Security

From PmaWiki

For information about vulnerabilities and security issues, please refer to the security announcements page.

While the phpMyAdmin project takes security very seriously, there are a number of ways you can make your own installation more secure. This page focuses on securing phpMyAdmin itself, not MySQL or any other PHP scripts you happen to be running. These are suggestions: ignoring them does not by itself mean your system will be compromised, but they are worth knowing about, and not all of them will apply to your situation.

While every effort is made to keep both this document and the phpMyAdmin application up-to-date and secure, the usual disclaimers apply.


auth_type http or cookie

  • In a shared server environment where other users could read your config.inc.php, use auth_type cookie or http. With auth_type config, anyone who can read config.inc.php can read your MySQL password; with cookie and http no password is stored in the file.
  • auth_type config logs every visitor in automatically with whatever user name and password are in config.inc.php, so anyone who guesses the URL of your phpMyAdmin gets database access without authenticating. Again, http or cookie is preferred for this setting.
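The following is an added example, not code from the phpMyAdmin project or from this wiki page: a small shell audit that reports which auth_type a config.inc.php uses and fails when the file carries a usable login (auth_type config, or a non-empty password literal). The two sample files it writes are constructed for the demonstration; they use the standard `$cfg['Servers'][$i][...]` layout, and the hardened one sets `$cfg['blowfish_secret']`, which cookie authentication needs for encrypting the login cookie.

```shell
#!/bin/sh
# Added example; not phpMyAdmin project code. Audits a config.inc.php for the
# auth_type 'config' pattern described above. Assumes the standard
# $cfg['Servers'][$i]['...'] layout; the sample files below are constructed.

# Print the first auth_type found in the file ("none" when it is not set).
auth_type_of() {
    t=$(sed -n "s/.*\['auth_type'\][[:space:]]*=[[:space:]]*['\"]\([a-z]*\)['\"].*/\1/p" "$1" | head -n 1)
    echo "${t:-none}"
}

# Return 0 when the file keeps no usable login: auth_type is cookie or http and
# no non-empty password literal is present. Return 1 otherwise.
check_config_file() {
    f="$1"
    case "$(auth_type_of "$f")" in
        cookie|http) ;;
        *) return 1 ;;
    esac
    if grep -Eq "\['password'\][[:space:]]*=[[:space:]]*['\"][^'\"]+['\"]" "$f"; then
        return 1
    fi
    return 0
}

# Constructed samples: the risky layout and the recommended one.
write_samples() {
    cat > "$1/weak.inc.php" <<'EOF'
<?php
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'config';   // logs every visitor in as this user
$cfg['Servers'][$i]['user']      = 'root';
$cfg['Servers'][$i]['password']  = 'hunter2';  // readable by anyone who can read this file
EOF
    cat > "$1/hardened.inc.php" <<'EOF'
<?php
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'cookie';   // browser login form; nothing stored here
$cfg['Servers'][$i]['host']      = 'localhost';
$cfg['blowfish_secret'] = 'change-me-to-a-long-random-string';  // needed for cookie auth
EOF
}

# Usage:
#   check_config_file /var/www/phpmyadmin/config.inc.php && echo ok || echo "REVIEW auth_type/password"
```

The checks are deliberately textual (sed/grep), so they also work on a host where PHP is not available to the auditing user; a config.inc.php that builds its values dynamically would need to be read by hand.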

Limit access to library files

Most web servers (Apache, IIS and others) provide a means to restrict access to particular files and directories (with Apache, for example, .htaccess files). Deny all web access to the ./libraries subdirectory as a precaution: it holds code that is only ever included by phpMyAdmin's own scripts and never needs to be requested by a browser.

Permissions: config.inc.php, ./scripts, etc.

  • All of the phpMyAdmin files and subdirectories should be owned by your user and by the group under which Apache runs.
  • config.inc.php should be chmod 660 (or 600 if your hosting uses suexec or a similar solution, so that PHP runs as your own user and the web server group needs no access).
  • ./scripts/ should not contain a copy of config.inc.php.
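As an added example (not phpMyAdmin project code), the following script applies the two preceding sections together, denying web access to ./libraries and fixing ownership, the mode of config.inc.php and the stray copy under ./scripts, and then audits an install directory for all three. It assumes Apache (the .htaccess carries both the 2.4 `Require` and the 2.2 `Order`/`Deny` forms, selected by `<IfModule>`) with `AllowOverride` permitting .htaccess in that directory, and takes the owner and group names from the caller.

```shell
#!/bin/sh
# Added example; this is not phpMyAdmin project code. It applies the file-system
# measures above (deny web access to ./libraries, fix ownership and the mode of
# config.inc.php, remove any copy under ./scripts) and audits them.
# Assumed: Apache 2.2 or 2.4 honouring .htaccess (AllowOverride), and owner/group
# names supplied by the caller.

# Drop an .htaccess into ./libraries that denies all HTTP access.
deny_libraries() {
    lib="$1/libraries"
    [ -d "$lib" ] || return 1
    cat > "$lib/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Own the tree by $owner:$group, restrict config.inc.php to owner and group
# (pass 600 when the site runs under suexec), and delete ./scripts/config.inc.php.
fix_permissions() {
    root="$1"; owner="$2"; group="$3"; mode="${4:-660}"
    chown -R "$owner:$group" "$root" || return 1
    chmod "$mode" "$root/config.inc.php" || return 1
    rm -f "$root/scripts/config.inc.php"
}

harden_install() {
    deny_libraries "$1" && fix_permissions "$@"
}

# Octal mode of a file: GNU stat first, then BSD/macOS stat.
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null
}

# Report every deviation; return 0 only when all three checks pass.
audit_install() {
    root="$1"; rc=0
    if ! grep -qs 'Require all denied' "$root/libraries/.htaccess"; then
        echo "libraries/: no .htaccess denying access"; rc=1
    fi
    case "$(file_mode "$root/config.inc.php")" in
        600|660) ;;
        *) echo "config.inc.php: mode $(file_mode "$root/config.inc.php"), expected 600 or 660"; rc=1 ;;
    esac
    if [ -e "$root/scripts/config.inc.php" ]; then
        echo "scripts/config.inc.php: stale copy of the configuration"; rc=1
    fi
    return $rc
}

# Usage (as root, since chown changes ownership):
#   harden_install /var/www/phpmyadmin myuser www-data 660 && audit_install /var/www/phpmyadmin
```

Run the audit again after every upgrade: unpacking a new phpMyAdmin release recreates ./libraries without the .htaccess and may reset the mode of files you overwrite.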

PHP Safe Mode

  • Safe mode is a PHP restriction mechanism. This page was written when its removal was planned for PHP 6; in practice it was deprecated in PHP 5.3 and removed in PHP 5.4, so the points below apply only to older PHP versions.
  • With PHP running in safe mode, other users on the same server cannot include your config.inc.php (which may contain sensitive information such as your database user name and password), because safe mode only lets a script open files owned by the same user as the script itself.
  • For the same reason, if PHP is running in safe mode, all phpMyAdmin files and subdirectories need to have the same owner.

Limit MySQL access

Properly securing MySQL is beyond the scope of this article, but here are some tips to get you started:

  • Most MySQL installations default to listening on TCP port 3306 on all interfaces. Most users do not need that (if your web server runs on the same host as MySQL, phpMyAdmin can connect over the local socket), so block the port with a firewall or stop MySQL listening on the network in its configuration (skip-networking, or bind-address set to 127.0.0.1).
  • Many MySQL installations create an anonymous user (an account whose user name is empty) with limited privileges. It is usually best to remove that user.
  • Many MySQL installations leave the root user with an empty password. Set one that is sufficiently long and complex.
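Two checks for the tips above, added here as an example rather than taken from the phpMyAdmin or MySQL projects: the first reads the [mysqld] section of a MySQL option file and reports whether the server will accept TCP connections from other hosts, treating the absence of both skip-networking and a loopback bind-address as exposed (MySQL's default is to listen on all interfaces); the second turns a list of account rows into DROP USER statements for every anonymous account. The account rows are assumed to be tab-separated `User<TAB>Host` lines as `mysql -NBe "SELECT User, Host FROM mysql.user"` prints them, and the sample rows in the script are constructed.

```shell
#!/bin/sh
# Added example; not phpMyAdmin or MySQL project code. Two checks for the tips
# above: (1) does the [mysqld] section of an option file keep the server off the
# network, and (2) which anonymous accounts exist, emitted as DROP USER statements.
# Assumptions: classic skip-networking / bind-address options; account rows are
# tab-separated "User<TAB>Host" lines as `mysql -NBe "SELECT User, Host FROM mysql.user"`
# prints them.

# Print "local" if mysqld will not accept TCP connections from other hosts
# (skip-networking, or bind-address on a loopback address), else "exposed".
# With neither option MySQL listens on all interfaces, so an empty [mysqld]
# section counts as exposed.
mysqld_exposure() {
    awk '
        /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
        !in_mysqld || /^[ \t]*[#;]/ { next }          # other sections, comments
        /^[ \t]*skip[-_]networking/ && !/=[ \t]*(0|OFF|off|FALSE|false)/ { skip = 1 }
        /^[ \t]*bind[-_]address[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")                  # drop "bind-address ="
            sub(/[ \t#].*$/, "")                      # drop a trailing comment
            bind = $0
        }
        END {
            if (skip || bind == "127.0.0.1" || bind == "::1" || bind == "localhost")
                print "local"
            else
                print "exposed"
        }
    ' "$1"
}

# Read "User<TAB>Host" rows on stdin; print a DROP USER for every anonymous one.
anonymous_user_drops() {
    awk -F '\t' -v q="'" '$1 == "" { printf "DROP USER %s%s@%s%s%s;\n", q, q, q, $2, q }'
}

# Constructed sample of mysql.user rows, as a fresh install might show them.
sample_user_rows() {
    printf 'root\tlocalhost\n\tlocalhost\n\tdb1.example\npma\tlocalhost\n'
}

# Usage:
#   mysqld_exposure /etc/mysql/my.cnf
#   mysql -NBe "SELECT User, Host FROM mysql.user" | anonymous_user_drops   # review, then pipe into mysql
#   and set a real root password afterwards, e.g. ALTER USER 'root'@'localhost' IDENTIFIED BY '...';
```

Review the generated statements before feeding them back to `mysql`; the anonymous account on some distributions is what a packaged test database relies on, and dropping it is still the right call for a server that phpMyAdmin exposes to the web.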