
[MOD] phpmyadmin usergroup lockdown

Posted: Fri Feb 12, 2016 7:58 am
by jonn
This mod alters one bash script file used by VestaCP and adds users to pma__users automatically.
Basically it copies the database users into the pma__users table, allowing you to set what they can do in phpMyAdmin via the usergroups option.
This mod allows the tabs Databases, SQL, Export and Import, and disables the rest; nifty.

Firstly, if you haven't added the phpMyAdmin fixer viewtopic.php?f=14&t=10307 by skurudo, do that part first, as the pma database must be configured for this to work.

We are going to modify the db.sh script. This file will not survive a VestaCP update; you will need to apply this mod again if db.sh is replaced on update...

There are two other ways to approach this mod; this one was the fastest, as only one file had to be modified, so re-applying it after an update would be easy.

Okay here we go..

1) First, let's log into phpMyAdmin as root.

2) At the top there is a tab named Users, click it...
a: click the link "User groups"
b: click the link "Add user group"
c: Name the first group "Admin", select Check all, press GO to save.
d: click the link "Add user group"
e: Name the second group "User", select Check all, then under Server-level tabs uncheck everything except for:
- Databases
- SQL
- Export
- Import
Everything else under Server-level tabs should be unchecked.
Database-level tabs and Table-level tabs should all be checked, but you can uncheck what you want; it's up to you.
f: press GO to save the "User" group.


Now you should see two usergroups set up under Users -> User groups. Okay, see it.. good.
Let's move on to the next part...

BACKUP

cp /usr/local/vesta/func/db.sh /usr/local/vesta/func/db.sh.backup_orig

OPEN

nano /usr/local/vesta/func/db.sh

First we will find the section that adds the database and modify it to also add the user to the pma__users table.

FIND THIS

# Create MySQL database
add_mysql_database() {
    mysql_connect $host
ADD THIS AFTER

    query="INSERT INTO \`phpmyadmin\`.\`pma__users\` (username,usergroup) VALUES ('$dbuser','User')"
    mysql_query "$query" > /dev/null
Next we alter the section that runs when the database is removed, so that it also deletes the user from the pma__users table..

FIND THIS

# Delete MySQL database
delete_mysql_database() {
    mysql_connect $HOST
ADD THIS AFTER

    query="DELETE FROM \`phpmyadmin\`.\`pma__users\` WHERE \`pma__users\`.\`username\` = '$DBUSER' AND \`pma__users\`.\`usergroup\` = 'User'"
    mysql_query "$query" > /dev/null

BACKUP WITH MOD

cp /usr/local/vesta/func/db.sh /usr/local/vesta/func/db.sh.backup_mod_pma

Run some tests: create and delete user databases, log in as the user and see the tabs disappear, etc.
Any suggestions of modifications and patches will be amended to the first post.
Hope you can make use of this mod.
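Added here as an example (not from jonn's mod): a shell script that generates the SQL to bring pma__users in line with the MySQL users that actually exist, since the db.sh hooks only cover databases created or deleted after the patch, and a dbuser shared by two databases loses its pma__users row when the first of those databases is deleted. The mysql queries in the header comment and the safe-name character set are assumptions, and the user lists are constructed samples.

```shell
#!/bin/sh
# Added example, not part of jonn's mod: emit SQL that reconciles pma__users
# with the MySQL users that actually exist. The db.sh hooks only fire after the
# patch, so earlier users never get the "User" group, and a dbuser shared by
# two databases loses its row when the first of them is deleted. Name lists
# come in one per line (constructed below); live input would be, assumed:
#   mysql -N -e "SELECT DISTINCT User FROM mysql.user WHERE User<>'root'"
#   mysql -N -e "SELECT username FROM phpmyadmin.pma__users WHERE usergroup='User'"

valid_name() {  # letters, digits, underscore only (assumed safe set for Vesta db users)
    case "$1" in ''|*[!A-Za-z0-9_]*) return 1 ;; *) return 0 ;; esac
}

# in_list NAME LIST -> 0 if NAME is an exact line of LIST
in_list() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# pma_sync_sql REAL_USERS PMA_USERS -> one statement per line on stdout
pma_sync_sql() {
    real="$1"; pma="$2"
    # missing from pma__users: INSERT IGNORE so a re-run stays harmless
    printf '%s\n' "$real" | while IFS= read -r u; do
        [ -z "$u" ] && continue
        valid_name "$u" || { echo "skipping bad name: $u" >&2; continue; }
        in_list "$u" "$pma" && continue
        printf "INSERT IGNORE INTO \`phpmyadmin\`.\`pma__users\` (username,usergroup) VALUES ('%s','User');\n" "$u"
    done
    # rows whose MySQL user is gone: DELETE the stale "User" mapping
    printf '%s\n' "$pma" | while IFS= read -r u; do
        [ -z "$u" ] && continue
        valid_name "$u" || continue
        in_list "$u" "$real" && continue
        printf "DELETE FROM \`phpmyadmin\`.\`pma__users\` WHERE username='%s' AND usergroup='User';\n" "$u"
    done
    return 0
}

# Constructed sample: admin_shop predates the mod, admin_blog is already
# mapped, old_site was dropped from MySQL, and bad;name must be refused.
REAL_USERS="admin_shop
admin_blog
bad;name"
PMA_USERS="admin_blog
old_site"
pma_sync_sql "$REAL_USERS" "$PMA_USERS"
```

Pipe the output into mysql only after reading it; names that fail the character check are reported on stderr and left out rather than guessed at.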

Happy coding...



//==============================//
The additional changes below are mainly for shared hosting environments: we can disable a lot of things in phpMyAdmin and keep it simple for users, and if you see 404/403/500 entries in the error logs you can investigate whether someone is attempting to use things you have clearly disabled.
Additions
Changes today (25th Feb): additional file blocking to superuser only, and a change to the error display. Disable viewing of sections to superuser/root only.
===========================
Will NOT survive a phpMyAdmin update.
OPEN AND EDIT ALL of the following files in /usr/share/phpmyadmin/:

prefs_manage.php
prefs_forms.php
server_variables.php
server_status_variables.php
server_status_queries.php
server_status_processes.php
server_status.php
server_status_monitor.php
server_status_advisor.php
server_plugins.php
server_modules.php
server_engines.php
server_binlog.php


These may also need it if you are running phpMyAdmin 4.5.5; also check the URL in the address bar.

nano /usr/share/phpmyadmin/server_privileges.php
nano /usr/share/phpmyadmin/server_replication.php
nano /usr/share/phpmyadmin/server_variables.php

ADD AT THE TOP, JUST UNDER require_once 'libraries/common.inc.php';

/**
 * Checks if the user is allowed to do what he tries to...
 */
if (! $is_superuser) {
    $html = PMA_Message::error(__('No Privileges'))->getDisplay();
    $response->addHTML($html);
    exit;
}
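Added example, not part of jonn's post: a script that inserts the same guard into every file from the list above, skipping files that already carry it and keeping a .bak copy, so it can be re-run after a phpMyAdmin update without doubling the check. It assumes the 4.x layout where each page starts with require_once 'libraries/common.inc.php'; add_guard and apply_guards are names chosen here.

```shell
#!/bin/sh
# Added example, not part of jonn's post: put the superuser guard into the
# phpMyAdmin pages listed above without opening each one by hand. A file is
# skipped if it already carries the guard (so re-running after a phpMyAdmin
# update is safe) and copied to FILE.bak before it is rewritten. Assumes the
# 4.x layout from the post, each page starting with the require_once line.

PMA_ANCHOR="require_once 'libraries/common.inc.php';"
PMA_MARK='superuser-only guard (added by mod)'
PMA_GUARD="/* $PMA_MARK */
if (! \$is_superuser) {
    \$html = PMA_Message::error(__('No Privileges'))->getDisplay();
    \$response->addHTML(\$html);
    exit;
}"

# add_guard FILE -> 0 inserted, 1 already guarded, 2 anchor line not found
add_guard() {
    f="$1"
    grep -qF "$PMA_MARK" "$f" && return 1
    grep -qF "$PMA_ANCHOR" "$f" || return 2
    tmp=$(mktemp) || return 3
    printf '%s\n' "$PMA_GUARD" > "$tmp"
    cp -p "$f" "$f.bak"
    # sed 'r' appends the guard file after every line matching the anchor
    sed "\#$PMA_ANCHOR#r $tmp" "$f.bak" > "$f"
    rm -f "$tmp"
}

# apply_guards DIR -> run add_guard over the pages from the post, report each
apply_guards() {
    dir="$1"
    for p in prefs_manage prefs_forms server_variables server_status_variables \
             server_status_queries server_status_processes server_status \
             server_status_monitor server_status_advisor server_plugins \
             server_modules server_engines server_binlog; do
        [ -f "$dir/$p.php" ] || { echo "$p.php: missing"; continue; }
        rc=0; add_guard "$dir/$p.php" || rc=$?
        case $rc in
            0) echo "$p.php: guard added" ;;
            1) echo "$p.php: already guarded" ;;
            *) echo "$p.php: anchor not found, edit by hand" ;;
        esac
    done
}

# e.g. apply_guards /usr/share/phpmyadmin   (try it on a copy of the dir first)
```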
====================================================================

Disable some globals, and also the prefs table (optional).

OPEN

nano /etc/phpmyadmin/config.inc.php

ADD THIS TO THE TOP, AFTER THE COMMENTS

$cfg['PmaNoRelation_DisableWarning'] = true; /*optional hide warning if disabling [$i][userconfig] below */
$cfg['ThemeManager'] = false; /* hide dropdown select to change theme */
$cfg['ShowStats'] = false; /* hide stats */
$cfg['ShowServerInfo'] = false; /* hide server details */
$cfg['ShowPhpInfo'] = false; /* hide more server details */
$cfg['ShowChgPassword'] = false; /* hide password changing form */
$cfg['ShowCreateDb'] = false; /* hide creation of databases form */
$cfg['ShowGitRevision'] = false; /* hide more version details */
THIS IS OPTIONAL.
USE THE SAME FILE /etc/phpmyadmin/config.inc.php
This disables the adding of default preferences to the pma__userconfig table on database creation; it is unnecessary.
FIND THIS

$cfg['Servers'][$i]['userconfig'] = 'pma__userconfig';
REPLACE WITH THIS

$cfg['Servers'][$i]['userconfig'] = false;
.....