Tristan
Verified User
As a security measure remove the public facing PHPMyAdmin install on DirectAdmin hosts at http://hostname.nl/phpMyAdmin/ and move it somewhere inside the admin panel itself behind a DirectAdmin user login.
Restrict PHPMyAdmin access
- Thread starter Tristan
- Start date
-1, I would not like this. Also it would not be more secure. On DirectAdmin phpMyAdmin is password protected with http auth, and because of that it is not possible to exploit any vulnerability from the outside. phpMyAdmin should continue to be stand alone install.
Also many shared hosting customers from time to time need to give access to phpMyAdmin to third party developers, our they want to give access to phpMyAdmin to their own customers, but they do not want to give access to DirectAdmin, then it is critical that phpMyAdmin is available outside of DirectAdmin.
What would be the next, put Roundcube webmail inside DirectAdmin so that customer of customers is not able to login without DirectAdmin access? Please do not go this route.
Also many shared hosting customers from time to time need to give access to phpMyAdmin to third party developers, our they want to give access to phpMyAdmin to their own customers, but they do not want to give access to DirectAdmin, then it is critical that phpMyAdmin is available outside of DirectAdmin.
What would be the next, put Roundcube webmail inside DirectAdmin so that customer of customers is not able to login without DirectAdmin access? Please do not go this route.
Tristan
Verified User
This is not a good comparison IMHO, imap/pop is already publicly available on a network level as well, MySQL normally is not.
myH2Oservers
Verified User
-1 not handy for anyone.
Tristan
Verified User
Handy and secure don't always go hand in hand unfortunately, there also is a reason others (like Cpanel) do it the way I propose.
myH2Oservers
Verified User
Didn't have the time to fully motivate my answer but I think it is necessary now: if someone only needs access to the database you can share that specific account with hem/her. In your proposal that person also needs DirectAdmin access which means that person can not only access the database but also has access to all files and emails in the account (through the filemanager). Therefore I think the current solution is the best. He/She can access the database and if needed a separate FTP account can be created with a specific folder as the homedir. This way the person cannot access other files and emails.
Tristan
Verified User
That just depends on the implementation the DirectAdmin guys choose. Fully agree giving full domain access to third parties might not always be handy if you only want to give database access.
This topic has been brought up before. And while I agree with the OP - this is just too heavy of a debate for me to get into.
But... I do want to add some perspective here. For those arguing that some people give their developers access to phpMyAdmin without giving them DirectAdmin access... what is preventing you from installing phpMyAdmin on your account itself and providing access to the necessary database that way? No where does it state that phpMyAdmin has to be installed at the system-level. It can very easily be installed in a directory on an account's DocumentRoot. It does not require root level access to install.
But... I do want to add some perspective here. For those arguing that some people give their developers access to phpMyAdmin without giving them DirectAdmin access... what is preventing you from installing phpMyAdmin on your account itself and providing access to the necessary database that way? No where does it state that phpMyAdmin has to be installed at the system-level. It can very easily be installed in a directory on an account's DocumentRoot. It does not require root level access to install.
Please take into consideration of shared hosting providers. We are a shared hosting provider, and we do not allow our customers to install phpMyAdmin, because regular hosting customers can't be trusted to keep phpMyAdmin up to date whenever there is a new release with security fixes. Also they do not need to install it, because it is already globally available on our servers outside of DirectAdmin, like it should be.
Last edited:
Well... OK... then what's to prevent you from installing a system-wide phpMyAdmin in /var/www/html and directing your clients to it?
Why does the control panel eco-system have to bow to one individual's need?
Now... to your point... this is the way DirectAdmin has always done phpMyAdmin access - I don't agree with it and I think it was short sighted... but it's the way it was done. So ultimately it is up to me to adapt to the way DirectAdmin is doing this rather than demand that DirectAdmin change. But I don't believe that there is anything wrong in offering an opinion as to why I think it was a short sighted decision. Improvements to a system are rarely garnered by listening to a chorus of yes men. Just because I disagree with how this was implemented doesn't mean I have any bad blood towards the DirectAdmin staff or developers. It's just simply making an observation.
Why does the control panel eco-system have to bow to one individual's need?
Now... to your point... this is the way DirectAdmin has always done phpMyAdmin access - I don't agree with it and I think it was short sighted... but it's the way it was done. So ultimately it is up to me to adapt to the way DirectAdmin is doing this rather than demand that DirectAdmin change. But I don't believe that there is anything wrong in offering an opinion as to why I think it was a short sighted decision. Improvements to a system are rarely garnered by listening to a chorus of yes men. Just because I disagree with how this was implemented doesn't mean I have any bad blood towards the DirectAdmin staff or developers. It's just simply making an observation.
Tristan
Verified User
Completely agree with @sparek here.
Also, as many DirectAdmin settings, it wouldn't have to mean you can't enable public facing PHPMyAdmin, this could be just a setting like any other. Plesk also has a setting for this for example.
Also, as many DirectAdmin settings, it wouldn't have to mean you can't enable public facing PHPMyAdmin, this could be just a setting like any other. Plesk also has a setting for this for example.
DewlanceVPS
Verified User
- Joined
- Oct 3, 2016
- Messages
- 108
+1 for this feature and Server Admin can choose this option to allow Direct access to phpmyadmin or not.
Few year ago, I heard story about hacking attempt. Hacker knows mysql login details but failed to access mysql because of phpmyadmin was not directly accessible and remote access to mysql was disabled.
Few year ago, I heard story about hacking attempt. Hacker knows mysql login details but failed to access mysql because of phpmyadmin was not directly accessible and remote access to mysql was disabled.
Tristan
Verified User
John told me they're looking into a way to implement this, so fingers crossed he comes up with something elegant that keeps the option for some to keep it open to everyone.
phpmyadmin_public=yes/no has been added to CB 2.0 rev. 2221. It defaults to "yes". If you'd like phpMyAdmin to be available only for SSO from DirectAdmin, just do:
Code:
cd /usr/local/directadmin/custombuild
./build update
./build set phpmyadmin_public no
./build phpmyadminTristan
Verified User
That was quick, thanks a lot, works as advertised!
DewlanceVPS
Verified User
- Joined
- Oct 3, 2016
- Messages
- 108
I enabled this but now its showing "Access to phpMyAdmin is only allowed from control panel." even if logged in to admin account or user account. (DA Admin Panel >> phpMyAdmin)
DA Admin Panel >> phpMyAdmin is not used for Single-Sign-On. We may either remove it at all when this feature is enabled, or.. auto-login to main user account in phpMyAdmin.
@DewlanceVPS
https://www.directadmin.com/features.php?id=2473
--
Feature works great, thanks. Suggestions;
- When this feature is enabled (SSO + One click login from DA) remove every normal link to phpmyadmin from DA (under Extra Features, link left to Create new database etc) because that's not working anymore.
- When phpmyadmin=no in options.conf, also remove every link to phpmyadmin from the DA interface
- Maybe change the text "Login" to "Login to phpMyAdmin" to make it more clearer for end users
Also:
The Login button redirects to /phpMyAdmin, and every other link in the DA interface to /phpmyadmin and that's giving a 404. Manually browsing to /phpMyAdmin gives a 403.
// Nvm, a ./build rewrite_confs fixed it. Maybe useful to add to the docs after enabling all this.
https://www.directadmin.com/features.php?id=2473
--
Feature works great, thanks. Suggestions;
- When this feature is enabled (SSO + One click login from DA) remove every normal link to phpmyadmin from DA (under Extra Features, link left to Create new database etc) because that's not working anymore.
- When phpmyadmin=no in options.conf, also remove every link to phpmyadmin from the DA interface
- Maybe change the text "Login" to "Login to phpMyAdmin" to make it more clearer for end users
Also:
The Login button redirects to /phpMyAdmin, and every other link in the DA interface to /phpmyadmin and that's giving a 404. Manually browsing to /phpMyAdmin gives a 403.
// Nvm, a ./build rewrite_confs fixed it. Maybe useful to add to the docs after enabling all this.
Last edited:
altayevrim
Verified User
- Joined
- Oct 6, 2019
- Messages
- 16
That's exactly what I was looking for! I still can access phpmyadmin before l logging in to DA but I think it's because of my DirectAdmin version.
V: 1.59.1
Whatever, I'll check it later on.
V: 1.59.1
Whatever, I'll check it later on.
bestariwebhost
Verified User
Thank you.. Great feature