Virtual Web Servers, MySQL and Users?
Hi,

we would like to offer MySQL database access on our web server, making the LAMP setup complete. That machine is running about a hundred virtual web servers for about 70 clients, and the MySQL setup on the box is also being used for user authentication, so the database definitely contains valuable data that needs to be protected from the users.

But I suspect that once we give the customers MySQL, they will want to have PHPMyAdmin as well. AFAIK, the PHPMyAdmin version from potato gives full access to the databases, allowing users to see data they aren't supposed to see. Am I mistaken here? Is there a later version of PHPMyAdmin that allows user rights to be restricted?

How do other ISPs solve this issue that surely comes up everywhere?

Greetings
Marc

--
!! No courtesy copies, please !!
Marc Haber         | Questions are the            | Mail address in header
Karlsruhe, Germany | Beginning of Wisdom          | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG Rightful Heir  | Fax: *49 721 966 31 29
Re: Virtual Web Servers, MySQL and Users?
Hello Marc,

> But I suspect that once we give the customers MySQL, they will want to
> have PHPMyAdmin as well. AFAIK, the PHPMyAdmin version from potato gives
> full access to the databases, allowing users to see data they aren't
> supposed to see. Am I mistaken here?

You can (and should) only give the users access to their own database (in the db table of mysql base). They will be able to see the existence of other databases, but will not be able to see the tables or their entries.

There is however also a patch (check out the forum on phpmyadmin's webpage) where you can restrict the users to only see their own database, but it's not in the official distribution.

---
Stojan Rancic       // Knowledge is power !
K2.Net              // Use it, don't abuse it !
http://www.k2.net   //
Re: Virtual Web Servers, MySQL and Users?
I'm not familiar with the patch that Stojan mentioned. I'm not dealing with nearly as many users as you are and I'm just using basic authentication, but my way of handling this was to hack into the config.inc.php file in the phpMyAdmin directory and set it up so that $HTTP_SERVER_VARS[PHP_AUTH_USER] and $HTTP_SERVER_VARS[PHP_AUTH_PW] are used to set $cfgServers[3]['user'] and $cfgServers[3]['password'].

I can't vouch for the (in)security of this method, but it worked for me.

Hope that helps.

eirik

Stojan Rancic wrote:

> Hello Marc,
>
>> But I suspect that once we give the customers MySQL, they will want to
>> have PHPMyAdmin as well. AFAIK, the PHPMyAdmin version from potato gives
>> full access to the databases, allowing users to see data they aren't
>> supposed to see. Am I mistaken here?
>
> You can (and should) only give the users access to their own database
> (in the db table of mysql base). They will be able to see the existence
> of other databases, but will not be able to see the tables or their
> entries.
>
> There is however also a patch (check out the forum on phpmyadmin's
> webpage) where you can restrict the users to only see their own
> database, but it's not in the official distribution.
Re: Virtual Web Servers, MySQL and Users?
Stojan Rancic wrote:

> Hello Marc,
>
>> AFAIK, the PHPMyAdmin version from potato gives full access to the
>> databases, allowing users to see data they aren't supposed to see.
>> Am I mistaken here?
>
> You can (and should) only give the users access to their own database
> (in the db table of mysql base). They will be able to see the existence
> of other databases

Not necessarily. The solution has nothing to do with PHPMyAdmin.

MySQL:
  --safe-show-database
      Don't show databases for which the user doesn't have any privileges.

.SiCk of IT.
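Added example, not part of the original thread: the per-database restriction Stojan describes, written as SQL, followed by audit queries against the privilege tables. The account cust42, the database cust42_db, the host and the password are constructed placeholders, and the CREATE USER form assumes a current MySQL release (older servers created the account from the GRANT statement itself).

```sql
-- Constructed example: one customer, one database.
CREATE DATABASE cust42_db;
CREATE USER 'cust42'@'localhost' IDENTIFIED BY 'CHANGE-ME';

-- Database-level grant. It is recorded as a row in mysql.db (the "db table"
-- mentioned in the thread); the account's global flags in mysql.user stay 'N',
-- so the database used for user authentication remains unreadable to it.
-- GRANT OPTION is deliberately left out.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER
    ON cust42_db.* TO 'cust42'@'localhost';

-- What the account actually holds:
SHOW GRANTS FOR 'cust42'@'localhost';

-- Audit 1: accounts with global privileges. These apply to every database
-- on the server, so only administrative accounts should be listed here.
SELECT User, Host
  FROM mysql.user
 WHERE Select_priv = 'Y' OR Insert_priv = 'Y' OR Update_priv = 'Y'
    OR Delete_priv = 'Y' OR Create_priv = 'Y' OR Drop_priv   = 'Y'
    OR Grant_priv  = 'Y' OR File_priv   = 'Y' OR Process_priv = 'Y';

-- Audit 2: database-level rows. Each customer account should map to its
-- own database and nothing else.
SELECT User, Host, Db
  FROM mysql.db
 ORDER BY User, Db;

-- Audit 3: rows that match more than one database (a '%' wildcard in Db)
-- or that belong to the anonymous user.
SELECT User, Host, Db
  FROM mysql.db
 WHERE User = '' OR LOCATE('%', Db) > 0;

-- Final check, run while connected as cust42: the list returned shows
-- which database names are visible to that customer.
SHOW DATABASES;
```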