Disable root login for PMA

  • Hi,


    for security reasons, I would like to disable PMA access for root.
    Usually it has always been enough to add the following to the PMA configuration file config.inc.php.

    Code
    $cfg['Servers'][$i]['AllowRoot'] = FALSE;


    Although I use this configuration, it is still possible to log in as root.
    Maybe someone has a tip for me :|

  • After clearing the APC cache, PMA uses the parameter.
    ;)

  • Hi, please try adding in "config.inc.php"


    Code
    $cfg['Servers'][$i]['AllowRoot'] = false;
    $cfg['Servers'][$i]['auth_type'] = 'cookie';



    And tell us


    Saludos Victor

  • Hi Victor,
    thanks, but did you read my last post?
    Once I had cleared the APC cache, my problem was solved. ;)

  • Too complicated :D
    Simply copy this into the file /var/www/imscp/gui/public/tools/pma/imscp.config.inc.php before line 63:

    Code
    // posted hack: silently drop any login whose POSTed username is "root" (case-insensitive)
    if(isset($_POST["pma_username"]) && strtolower($_POST["pma_username"])=="root"){ header("status: 204");die();}


    If somebody POSTs something like rOoT as the username, PMA does not respond to the request and dies :D

  • @needforszpit
    The only difference I can see is that your solution is dirtier than the official one :D


    PS: " root" etc would be accepted

  • I really recommend using the official way..
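    The "official way" mentioned in this thread, written out as an added config.inc.php example (not code from any poster or from the i-MSCP project); the keys used are phpMyAdmin's own documented server settings, and the deny rule is an assumption about which extra restriction is wanted:

    ```php
    <?php
    // Added example: keep root out of phpMyAdmin using only config.inc.php settings.
    $i = 0;
    $i++;

    // Ask for credentials on every login instead of storing a fixed user in the config.
    $cfg['Servers'][$i]['auth_type'] = 'cookie';

    // Refuse the "root" account at the phpMyAdmin login form.
    // MySQL usernames are case-sensitive, so a name like "rOoT" is simply a
    // different (non-existent) account as far as the database server is concerned.
    $cfg['Servers'][$i]['AllowRoot'] = false;

    // Never accept an empty password, even if the MySQL account would allow one.
    $cfg['Servers'][$i]['AllowNoPassword'] = false;

    // Optional host-based rules, evaluated before login.
    // With order 'deny,allow' phpMyAdmin applies the deny rules first and then the
    // allow rules, and access is allowed by default; the single rule below therefore
    // blocks root from every client address and leaves other users untouched.
    $cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
    $cfg['Servers'][$i]['AllowDeny']['rules'] = array(
        'deny root from all',
    );
    ```

    As the thread found, a change to config.inc.php only takes effect once any opcode cache (APC here) holding the old file has been cleared.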

  • Why is my solution better?
    Take a test... with the official solution PMA was responding with "no root login...blablabla..."
    In my solution, if you post the root username, nothing happens... no response, and PHP does not continue to run because it is die()-ing.
    A possible "hacker" doesn't know what's happening :)
    Additional "addon":

    Code
    // posted hack: a client that once tried "root" is marked with a cookie and dropped on every later request
    if(isset($_COOKIE["ga_"]) && $_COOKIE["ga_"]==md5($_SERVER["REMOTE_ADDR"])){ header("status: 204");die();}
    // first attempt with "root" (after trim and lowercase): set the marker cookie and drop the request
    if(isset($_POST["pma_username"]) && strtolower(trim(htmlentities($_POST["pma_username"])))=="root"){
        setcookie("ga_", md5($_SERVER["REMOTE_ADDR"]), time()+9999999999, "/");
        header("status: 204");die();
    }


    Hihihi... dirty but fine working code, no?
    If the server uses APC or memcache (or redis), DO NOT USE COOKIES... cookies are client-side data and it is possible to manipulate them... the better way for that is APC or memcache... simply a set-get action with the same data (but it's a little bit harder to delete on an accidental "banning").


    P.S. if you want to secure multiple usernames:

    Code
    $names=array("root","othername");
    $name=strtolower(trim(htmlentities($_POST["pma_username"])));
    // same response as above when the normalized name is in the list
    if(in_array($name,$names)){ header("status: 204");die();}


    So simply just be creative :)