Re: [cobalt-security] phpmyadmin protected by >htaccess
- Subject: Re: [cobalt-security] phpmyadmin protected by >htaccess
- From: "storage@xxxxxxxxxxxxx" <storage@xxxxxxxxxx>
- Date: Tue, 6 Mar 2001 23:02:05 -0000
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Robbert Hamburg <rhamburg@xxxxxx> said:
> I have a question which I think can be a potential security risk for my
> server. Let me explain.
> I want to install phpmyadmin and want to protect it with a htaccess file.
> For normal users it should be enough however I think that it isn't enough
> for more advanced users.
> Can you please tell me what risk I run on my server doing it the way
> described above for using phpmyadmin, run under a subdomain.
> Perhaps you have some thoughts about setting it up better protected.
>
RTFM. Specifically, the section in the phpmyadmin docs about advanced
authentication.
Basically, advanced authentication emulates basic HTTP authentication using
the MySQL authentication database. All you need to do is set up a MySQL user
that only has SELECT access on the 'mysql' database, and use that username
and password in the config file.
When a user tries to access phpmyadmin, she's prompted for a username and
password (like with .htaccess authentication). That username and password is
checked against the mysql auth database, and she's given access to whatever
you've configured that user for.
Of course, if you use this method, you have to ensure that the user only has
access to the appropriate databases/tables/fields. You do this with the
standard MySQL authentication/access methods.
For example, say you have a user 'betty', and you want to give her access to
a 'betty' database. You set up a MySQL user called 'betty' (for example) with
NO permissions in the 'user' table in the 'mysql' database. Then you give her
the permissions you want to allow her in the 'db' table in 'mysql'. And so on.
Again, RTFM. Only this time I mean TF MySQL M.
HTH,
adam
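The grant-table setup adam outlines, written out as MySQL statements. This is an added example, not part of the original post: the control user name 'pma', the end user 'betty' with her own 'betty' database, the 'localhost' host restriction (assumes the web server and MySQL run on the same box) and the passwords are all illustrative. The control user's credentials are what go into the phpMyAdmin config file for the advanced (HTTP-style) authentication mode; the exact config keys depend on the phpMyAdmin version, so check the docs for yours.

```sql
-- Added example (not from the original post). Names, hosts and
-- passwords are illustrative assumptions; adjust to your setup.

-- 1. Control user: the account phpMyAdmin itself logs in with to look
--    users up. It needs only SELECT on the 'mysql' grant tables and
--    nothing else, so a compromise of the config file yields no write
--    access to any data.
GRANT SELECT ON mysql.* TO 'pma'@'localhost' IDENTIFIED BY 'pma-password';

-- 2. End user 'betty': a row in mysql.user with NO global privileges
--    (USAGE = "may connect, can do nothing"), then db-level privileges
--    in mysql.db restricted to her own database only.
GRANT USAGE ON *.* TO 'betty'@'localhost' IDENTIFIED BY 'betty-password';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER
      ON betty.* TO 'betty'@'localhost';

-- 3. Make the new rows in the grant tables take effect immediately.
FLUSH PRIVILEGES;

-- 4. Verify: betty should show USAGE on *.* and her rights only on
--    `betty`.*; the mysql.user row for her should be all 'N'.
SHOW GRANTS FOR 'betty'@'localhost';
SELECT Host, User, Select_priv, Insert_priv, Grant_priv
  FROM mysql.user WHERE User IN ('pma', 'betty');
SELECT Host, Db, User, Select_priv, Insert_priv
  FROM mysql.db WHERE User = 'betty';
```

Two caveats a practitioner would add to adam's advice. First, the control user can read every row of mysql.user, including the stored password hashes, so that table's hashes are exposed to anyone who can read the phpMyAdmin config file; keep the file readable by the web server user only. Second, HTTP basic-style authentication sends the username and password in the clear (base64 only) on every request, so put the phpMyAdmin subdomain behind TLS. The `GRANT ... IDENTIFIED BY` form above matches the MySQL versions of the period; on MySQL 8 and later, create the accounts with `CREATE USER ... IDENTIFIED BY` first and then issue the `GRANT` statements without the `IDENTIFIED BY` clause.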