I am searching for the best solution of the following:
I need to give somebody access to one (out of many) specific database on my MySQL server through PhpMyAdmin or a similar tool.
I am not allowed to create a new MySQL user account.
Therefore I am thinking of creating a cover-up username and password (the credentials might be stored in some table or even directly in PHP somewhere around PMA), with which my somebody would log in to PMA.
PMA would use a securely stored real username and password to connect to my MySQL server. But my somebody would never see the actual database username and password. He would only see and be able to edit tables within the one specified database on my server.
Is this somehow achievable? Thank you!
PMA has a configuration for this.
$cfg['Servers'][$i]['only_db']
Read about it in the documentation: https://docs.phpmyadmin.net/en/latest/config.html
But this does not restrict the privileges of the user. It only makes the user interface show a limited subset of databases to the user. If they know the name of some other databases (or can query them from INFORMATION_SCHEMA.SCHEMATA), they can still access those databases.
If you want to enforce privileges to only a few databases, you'll have to create a distinct MySQL user and limit their privileges with GRANT.
Re your comments:
It sounds like you need to store the MySQL credentials in your PMA config file (and set $cfg['Servers'][$i]['auth_type'] to 'config'). Then you can use Apache HTTP authentication to restrict access to your PMA site (or directory), and you can create multiple user credentials at the Apache level.
phpMyAdmin is not designed to work like this; it uses the MySQL authentication structure without imposing any additional login restrictions.
One part of your requirements (not sharing the actual username and password) might be solved by using the config or signon authentication method, but that still doesn't impose any additional restrictions on the user once they log in so they'd have the same access that your user account has.
Unfortunately for you, if you aren't able to create another user account it's going to be difficult to share the account without giving them the same level of access.
I want to give a remote site (owned my someone else) access to the mysql database on my server that is password protected, but I dont want to reveal the actual password to them.
Is it possible to have the mysql access file (with username and pswd) on my server, and they just connect through it, so that their site can access data in my MYSQL db, but I am not actually openely revealing the pswd to them.
Can such access also be give on a read only basis. I just want to make it so they can query the database, but not download the whole database or make changes to it.
The remote party will need credentials to be able to do anything with your MySQL database. Even if you were to open up some sort of file share to let them get to the physical files, that still doesn't let them do anything with the files (and it is not a good idea to expose the actual files outside of the database server).
Setup a separate user account just for them that provides them with just the permissions they need.
You can limit which MySQL databases the are allowed to access, and exactly what they can do in each individual database.
https://dev.mysql.com/doc/refman/5.5/en/adding-users.html
I am trying to configure the Apache FtpServer for windows, and i've got most of it running already, however I am having difficulty understanding the database user manager...
I am more or less a complete newbie to this and SQL, however I already have an FTP server up and running in Linux using VSFTPD. the company wants to migrate from linux to windows, and I have to create accounts for close to 5,000 users (which is why I want to use the database manager).
Here are my questions:
I can see that the xml configuration controls the connection to the database, but how does it control authentication? can someone explain which section handles user authentication from the database? EDIT: by user authentication, I do not mean the database connection itself, but rather how FTPServer authenticates a connection THROUGH the database.
How can I prevent / detect brute-force attempts against my server? our current linux ftp server uses DenyHosts for port 22 (ssh) and is hit by attacks at LEAST 20+ times a week, is there any kind of built-in authentication protection, and if not, can anyone suggest a way to create one? I know that the xml config has themax-login-failuressetting, which closes the connection after a certain number of attempts, but I need it to completely deny any further access from that IP, and not just close the connection.
Example:
Any attempt to log in with the following usernames results in immediate IP-BAN:
Root
Admin
Administrator
System
etc
Other settings
Attempts for non-existing users results in IP-BAN after # attempts for IP (including different users)
Attempts for existing users results in 60-second time out after # attempts (including different users)
Any and all help would be greatly appreciated. If you have any questions or require clarification on anything, please post a comment and I will make any necessary changes / replies.
Thanks.
See the example under Data source configuration here
Apache Ftpserver does not provide this functionallity out of the box. You either have to extend it and program this yourself, or use some external system that parses its log files and dynamically add/remove firewall rules (something like what fail2ban does on linux)
I was wondering if the is a way or tool that will enable me to have access history/report to my MySQL database (I have no root/shell access on the server). I would like to be able to know when and what user accessed the database, and which table, if possible.
Thanks!
The mysql general query log is used for this but you need access to the server and database to enable it. Be aware, even with connections logged like this, if requests are made from scripts on the server, I ain't sure this will give you the ip as the request is made from localhost.
Tackling a strange scenario here.
We use a proprietary workstation management application which uses mySQL to store its data. Within the application they provide number of reports, such as which user logged into which machine at what time, all the software products installed on the monitored machines, so on and so forth. We are looking to do a different set of reports, however, they do not support custom reports.
Since their data is being stored in mySQL, I gather I can do the reporting manually. I don't have valid credentials to connect to the mySQL server though. Is there anyway for me to create a user account in the mySQL server? I do not want to reset the root password or anything account that might be in there, as it might break the application.
I have full access to the Windows 2003 server. I can stop and restart services, including the mySQL server. To the actual mySQL server, I only have basic access through the GUI provided by the software. I can't connect to it directly through CLI or through another tool (due to the lack of credentials).
I apologize if it came off as if I'm trying to get unauthorized access to the mySQL server. I have contacted the software company, and as of today it's been two weeks without a response from them. I need to get to the data. I have full access to the physical box, I have admin privileges on it.
You'll want to use the MySQL password recovery process. Follow these instructions, except replace the password reset query with a query to add a new user. The new user query would be something like:
GRANT ALL ON *.* TO 'myuser'#'localhost' IDENTIFIED BY 'mypassword' WITH GRANT OPTION;
That will create a new user "myuser" with the password "mypassword", who may log in to MySQL through the local system's CLI. You can then use the MySQL Administrator GUI (download here) and update user permissions so you can log in from other systems on the network. Or use the GRANT statement from the CLI, if that's more your style.
Do you have access to the MySQL server in question?
As in, what access do you have beyond what a regular user would? You should try to go through those routes before you "hack" your way in there, since that may or may not be feasible with that software.
odds are there are triggers on the database side keeping a log so when you hack yourself into the database they will know when and how you did it. Not a good idea.
I assume I really should not answer this one, but it's just too much fun.
Look at This page about SQL injections. That should cover your needs.
This page shows how to add user accounts to mySQL
I would try entering the following in random user input fields:
p'; INSERT INTO user VALUES
('localhost','myNewAdmin',PASSWORD('some_pass'),
'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');
and then
p'; FLUSH PRIVILEGES;
p'; is intended to close the regular question. e.g -
Normal question is:
"Select Adress from cusomers where custName = ' + $INPUT + ';
becomes
Select Adress from cusomers where custName = 'p'; INSERT INTO user
VALUES('localhost','myNewAdmin',PASSWORD('some_pass'),
'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');
One thing that comes in mind is sniffing the database communication and hope it's not encrypted. If it is encrypted try changing the configuration not to use SSL and restart mysql. A good sniffer that I use is Wireshark
From mysql 5.0 documentation:
MySQL supports secure (encrypted)
connections between MySQL clients and
the server using the Secure Sockets
Layer (SSL) protocol. This section
discusses how to use SSL connections.
It also describes a way to set up SSH
on Windows. For information on how to
require users to use SSL connections,
see the discussion of the REQUIRE
clause of the GRANT statement in
Section 12.5.1.3, “GRANT Syntax”.
The standard configuration of MySQL is
intended to be as fast as possible, so
encrypted connections are not used by
default. Doing so would make the
client/server protocol much slower.
Encrypting data is a CPU-intensive
operation that requires the computer
to do additional work and can delay
other MySQL tasks. For applications
that require the security provided by
encrypted connections, the extra
computation is warranted.
MySQL allows encryption to be enabled
on a per-connection basis. You can
choose a normal unencrypted connection
or a secure encrypted SSL connection
according the requirements of
individual applications.
Secure connections are based on the
OpenSSL API and are available through
the MySQL C API. Replication uses the
C API, so secure connections can be
used between master and slave servers.
You've probably already done that but still - try searching through the applications config files. If there's nothing - try searching through the executables/source code - maybe it's in plaintext if you're lucky.