[MOD] phpmyadmin usergroup lockdown

Section with modification and patches for Vesta
jonn
Posts: 72
Joined: Sun Jun 08, 2014 12:18 pm

[MOD] phpmyadmin usergroup lockdown

Postby jonn » Fri Feb 12, 2016 7:58 am

This mod will alter one bash script file used by vestacp and add users to pma__users automatically.
Basically this will copy the users into the pma__users table allowing you to set what they can do in phpmyadmin via the usergroups option.
This mod will allow the TABS - Databases, SQL, Export, Import, and disable the rest, nifty.

Firstly if you haven't add the phpmyadmin fixer https://forum.vestacp.com/viewtopic.php?f=14&t=10307 by skurudo. do that part first as pma database must be configured for this to work.

We are going to modify the db.sh script, this file will not survive vestacp update, you will need to apply this mod again if the db.sh is replaced on update...

There are two other ways to approach this mod this one was the fastest, only one file had to be modified, so an update later if needed would be easy.

Okay here we go..

1) First lets log into phpmyadmin as root

2) At the top there is a TAB named Users, click it...
a: click the link "User groups"
b: click the link "Add user group"
c: Name the first group "Admin" select Check all. press GO to save.
d: click the link "Add user group"
e: Name the second group "User" select Check all then under Server-level tabs uncheck everything except for;
[*] Databases
[*] SQL
[*] Export
[*] Import
everything else under Server-level tabs should be unchecked.
Database-level tabs & Table-level tabs should be all checked, but you can uncheck what you want its up to you.
f:press GO to save the "User"


Now you should see two usergroups setup under Users -> User groups. Okay see it.. good.
Lets move on to the next part...

BACKUP

Code: Select all

cp /usr/local/vesta/func/db.sh /usr/local/vesta/func/db.sh.backup_orig


OPEN

Code: Select all

nano /usr/local/vesta/func/db.sh


First we will find the section that adds the database and modify that to also add the user the the pma__users table.

FIND THIS

Code: Select all

# Create MySQL database
add_mysql_database() {
    mysql_connect $host


ADD THIS AFTER

Code: Select all

    query="INSERT INTO \`phpmyadmin\`.\`pma__users\` (username,usergroup) VALUES ('$dbuser','User')"
    mysql_query "$query" > /dev/null


Next we we alter when the database is removed to also delete the user from the pma__users table..

FIND THIS

Code: Select all

# Delete MySQL database
delete_mysql_database() {
    mysql_connect $HOST


ADD THIS AFTER

Code: Select all

    query="DELETE FROM \`phpmyadmin\`.\`pma__users\` WHERE \`pma__users\`.\`username\` = '$DBUSER' AND \`pma__users\`.\`usergroup\` = 'User'"
    mysql_query "$query" > /dev/null
   


BACKUP WITH MOD

Code: Select all

cp /usr/local/vesta/func/db.sh /usr/local/vesta/func/db.sh.backup_mod_pma



Run some tests user db tests create,delete, login as the user and see the tabs disappear etc...,
Any suggestions of modifications and patches will be amended to the first post.
Hope you can make use of this mod.

Happy coding...



//==============================//
Additional changes below are mainly for shared hosting environments, we can disable a lot of things in phpmyadmin and keep it simple for users, if you see 404/403/500 in error logs you can investigate if they are attempting to use things you clearly have disabled.
Additions======
Changes today.. 25th Feb
Additional file blocking to superuser only, and change to error display.
Disable viewing of sections to only superuser/root. ===========================
Will NOT survive a myphpadmin update.
OPEN AND EDIT ALL /usr/share/phpmyadmin/

Code: Select all

prefs_manage.php
prefs_forms.php
server_variables.php
server_status_variables.php
server_status_queries.php
server_status_processes.php
server_status.php
server_status_monitor.php
server_status_advisor.php
server_plugins.php
server_modules.php
server_engines.php
server_binlog.php


These may also need it if using under phpmyadmin 4.5.5 also check the url in address bar.

nano /usr/share/phpmyadmin/server_privileges.php
nano /usr/share/phpmyadmin/server_replication.php
nano /usr/share/phpmyadmin/server_variables.php



ADD AT TOP JUST UNDER require_once 'libraries/common.inc.php';

Code: Select all

/**
 * Checks if the user is allowed to do what he tries to...
 */
if (! $is_superuser) {
    $html = PMA_Message::error(__('No Privileges'))->getDisplay();
    $response->addHTML($html);
    exit;
}


====================================================================

Disable some globals, and also the prefs table(<--optional)

OPEN

Code: Select all

nano /etc/phpmyadmin/config.inc.php


ADD THIS TO TOP AFTER COMMENTS

Code: Select all

$cfg['PmaNoRelation_DisableWarning'] = true; /*optional hide warning if disabling [$i][userconfig] below */
$cfg['ThemeManager'] = false; /* hide dropdown select to change theme */
$cfg['ShowStats'] = false; /* hide stats */
$cfg['ShowServerInfo'] = false; /* hide server details */
$cfg['ShowPhpInfo'] = false; /* hide more server details */
$cfg['ShowChgPassword'] = false; /* hide password changing form */
$cfg['ShowCreateDb'] = false; /* hide creation of databases form */
$cfg['ShowGitRevision'] = false; /* hide more version details */


THIS IS OPTIONAL.
USE SAME FILE /etc/phpmyadmin/config.inc.php
This will disable the adding of default preferences on database creation to the pma_userconfig table, it is unnecessary.
FIND THIS

Code: Select all

$cfg['Servers'][$i]['userconfig'] = 'pma__userconfig';

REPLACE WITH THIS

Code: Select all

$cfg['Servers'][$i]['userconfig'] = false;


.....

Return to “Modification & Patches”



Who is online

Users browsing this forum: No registered users and 1 guest