[Phpmyadmin-devel] restricting or removing /setup

Marc Delisle marc at infomarc.info
Sat Jul 16 14:17:25 CEST 2011

On 2011-07-16 05:30, Michal Čihař wrote:
> Hi
> On Fri, 15 Jul 2011 10:50:35 -0400
> Isaac Bennetch <bennetch at gmail.com> wrote:
>> On Jul 15, 2011, at 9:35 AM, Marc Delisle <marc at infomarc.info> wrote:
>>> Hi,
>>> we got a suggestion from a user about either restricting access to
>>> /setup or telling the installer to remove this directory after initial
>>> setup.
>>> Let's discuss this...
>> If I remember correctly, the reason this wasn't done in the first
>> place is that there's no vulnerability to leaving it exposed. The user
>> moves the generated config.inc.php, and a malicious user can't write a
>> new one that would be used. Additionally, users who wish to
>> reconfigure later might want to run the setup; if it's removed they'll
>> have to (presumably) reinstall the entire program.
>> If there were a good reason to remove it, then I'd certainly support
>> the idea, but I don't see a compelling reason at the moment.
> I've seen this in various web applications - they force you to remove
> setup once installation is done.

Yes, but in these applications, their installation program does things like:
- letting you choose an admin password
- entering database credentials
- creating initial database
- creating the effective configuration file

This is why they ask you (or sometimes force you) to remove the setup directory.

I don't see the same need for phpMyAdmin because our setup code never 
writes to the effective configuration file, only to a staging one.

> I don't think we should make it a hard requirement; however,
> suggesting to remove it after setup won't hurt.
> Another option would be to limit access to it, for example only to
> authenticated MySQL users, which would limit the audience quite a lot.

Marc Delisle
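One way to implement the "restricting access to /setup" option raised at the top of the thread, as an added example that is not part of this discussion or of phpMyAdmin's own files: Apache 2.4 configuration for the setup directory. It assumes phpMyAdmin is installed under /var/www/phpmyadmin and an htpasswd file at /etc/apache2/pma-setup.htpasswd (both placeholder paths); use one of the two blocks, not both.

```apache
# Added example (not from the thread or the phpMyAdmin project).
# Install path and htpasswd path below are placeholders.

# Option 1: block the setup directory entirely once configuration is done.
# Equivalent in effect to removing it, but reversible by editing one line.
<Directory "/var/www/phpmyadmin/setup">
    Require all denied
</Directory>

# Option 2: keep it usable for later reconfiguration, but only for an
# administrator who authenticates AND connects from the local machine.
<Directory "/var/www/phpmyadmin/setup">
    AuthType Basic
    AuthName "phpMyAdmin setup"
    AuthUserFile /etc/apache2/pma-setup.htpasswd
    <RequireAll>
        Require valid-user
        Require ip 127.0.0.1 ::1
    </RequireAll>
</Directory>
```

With either option, the staging config that setup writes still has to be moved by hand to become the effective config.inc.php, as the thread notes.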
