> The credentials in config-db.php are used only as a control user for
> phpMyAdmin - it allows phpMyAdmin to manipulate its tables without
> giving all users privileges to do so.

Good thing that phpMyAdmin can work without a set of its own tables
(which are, if I'm not mistaken, for doing metamodel stuff with the
databases, which is unsuitable to a webserver setup with per-user
databases anyway).

Here's a revised list of suggestions:

1) When asking the administrator for a user name and password during
   installation,
   1a) inform him that this information will be accessible to anybody who
       can install PHP scripts on the machine, so they don't inadvertently
       use a password that protects more valuable things (this is why I
       think this is a security issue),
   1b) inform him what this username/password combination is good for, and
       give the option to not give any at all (and inform him what
       functions of phpMyAdmin will not work in that case so he can make an
       informed decision);
2) in Config.class.php, call is_readable("config-db.php") before doing the
   require("config-db.php") call, so phpMyAdmin will not crash without an
   error message. (Maybe is_readable isn't the right function for the job.
   It's been a year since I did anything serious with PHP.) (This proposal
   may have to be propagated upstream.)

-- 
phpmyadmin setup unsuitable for suexec setup
https://bugs.launchpad.net/bugs/416183
You received this bug notification because you are a member of Ubuntu
Bugs, which is a direct subscriber.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
