Setting up user permissions with phpMyAdmin

Ok, I have a fresh install of AppServ 2.5.3 (which includes apache, PHP, MySQL, and phpMyAdmin) running on Windows XP Pro SP1.

I get this warning upon accessing the phpMyAdmin index page:

Your configuration file contains settings (root with no password) that correspond to the default MySQL privileged account. Your MySQL server is running with this default, is open to intrusion, and you really should fix this security hole.

I’ve tried going to “Privileges” and setting a password for root - localhost and Any - localhost, but when I try to access the page again, it fails to load the config.header.inc.php and the only way I found to fix it was to reinstall the appserv package and start over again.


User   Host        Password   Global privileges   Grant
Any    %           No         USAGE               No
Any    localhost   No         ALL PRIVILEGES      Yes
root   %           No         ALL PRIVILEGES      Yes
root   localhost   No         ALL PRIVILEGES      Yes

Does this process set up http authentication mode? If not, how can I? The documentation for phpMyAdmin wasn’t all that helpful.

Okay, you’ve installed MySQL, but by default the root account has no password. This is priority one. Use phpMyAdmin (if that’s what you’re comfortable with), and go into the MySQL database and the user table. Browse the entries.

If you are running MySQL 3.x click the SQL tab and run this query:

UPDATE user SET password=PASSWORD('your_password') WHERE user='root'

If you are running MySQL 4.x click the SQL tab and run this query:

UPDATE user SET password=OLD_PASSWORD('your_password') WHERE user='root'

Then run this query:

FLUSH PRIVILEGES;

Now, you’ll be locked out of phpMyAdmin. We’ll get back to that in a minute. Before we let phpMyAdmin in, we need to password protect it so just anyone on the Internet can’t get into your phpMyAdmin with root access.

In the directory where you have phpMyAdmin installed, create a file called .htaccess that contains the following:


AuthType Basic
AuthName "Password Required"
AuthUserFile .htpasswd

Now, hopefully you have a utility called htpasswd. From a command prompt run:

htpasswd -c .htpasswd <username>

Put the username you want instead of <username>. It will prompt you for a password. Enter the password you want to use.

Now, restart Apache. Try to load phpMyAdmin. You should get prompted for a username and password. Try out the username and password you set up above. If you get to the phpMyAdmin page (it will show an error about not accessing the database), then you can move on. If not, double check the above steps, or read up on .htaccess files and .htpasswd on the Apache site (http://apache.org).

Assuming the above worked, we just have to update phpMyAdmin. Using a text editor, edit the config.inc.php in the phpMyAdmin directory. Find the line that specifies root as the username:

$cfg['Servers'][$i]['user'] = 'root';

The next line should be the password line:

$cfg['Servers'][$i]['password'] = '';

Put your password in:

$cfg['Servers'][$i]['password'] = 'your_password';

Load up phpMyAdmin, and you should be good to go.

Rats, I’m stuck already. How do you create that .htaccess file through the windows command prompt? I can’t create it from within windows.

eh, you just go to where you set the root http directory and save a file as .htaccess. You don’t need to use the command prompt to access the directory tree.

I am assuming you have total access to this computer through the GUI.

windows doesn’t like making files that start with a period. what you do is save it as htaccess.txt, then go to a command line and use ren to change it to .htaccess

Thanks, that rename did the trick :)

Continuing with the rest of the instructions…

[edit]:
ok, ran into a problem. After I got past the part where I run htpasswd and restart apache, I now get this when I access phpMyAdmin through the browser:

Fatal error: Call to undefined function: pma_reloadnavigation() in E:\Program Files\AppServ\www\phpMyAdmin\header.inc.php on line 132

This is the same thing I was running into before.

Here’s what I have installed:
Apache Web Server Version 2.0.52
PHP Script Language Version 5.0.3
MySQL Database Version 4.1.8
phpMyAdmin Database Manager Version 2.6.1-rc2

continue with nos’s steps. you’re getting that error because you changed the root password to log in to mysql, and phpmyadmin doesn’t know the new password. you have to edit the configuration file for phpmyadmin and specify the new password.

Ok, I can once again access phpMyAdmin

Now, 2 questions…what did that do? It doesn’t seem like any password protected security measures are in place when I access phpMyAdmin from the web.

2nd question, how can I enable http authentication (to prompt for a password), rather than config authentication (where there is no prompt)

are you not getting prompted for a password at all? that .htaccess file should have turned on apache’s http authentication.

nope, no prompt whatsoever.

Check with your host or, if it’s your own, that the directory (or parent) has permission to use AuthConfig. Something like:


<Directory /home/www/user/>
  AllowOverride AuthConfig
</Directory>

Obviously, changing the path to the appropriate location. By default, most Apache installs have AllowOverride None which pretty much means it will ignore most things in a .htaccess file.

What file would that be in?

Also, I found a few things that were missing from the .htaccess file

AuthName "Password Required"
AuthType Basic
AuthUserFile 10.10.6.6\\phpMyAdmin\\.htpasswd
Require valid-user

With that, I now get the password prompt. However, when I try to enter the username & password that I put into the .htpasswd file, it isn’t accepted and I’m denied access (aka 401 error).

is this .htaccess file in your phpmyadmin directory? if not, it needs to be. you also need to change AuthUserFile 10.10.6.6\phpMyAdmin\.htpasswd to AuthUserFile .htpasswd

did you do that htpasswd command nos told you to? you have to run that command at the command prompt in your phpmyadmin directory.

hrm…I ran it from E:\program files\appserv\apache2\bin

[edit]: Ok, I copied the htpasswd.exe utility to the phpMyAdmin directory and ran it from the command prompt, thus creating a .htpasswd file with a username:password (encrypted).

The password is still not accepted.

This is in the httpd.conf file, correct?

Are you saying to replace all the “AllowOverride None” lines with “AllowOverride AuthConfig”? Does this mean I will have to have an .htaccess file in every directory?

The .htaccess file is not in the root www directory with the way I have it.

OR…do I only need to do this:


<Directory "E:/PROGRA~1/AppServ/www/phpMyAdmin/">
  AllowOverride AuthConfig
</Directory>

If so, where do I put that in the httpd.conf file? Is there a special place it needs to reside (before something special or after something special)?

you should only have one httpd.conf file. and no, do not change all of the AllowOverride. if you put it in the right place, your last code block is ok. if not, you just need to change the one in the first <directory> tag, which should be pointing to the root of your web files.

and no, you do not HAVE to put a .htaccess in every directory, just the ones you want to deviate from the norm in, like your phpmyadmin directory.

note that some of the commands you put in the .htaccess file also apply to all subdirectories, like the password one.

ok, I tried changing just this:

# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
    Options FollowSymLinks ExecCGI Indexes
    AllowOverride AuthConfig
</Directory>

but that didn’t do the trick.

Then I tried adding this right after it:

<Directory "E:/PROGRA~1/AppServ/www/phpMyAdmin/">
  AllowOverride AuthConfig
</Directory>

but that still didn’t work. Any ideas?

I’m attaching my httpd.conf file.

ok, I took a look at the error logs and found that I needed to change the .htpasswd directory path in the .htaccess file.

AuthName "Password Required"
AuthType Basic
AuthUserFile www/phpMyAdmin/.htpasswd
Require valid-user

Yet, I still get a “file not found” error.

[Thu Jun 02 10:14:21 2005] [error] [client 127.0.0.1] (OS 3)The system cannot find the path specified.  : Could not open password file: E:/Program Files/AppServ/apache2/www/phpMyAdmin/.htpasswd, referer: http://localhost/
[Thu Jun 02 10:14:21 2005] [error] [client 127.0.0.1] user forceflow not found: /phpMyAdmin/, referer: http://localhost/

check to make sure that the user your apache server is running under has rights to that file. if you made it in a directory outside your website directory structure then moved it in, it may not have the correct permissions.

Where do I go to check that?

[edit]: Remember, I could access the pages within the phpMyAdmin directory before I followed nos’s instructions.

[edit2]: I tried removing .htaccess and .htpasswd from the directory, and I was able to access it fine.

It looks like the problem is with the configuration of the .htaccess security.
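
An added example, not part of any post in the thread: the error log above shows Apache joining the relative AuthUserFile value onto its ServerRoot rather than onto the directory that holds .htaccess, so this sketch audits the three .htaccess variants posted here under that rule. The ServerRoot and the real .htpasswd location are assumptions inferred from the paths quoted in the thread, and `on_disk` is a constructed stand-in for the Windows filesystem.

```python
import os
from pathlib import PureWindowsPath

def parse_directives(text):
    """Return {directive_name_lower: argument} for a small .htaccess file."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, arg = line.partition(" ")
            found[name.lower()] = arg.strip().strip('"')
    return found

def resolve_auth_user_file(value, server_root):
    """A relative AuthUserFile is taken relative to ServerRoot,
    not to the directory that contains the .htaccess file."""
    path = PureWindowsPath(value)
    if not path.is_absolute():
        path = PureWindowsPath(server_root) / path
    return path.as_posix()

def audit_htaccess(text, server_root, exists=os.path.exists):
    """List the reasons Basic auth in this .htaccess would not work."""
    d = parse_directives(text)
    problems = []
    if "require" not in d:
        problems.append("no Require directive, so no login is demanded")
    if "authuserfile" not in d:
        problems.append("no AuthUserFile directive")
    else:
        resolved = resolve_auth_user_file(d["authuserfile"], server_root)
        if not exists(resolved):
            problems.append("password file not found: " + resolved)
    return problems

# Constructed inputs; both paths are assumptions inferred from the thread.
SERVER_ROOT = "E:/Program Files/AppServ/apache2"
REAL_FILE = "E:/Program Files/AppServ/www/phpMyAdmin/.htpasswd"

def on_disk(path):
    """Stand-in for the filesystem: only the real .htpasswd exists."""
    return path == REAL_FILE

FIRST = 'AuthType Basic\nAuthName "Password Required"\nAuthUserFile .htpasswd\n'
LAST = FIRST.replace(".htpasswd", "www/phpMyAdmin/.htpasswd") + "Require valid-user\n"
FIXED = LAST.replace("www/phpMyAdmin/.htpasswd", '"' + REAL_FILE + '"')

if __name__ == "__main__":
    for name, text in (("first", FIRST), ("last", LAST), ("fixed", FIXED)):
        print(name, audit_htaccess(text, SERVER_ROOT, on_disk))
```

The quoted absolute path in `FIXED` is the only variant that passes; the quotes are needed because the path contains a space.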