Restrict PHPMyAdmin access

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,463
-1, I would not like this. Also it would not be more secure. On DirectAdmin phpMyAdmin is password protected with http auth, and because of that it is not possible to exploit any vulnerability from the outside. phpMyAdmin should continue to be stand alone install.

Also many shared hosting customers from time to time need to give access to phpMyAdmin to third party developers, or they want to give access to phpMyAdmin to their own customers, but they do not want to give access to DirectAdmin, then it is critical that phpMyAdmin is available outside of DirectAdmin.

What would be the next, put Roundcube webmail inside DirectAdmin so that customer of customers is not able to login without DirectAdmin access? Please do not go this route.
 

tristan

Verified User
Joined
Feb 11, 2005
Messages
404
Location
The Netherlands
> What would be the next, put Roundcube webmail inside DirectAdmin so that customer of customers is not able to login without DirectAdmin access? Please do not go this route.
This is not a good comparison IMHO, imap/pop is already publicly available on a network level as well, MySQL normally is not.
 

tristan

Verified User
Joined
Feb 11, 2005
Messages
404
Location
The Netherlands
Handy and secure don't always go hand in hand unfortunately, there also is a reason others (like Cpanel) do it the way I propose.
 

myH2Oservers

Verified User
Joined
Mar 13, 2006
Messages
235
Location
Netherlands
> Handy and secure don't always go hand in hand unfortunately, there also is a reason others (like Cpanel) do it the way I propose.

Didn't have the time to fully motivate my answer but I think it is necessary now: if someone only needs access to the database you can share that specific account with him/her. In your proposal that person also needs DirectAdmin access which means that person can not only access the database but also has access to all files and emails in the account (through the filemanager). Therefore I think the current solution is the best. He/She can access the database and if needed a separate FTP account can be created with a specific folder as the homedir. This way the person cannot access other files and emails.
 

tristan

Verified User
Joined
Feb 11, 2005
Messages
404
Location
The Netherlands
That just depends on the implementation the DirectAdmin guys choose. Fully agree giving full domain access to third parties might not always be handy if you only want to give database access.
 

sparek

Verified User
Joined
Jun 27, 2019
Messages
118
This topic has been brought up before. And while I agree with the OP - this is just too heavy of a debate for me to get into.

But... I do want to add some perspective here. For those arguing that some people give their developers access to phpMyAdmin without giving them DirectAdmin access... what is preventing you from installing phpMyAdmin on your account itself and providing access to the necessary database that way? Nowhere does it state that phpMyAdmin has to be installed at the system-level. It can very easily be installed in a directory on an account's DocumentRoot. It does not require root level access to install.
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,463
> [cut]
> But... I do want to add some perspective here. For those arguing that some people give their developers access to phpMyAdmin without giving them DirectAdmin access... what is preventing you from installing phpMyAdmin on your account itself and providing access to the necessary database that way? Nowhere does it state that phpMyAdmin has to be installed at the system-level. It can very easily be installed in a directory on an account's DocumentRoot. It does not require root level access to install.

Please take shared hosting providers into consideration. We are a shared hosting provider, and we do not allow our customers to install phpMyAdmin, because regular hosting customers can't be trusted to keep phpMyAdmin up to date whenever there is a new release with security fixes. Also they do not need to install it, because it is already globally available on our servers outside of DirectAdmin, like it should be.
 

sparek

Verified User
Joined
Jun 27, 2019
Messages
118
Well... OK... then what's to prevent you from installing a system-wide phpMyAdmin in /var/www/html and directing your clients to it?

Why does the control panel eco-system have to bow to one individual's need?

Now... to your point... this is the way DirectAdmin has always done phpMyAdmin access - I don't agree with it and I think it was short sighted... but it's the way it was done. So ultimately it is up to me to adapt to the way DirectAdmin is doing this rather than demand that DirectAdmin change. But I don't believe that there is anything wrong in offering an opinion as to why I think it was a short sighted decision. Improvements to a system are rarely garnered by listening to a chorus of yes men. Just because I disagree with how this was implemented doesn't mean I have any bad blood towards the DirectAdmin staff or developers. It's just simply making an observation.
 

tristan

Verified User
Joined
Feb 11, 2005
Messages
404
Location
The Netherlands
Completely agree with @sparek here.

Also, as many DirectAdmin settings, it wouldn't have to mean you can't enable public facing PHPMyAdmin, this could be just a setting like any other. Plesk also has a setting for this for example.
 

DewlanceVPS

Verified User
Joined
Oct 3, 2016
Messages
86
+1 for this feature and Server Admin can choose this option to allow Direct access to phpmyadmin or not.


A few years ago, I heard a story about a hacking attempt. The hacker knew the MySQL login details but failed to access MySQL because phpMyAdmin was not directly accessible and remote access to MySQL was disabled.
 

tristan

Verified User
Joined
Feb 11, 2005
Messages
404
Location
The Netherlands
John told me they're looking into a way to implement this, so fingers crossed he comes up with something elegant that keeps the option for some to keep it open to everyone.
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,340
Location
LT, EU
phpmyadmin_public=yes/no has been added to CB 2.0 rev. 2221. It defaults to "yes". If you'd like phpMyAdmin to be available only for SSO from DirectAdmin, just do:
Code:
cd /usr/local/directadmin/custombuild
./build update
./build set phpmyadmin_public no
./build phpmyadmin
 

DewlanceVPS

Verified User
Joined
Oct 3, 2016
Messages
86
> phpmyadmin_public=yes/no has been added to CB 2.0 rev. 2221. It defaults to "yes". If you'd like phpMyAdmin to be available only for SSO from DirectAdmin, just do:
> Code:
> cd /usr/local/directadmin/custombuild
> ./build update
> ./build set phpmyadmin_public no
> ./build phpmyadmin

I enabled this but now it's showing "Access to phpMyAdmin is only allowed from control panel." even if logged in to admin account or user account. (DA Admin Panel >> phpMyAdmin)
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,340
Location
LT, EU
> I enabled this but now it's showing "Access to phpMyAdmin is only allowed from control panel." even if logged in to admin account or user account. (DA Admin Panel >> phpMyAdmin)

DA Admin Panel >> phpMyAdmin is not used for Single-Sign-On. We may either remove it at all when this feature is enabled, or.. auto-login to main user account in phpMyAdmin.
 

Erulezz

Verified User
Joined
Sep 14, 2015
Messages
435
Location
Arnhem, NL
@DewlanceVPS

https://www.directadmin.com/features.php?id=2473

--

Feature works great, thanks. Suggestions;

- When this feature is enabled (SSO + One click login from DA) remove every normal link to phpmyadmin from DA (under Extra Features, link left to Create new database etc) because that's not working anymore.
- When phpmyadmin=no in options.conf, also remove every link to phpmyadmin from the DA interface
- Maybe change the text "Login" to "Login to phpMyAdmin" to make it clearer for end users

Also:

The Login button redirects to /phpMyAdmin, and every other link in the DA interface to /phpmyadmin and that's giving a 404. Manually browsing to /phpMyAdmin gives a 403.

// Nvm, a ./build rewrite_confs fixed it. Maybe useful to add to the docs after enabling all this.
 

altayevrim

Verified User
Joined
Oct 6, 2019
Messages
11
That's exactly what I was looking for! I still can access phpmyadmin before logging in to DA but I think it's because of my DirectAdmin version.
V: 1.59.1

Whatever, I'll check it later on.
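
The setting and symptoms discussed in this thread, as an added example that is not from any poster or from DirectAdmin: a POSIX shell check that reads phpmyadmin_public and classifies what an unauthenticated request to /phpMyAdmin returns. The options.conf location, the function names and the host argument are assumptions.

```shell
#!/bin/sh
# Added example, not DirectAdmin code: audit that phpmyadmin_public=no is enforced.
# Assumption: CustomBuild keeps key=value settings in this options.conf.
OPTIONS_CONF="${OPTIONS_CONF:-/usr/local/directadmin/custombuild/options.conf}"
NOTICE='only allowed from control panel'   # block message quoted in the thread

# Print phpmyadmin_public from a conf file; absent means "yes" (the stated default).
pma_public_setting() {
    val=$(sed -n 's/^[[:space:]]*phpmyadmin_public[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' \
        "$1" 2>/dev/null | tail -n 1)
    echo "${val:-yes}"
}

# Classify an unauthenticated response: $1 setting, $2 HTTP status, $3 notice|none.
pma_verdict() {
    case "$1:$2:$3" in
        no:*:notice|no:403:*|no:404:*) echo "blocked" ;;
        no:200:*|no:401:*)             echo "exposed" ;;     # login page or http auth prompt
        yes:200:*|yes:401:*)           echo "public-by-config" ;;
        *)                             echo "unexpected" ;;  # e.g. confs not yet rewritten
    esac
}

# Probe both URL spellings mentioned in the thread, without credentials.
audit() {   # usage: audit https://host.example  (hypothetical host)
    setting=$(pma_public_setting "$OPTIONS_CONF")
    for path in /phpMyAdmin/ /phpmyadmin/; do
        body=$(mktemp)
        status=$(curl -s -L --max-time 10 -o "$body" -w '%{http_code}' "$1$path")
        if grep -q "$NOTICE" "$body"; then notice=notice; else notice=none; fi
        rm -f "$body"
        echo "$path setting=$setting status=$status -> $(pma_verdict "$setting" "$status" "$notice")"
    done
}

# Offline demo on a constructed options.conf and constructed responses.
demo() {
    conf=$(mktemp)
    printf '%s\n' 'phpmyadmin=yes' 'phpmyadmin_public=no' > "$conf"
    setting=$(pma_public_setting "$conf"); rm -f "$conf"
    for resp in 403:none 200:notice 401:none; do
        echo "setting=$setting response=$resp -> $(pma_verdict "$setting" "${resp%%:*}" "${resp##*:}")"
    done
}

if [ $# -gt 0 ]; then audit "$1"; else demo; fi
```

An "exposed" or "unexpected" result with the setting at "no" is the case where re-running ./build phpmyadmin and ./build rewrite_confs, as mentioned above, is worth trying before anything else.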
 