a user about either restricting access to
>>> /setup or telling the installer to remove this directory after initial
>>> setup.
>>>
>>> Let's discuss this...
>>
>> If I remember correctly, the reason this wasn't done in the first
>> place is that there's no vulnerability to leaving it exposed. The user
>> moves the generated config.inc.php, and a malicious user can't write a
>> new one that would be used. Additionally, users who wish to
>> reconfigure later might want to run the setup; if it's removed they'll
>> have to (presumably) reinstall the entire program.
>>
>> If there were a good reason to remove it, then I'd certainly support
>> the idea, but I don't see a compelling reason at the moment.
>
> I've seen this in various web applications - they force you to remove
> setup once installation is done.

Yes but in these applications, their installation program does things like
- letting you choose an admin password
- entering database credentials
- creating initial database
- creating the effective configuration file

This is why they ask (or sometimes require) you to remove the setup directory.

I don't see the same need for phpMyAdmin because our setup code never 
writes to the effective configuration file, only to a staging one.


>
> I don't think we should make it a hard requirement, however
> suggesting to remove it after setup won't hurt.
>
> Another option would be to limit access to it, for example only to
> authenticated MySQL users, which would limit the audience quite a lot.


-- 
Marc Delisle
http://infomarc.info
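As an added example (not phpMyAdmin's own code, and not part of this thread), a small POSIX shell audit that checks the post-install state the discussion turns on: whether setup/ is still present, whether the staging configuration is still lying around, and whether the effective config.inc.php exists and is not world-writable. The staging location being a config/ directory under the document root is an assumption; the thread only says "a staging one".

```shell
#!/bin/sh
# Post-install audit for a phpMyAdmin document root (added example, not project code).
# Assumption: the setup script's staging location is a config/ directory under the
# document root; the thread does not name it.

pma_setup_audit() {
    root=$1
    status=0

    # 1. The setup UI is only needed for (re)configuration; recommend removing or
    #    restricting it once the effective configuration is in place.
    if [ -d "$root/setup" ]; then
        echo "WARN: $root/setup is still present; remove it or restrict access (e.g. by IP or HTTP auth)"
        status=1
    fi

    # 2. The staging directory should be gone once config.inc.php has been moved out of it.
    if [ -d "$root/config" ]; then
        echo "WARN: staging directory $root/config still exists; delete it after moving config.inc.php"
        status=1
    fi

    # 3. The effective configuration must exist and must not be writable by everyone,
    #    otherwise the "setup cannot write to it" argument no longer holds.
    if [ ! -f "$root/config.inc.php" ]; then
        echo "WARN: $root/config.inc.php not found; setup has not been completed"
        status=1
    else
        # Column 9 of ls -l output is the 'other' write bit; works on GNU and BSD ls.
        if [ "$(ls -ld "$root/config.inc.php" | cut -c9)" = "w" ]; then
            echo "WARN: $root/config.inc.php is world-writable"
            status=1
        fi
    fi

    [ "$status" -eq 0 ] && echo "OK: $root looks tidy"
    return "$status"
}

# Usage: sh pma_setup_audit.sh /var/www/phpmyadmin
if [ $# -gt 0 ]; then
    pma_setup_audit "$1"
fi
```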