[Bug 416183] Re: phpmyadmin setup unsuitable for suexec setup

Joachim Durchholz jo at durchholz.org
Mon Oct 19 18:11:50 UTC 2009


> The credentials in config-db.php are used only as a control user for
> phpMyAdmin - it allows phpMyAdmin to manipulate its tables without
> giving all users privileges to do so.

Good thing that phpMyAdmin can work without a set of its own tables
(which are, if I'm not mistaken, for doing metamodel stuff with the
databases, which is unsuitable to a webserver setup with per-user
databases anyway).

Here's a revised list of suggestions:

1) When asking the administrator for a user name and password during installation,
1a) inform him that this information will be accessible to anybody who can install PHP scripts on the machine, so they don't inadvertently use a password that protects more valuable things (this is why I think this is a security issue),
1b) inform him what this username/password combination is good for, and give the option to not give any at all (and inform him what functions of phpMyAdmin will not work in that case so he can make an informed decision);
2) in Config.class.php, call is_readable("config-db.php") before doing the require("config-db.php") call, so phpMyAdmin will not crash without an error message. (Maybe is_readable isn't the right function for the job. It's been a year since I did anything serious with PHP.) (This proposal may have to be propagated upstream.)

-- 
phpmyadmin setup unsuitable for suexec setup
https://bugs.launchpad.net/bugs/416183
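
Suggestion 2 above (check readability before the require, so an unreadable config-db.php does not end in a crash with no message) could look like the following; this is an added example, not code from the message, phpMyAdmin or the Ubuntu package. The helper name, the placeholder path and the `$dbuser`/`$dbpass` variable names are assumptions.

```php
<?php
// Added illustration. load_control_credentials() is a hypothetical helper and
// $dbuser/$dbpass are assumed names for what config-db.php defines.

/**
 * Return ['user' => ..., 'pass' => ...] from the credentials file, or null
 * when the file is absent or not readable by the account PHP runs as
 * (the suexec case: scripts run as the site owner, not the web server user).
 */
function load_control_credentials(string $path): ?array
{
    clearstatcache(true, $path);
    if (!is_file($path) || !is_readable($path)) {
        // Tell the administrator via the error log; nothing is echoed to the browser.
        error_log("phpMyAdmin: cannot read $path, continuing without control user");
        return null;
    }

    // Including inside a function keeps the file's variables out of global scope.
    // Permissions can still change between the check and the include, so this
    // check improves the error path; it is not an access control.
    $dbuser = $dbpass = null;
    require $path;

    if (!is_string($dbuser) || $dbuser === '') {
        return null; // no control user configured (the option asked for in 1b)
    }
    return ['user' => $dbuser, 'pass' => (string) $dbpass];
}

$creds = load_control_credentials('/path/to/config-db.php'); // placeholder path
if ($creds === null) {
    // Degrade: features that need phpMyAdmin's own tables are switched off,
    // and each user logs in with their own database credentials.
    $controlFeaturesEnabled = false;
} else {
    $controlFeaturesEnabled = true;
}
```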