Disable phpmyadmin for a specific domain / user

S

S2S-Robert

Verified User
Joined
Jun 24, 2003
Messages
397
Location
The Netherlands
I have a user who is afraid of other people logging in on his database. Now what he wants is that only he from his specified IP is able to login, so that means disabling phpmyadmin.

How would I disable phpmyadmin for this user account?
 
Hello,

I'm not sure which would take precendence, but to disable phpMyAdmin for his virtualhost, you could create new Aliases with the custom httpd.conf feature (Admin Panel -> Admin Settings -> customize httpd.conf) and add:
Code: 
Alias /phpmyadmin /nowhere
Alias /phpMyAdmin /nowhere
This should disable phpMyAdmin on his domain.. but it would still be accessible from other domains/ips on the server.

The problem with only allowing his IP is that sure you can add his IP into the access hosts, but if you remove "localhost", his site won't be able to login to mysql. Phpmyadmin uses localhost, so you'd have to remove localhost (manually) to prevent it's use, but again, that would prevent his site from accessing the database.

John
 
It seems adding the aliases do the trick of disabling it for that domain. Now that's a starter :)

I know that removing localhost from mysql isn't possible (at least not without removing the functionality), but perhaps there is a banlist of some sort in the phpmyadmin program that it checks to see which user is trying to login and whether or not he actually has the right to.

That would prevent a user from logging in using phpmyadmin from whichever site he comes from.
 
Ok, I did some searching on the phpmyadmin site and I came up with something that might be worth having a look at.

4.6 @

http://www.phpmyadmin.net/documentation/#faqmultiuser

[4.6] How can I use the Host-based authentication additions?
If you have existing rules from an old .htaccess file, you can take them and add a username between the 'deny'/'allow' and 'from' strings. Using the username wildcard of '%' would be a major benefit here if your installation is suited to using it. Then you can just add those updated lines into the $cfg['Servers'][$i]['AllowDeny']['rules'] array.

If you want a pre-made sample, you can try this fragment. It stops the 'root' user from logging in from any networks other than the private network IP blocks.
//block root from logging in except from the private networks
$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array(
'deny root from all',
'allow root from localhost',
'allow root from 10.0.0.0/8',
'allow root from 192.168.0.0/16',
'allow root from 172.16.0.0/12',
);
Click to expand...
 
A simple way would to be add the following at the top of phpmyadmin's index.php

PHP: 
<?php
if($_SERVER["REMOTE_ADDR"]=="XXX.XXX.XXX.XXX){
echo "You have been dissalowed access to this area";
}
else{
?>

PHPMYADMIN CODE

<?php
}
?>

Simply replace XXX.XXX.XXX.XXX eith the users IP address.

Edit: soloiution for blocking access to a specific user can be found below.

Chris
 
Yes this could very well work, but it's actually the other way around :D

I want to disallow all access to a specific user. Most users don't have any problems with logging in via phpmyadmin, but this one is afraid that someone might access his database through phpmyadmin.

If I could disallow phpmyadmin for a specific user that would certainly ease his mind. That's why the idea picked up from the phpmyadmin FAQ would work I guess, because that one (dis)allows specific users from specific IP addresses.

If this would work then there could be an additional checkbox in the MySQL feature in the DA control panel "allow phpmyadmin xs".
 
S2S-Robert said:
If this would work then there could be an additional checkbox in the MySQL feature in the DA control panel "allow phpmyadmin xs".
Click to expand...

Edit: ignore this post :D
 
No, I don't think you're getting the point :D

The user is fine, having local mysql access is fine as well (otherwise the site wouldn't function). The only problem he has is that he is able to login via phpmyadmin.

The only thing I want to disable the user from doing is logging in using phpmyadmin. I don't want to change anything else, just disable phpmyadmin for a specific mysql user :)
 
ok, looked into this in further detail and have noticed MyAdmin does not use its own passwords with advanced authentication. To gain access you simply require a user and pass with phpmyadmin, if you have that you have MyAdmin access.

plain old way: username and password are stored in config.inc.php3.


Advanced authentication, as introduced in 1.3.0 allows you to log
in as any valid MySQL user via HTTP-Auth. Please note that this authentication mode is only supported with PHP running as an Apache module, and not with cgi.

Using advanced authentication is recommended:


- when phpMyAdmin is running in a multi-user environment where people have shell-access that you don't want to know the username/password for MySQL.


- when you want to give users access to their own database and don't want them to play around with others.
Click to expand...

Without looking into the phpMyAdmin code and checking how the username variables are stored you would not be able to do this.

Chris
 
Code: 
$cfg['Servers'][$i]['auth_type']     = 'http';
When looking into the code we see it's already in advanced authentication.

I strongly believe that using the array I pasted before would be a possibility but since I'm not a good php programmer I don't know how to implement this for actual DA MySQL users.

I guess it would be something like:

$cfg['Servers'][$i]['AllowDeny']['rules'] = array(
'deny < MySQL User> from all',
'allow <MySQL User> from <specified IP>',
);
Click to expand...
 
Last edited:
Actually looking at your post again it appears your correct there! didnt notice the user, only the IP addresses :p

try adding that to your config and see if it works ;)

Chris
 
There seem to be 3 different positions in where you can place this. The first one is the http authentication (the default one), the second one is a config file authentication and the third one is exactly the same as the 2nd one. So there seem to be 3 different 'server' configurations.

I put the deny for a specific mysql user in all three of them but I was able to login using the http authentication. When I tried to logout it actually denied me logging out :rolleyes: So I guess I'm on the right track...

Why are there 3 different server configurations and why do 2 of them have config file authentication? Wouldn't only http be enough?
 
Last edited:
what your looking for is probably:

/var/www/html/phpmyadmin*VERSION*/config.inc.php

after one of the sections (eg mysql settings) add the section you mentioned previously so its something like

Code: 
   'OTHER SETTINGs'
);
[B]
//block user from logging into phpMyAdmin
$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array(
'deny *USER* from all',
); 
[/B]

// another section....

is that what you have done? you dont need any extra php for that :-/

Chris
 
Ok, figured out what the problem was, I hadn't set a allow / deny order in $cfg['Servers'][$i]['AllowDeny']['order']

Code: 
$cfg['Servers'][$i]['AllowDeny']['order']  = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules']  = array(
    'deny [color=red]mysql user[/color] from all',
    'allow [color=red]mysql user[/color] from [color=red]IP address[/color]',
);
for more information see :
http://www.phpmyadmin.net/documentation/#config

My only question left now is if it is possible for DA to include this in the default control panel and create the checkbox which makes it possible to enable / disable phpmyadmin for a specific mysql user from the controlpanel.

It would require an additional php file that could be included in the config.inc.php file where the rules could be set.
 
Last edited:
Well, this would be like the PHP On/Off thing.

Only one people need it, and we all suffered with skins disabling it by default.

Can you modify them yourself?

Not trying to be rude here, but this will cause more problems to us.
 
If you can add the a field in your account setup form, the feature should be fairly easily to implemtn using the scripts that you can run upon domain creation and deletion.

phpMyAdmin is not something that you would really need to set on / off and in the majority of cases it will be fine on. As we have discovered it is *very* easy to implent this kind of idea and would probably be just as good as a how-to.

Chris
 
Feel free to use my example of where to place the snippet of code from above if you wish to put the how-to guide up :)

Chris

-

ProWebUK said:
what your looking for is probably:

/var/www/html/phpmyadmin*VERSION*/config.inc.php

after one of the sections (eg mysql settings) add the section you mentioned previously so its something like

Code: 
   'OTHER SETTINGs'
);
[B]
//block user from logging into phpMyAdmin
$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array(
'deny *USER* from all',
); 
[/B]

// another section....

is that what you have done? you dont need any extra php for that :-/

Chris
Click to expand...
 
You must log in or register to reply here.
Back
Top