
Re: [cobalt-security] phpmyadmin protected by >htaccess



Robbert Hamburg <rhamburg@xxxxxx> said:

> I have a question which I think can be a potential security risk for my
> server. Let me explain.
> I want to install phpmyadmin and want to protect it with a htaccess file.
> For normal users it should be enough however I think that it isn't enough
> for more advanced users.
> Can you please tell me what risk I run on my server doing it the way
> described above for using phpmyadmin, run under a subdomain.
> Perhaps you have some thoughts about setting it up better protected.
>
RTFM. Specifically, the section in the phpmyadmin docs about advanced 
authentication.

Basically, advanced authentication emulates basic HTTP authentication using 
the MySQL authentication database. All you need to do is set up a MySQL user 
that only has SELECT access on the 'mysql' database, and use that username 
and password in the config file.

When a user tries to access phpmyadmin, she's prompted for a username and 
password (like with .htaccess authentication). That username and password are 
checked against the mysql auth database, and she's given access to whatever 
you've configured that user for.

Of course, if you use this method, you have to ensure that the user only has 
access to the appropriate databases/tables/fields. You do this with the 
standard MySQL authentication/access methods.

For example, say you have a user 'betty', and you want to give her access to 
a 'betty' database. You set up a MySQL user called 'betty' (for example) with 
NO permissions in the 'user' table in the 'mysql' database. Then you give her 
the permissions you want to allow her in the 'db' table in 'mysql'. And so on.

Again, RTFM. Only this time I mean TF MySQL M.

HTH,
adam
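As an added example (not part of adam's post), here is the privilege layout he describes expressed with GRANT statements rather than by editing the `user` and `db` tables in `mysql` by hand; the account names 'pma' and 'betty', the hosts and the placeholder passwords are assumptions chosen for illustration.

```sql
-- Added example, not from the original post. Names, hosts and the
-- CHANGE-ME passwords are assumptions for illustration.

-- 1. The control user phpMyAdmin logs in with to verify the username and
--    password the browser prompts for. It only needs to read the grant
--    tables, so it gets SELECT on the 'mysql' database and nothing else.
CREATE USER 'pma'@'localhost' IDENTIFIED BY 'CHANGE-ME-control-password';
GRANT SELECT ON mysql.* TO 'pma'@'localhost';

-- 2. An ordinary user with NO global privileges (her row in mysql.user
--    carries only USAGE) and rights confined to her own 'betty' database,
--    i.e. the row that ends up in mysql.db.
CREATE DATABASE IF NOT EXISTS betty;
CREATE USER 'betty'@'%' IDENTIFIED BY 'CHANGE-ME-betty-password';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER
    ON betty.* TO 'betty'@'%';
FLUSH PRIVILEGES;

-- 3. Check the result: betty should show USAGE globally and privileges
--    only on `betty`.*; pma should show SELECT on `mysql`.* only.
SHOW GRANTS FOR 'betty'@'%';
SHOW GRANTS FOR 'pma'@'localhost';

-- 4. The same information as it appears in the grant tables adam refers to.
SELECT User, Host, Select_priv, Insert_priv
  FROM mysql.user WHERE User IN ('pma', 'betty');
SELECT User, Host, Db, Select_priv, Insert_priv, Drop_priv
  FROM mysql.db WHERE User = 'betty';
```

Note that SELECT on `mysql`.* lets the control account read every user's password hash, so its password deserves the same care as a full administrative credential.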