Apache Friends Support Forum

[regriff]

A few questions about phpMyAdmin:

When I first click on phpMyAdmin I see the following message on the right:

"Your configuration file contains settings (root with no password) that correspond to the default MySQL privileged account. Your MySQL server is running with this default, is open to intrusion, and you really should fix this security hole."

I am assuming these security holes are the users with no passwords in the Privileges section. When I click the Privileges tab I see this:

User overview

User -------Host -----Password --- Global privileges --- Grant
Any ----------- % ---------- No ---------------- USAGE ------------- No
pma ------- localhost ------ No ------------ ALL PRIVILEGES ------ Yes
root ------- localhost ------ No ------------ ALL PRIVILEGES ------ Yes
testuser --- localhost ---- Yes ------------ ALL PRIVILEGES ------ Yes

Can I delete all the users and create my own? What is PMA? Global privileges? Grant? What do I need to change to secure phpMyAdmin? Thank you all emensely for your assistance.

[Wiedmann]

Can I delete all the users and create my own?

All, except off "root" and "pma".
http://www.apachefriends.org/en/faq-xam ... #password0

What is PMA?

A service User for phMyAdmin. You should secure it too.
http://www.phpmyadmin.net/documentation/

Global privileges? Grant?

Different privileges:
http://dev.mysql.com/doc/mysql/en/Privilege_system.html

[regriff]

Thank you very much! One problem. When changing the password of the PMA I am getting errors.

I getting this error:

MySQL said:

#1045 - Access denied for user: 'pma@localhost' (Using password: NO)

I followed your instructions to change the user root and it seemed to work fine. However, when I attempted the same process on user PMA I was able to change the password using the console command but when I tried to find it in the config.inc.php I was unable to and I'm guessing that's why I am getting this error. What am I doing wrong?

[Wiedmann]

#1045 - Access denied for user: 'pma@localhost' (Using password: NO)

You must change the setting in "config.inc.php", too.

[regriff]

Can you give me an idea of where to find the PMA data to change in the config file? I did a search and cannot find a string like the root one for pma. Thank you.

[Wiedmann]

You can read that in the documentation at phpmyadmin.net ...

Code: Select all

$cfg['blowfish_secret'] = 'password'; // $cfg['blowfish_secret'] = 'password';
$cfg['Servers'][$i]['controluser']   = 'pma';       // MySQL control user settings
                                                    // (this user must have read-only
$cfg['Servers'][$i]['controlpass']   = '';          // access to the "mysql/user"
                                                    // and "mysql/db" tables)

[regriff]

Thanks again, you're wonderful! I wasn't searching for the label 'controluser', thank you!

[regriff]

User ANY , Global Privileges USAGE

What exactly is the ANY user? Is that referring to anyone that comes to my site and wants to see something on the page, or is this just for administrative purposes and I do not need to have a ANY user? Thank you!!

[Wiedmann]

What exactly is the ANY user?

Hmm, any user is any user --> everybody

Is that referring to anyone that comes to my site and wants to see something on the page

These privileges (for "root", "pma", "ANY") only effect the access to MySQL.

and I do not need to have a ANY user?

I don't know, it's your server But normaly, you don't need the "ANY" user and you should delete it.

[regriff]

Thank you immensely for all your help. You've taught me so much, thank you thank you!!

~Ryan

[sckoh]

I configured as below. Is it okay?
How about HOST name %?

USER HOST PWD PRIVILEGES GRANT
pma localhost YES ALL PRIVILEGES YES
root % NO USAGE NO
root localhost YES ALL PRIVILEGES YES

[Dave_L]

pma should look like this: pma localhost No USAGE No

You need to click the edit icon at the right to see the detailed grants for that user.

pma (phpMyAdmin control user) only needs some very restricted privileges. These are explained in the Documentation.html file in the phpMyAdmin directory, in the section "Using authentication modes".

And if you're using phpMyAdmin >= 2.6.1 and MySQL >= 4.1.2, you may not need that user at all. From Documentation.html for phpMyAdmin 2.6.1-pl2:

Note: starting with phpMyAdmin 2.6.1, configuring the controluser to enable HTTP and cookie authentication applies only to MySQL servers older than 4.1.2.

[fumbling]

I had a similar issue. When I tried to change the password, I got the following error:

Error
SQL query:

SET PASSWORD FOR 'root'@'[my email address here]' = PASSWORD( '*********' )

MySQL said:

#1133 - Can't find any matching row in the user table

where it reads [my email address here] in the above is my email address. That looks like it could be the problem, because essentially it reads 'root'@[something]@[something].com, which can't be right with two @ symbols I wouldn't think.

Any ideas?

[Izzy]

Are you using PMA or command console for example.

Do you think you could tell us what you are doing in more detail please or start a new topic perhaps.

BTW this topic is nearly 5 years old and all XAMPP components have changed considerably over the years.

[fumbling]

Thanks, I created a new thread with more details here:

viewtopic.php?f=16&t=32890

Appreciate your help.