tony
/
mb-admin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added idempotency and more security

main
Anthony 2025-08-27 01:46:27 +08:00
parent ff507b6e07
commit 6f28eaed93
2 changed files with 97 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
scripts/dbreset.sh
View File

@ -1,8 +1,42 @@
#!/bin/bash #!/bin/bash
set -euo pipefail
PMA_PASS_FILE="/var/lib/jelastic/keys/pma_root_pass"
PMA_CONFIG="/etc/phpMyAdmin/config.inc.php"
# Ensures phpMyAdmin config is set for automatic login with the given password
ensure_pma_config() {
local password="$1"
echo "🔧 Ensuring phpMyAdmin config is up-to-date..."
# Use a different delimiter for sed to handle special characters in the password
sudo sed -i "s|\(\['password'\]\s*=\s*'\)[^']*'|\1$password'|" "$PMA_CONFIG"
if ! sudo grep -q "\['auth_type'\]" "$PMA_CONFIG"; then
echo "\$cfg['Servers'][\$i]['auth_type'] = 'config';" | sudo tee -a "$PMA_CONFIG" > /dev/null
else
sudo sed -i "s/\(\['auth_type'\]\s*=\s*'\)[^']*'/\1config'/" "$PMA_CONFIG"
fi
if ! sudo grep -q "\['user'\]" "$PMA_CONFIG"; then
echo "\$cfg['Servers'][\$i]['user'] = 'root';" | sudo tee -a "$PMA_CONFIG" > /dev/null
else
sudo sed -i "s/\(\['user'\]\s*=\s*'\)[^']*'/\1root'/" "$PMA_CONFIG"
fi
}
# If password file exists, just re-apply the config. This is the fast, idempotent path.
if [ -f "$PMA_PASS_FILE" ] && [ -s "$PMA_PASS_FILE" ]; then
echo "🔑 Root password file found. Re-configuring phpMyAdmin without DB reset."
stored_password=$(sudo cat "$PMA_PASS_FILE")
ensure_pma_config "$stored_password"
exit 0
fi
# --- First time execution: Full password reset ---
echo "🔑 Root password file not found. Performing first-time password reset."
# Generate a secure password # Generate a secure password
new_password=$(openssl rand -base64 12) new_password=$(openssl rand -base64 12)
echo "🔐 New MariaDB root password will be: $new_password"
# Stop MariaDB # Stop MariaDB
echo "🛑 Stopping MariaDB service..." echo "🛑 Stopping MariaDB service..."
@ -12,10 +46,11 @@ sleep 3
# Start MariaDB in safe mode # Start MariaDB in safe mode
echo "🔧 Starting MariaDB in safe mode (skip-grant-tables)..." echo "🔧 Starting MariaDB in safe mode (skip-grant-tables)..."
sudo mysqld_safe --skip-grant-tables --skip-networking --skip-name-resolve & sudo mysqld_safe --skip-grant-tables --skip-networking --skip-name-resolve &
PID=$!
sleep 5 sleep 5
# Check if mysqld is running # Check if mysqld is running
if ! pgrep mysqld > /dev/null; then if ! ps -p $PID > /dev/null; then
echo "❌ Failed to start mysqld_safe. Exiting." echo "❌ Failed to start mysqld_safe. Exiting."
exit 1 exit 1
fi fi
@ -48,21 +83,14 @@ sudo systemctl start mariadb
if sudo systemctl is-active --quiet mariadb; then if sudo systemctl is-active --quiet mariadb; then
echo "✅ MariaDB is running." echo "✅ MariaDB is running."
echo "🔐 Root password has been reset to: $new_password" ensure_pma_config "$new_password"
echo ""
echo "📌 IMPORTANT:" # Save the new password for future runs
echo " 1. Update /etc/phpMyAdmin/config.inc.php:" echo "$new_password" | sudo tee "$PMA_PASS_FILE" > /dev/null
echo " \$cfg['Servers'][\$i]['user'] = 'root';" sudo chmod 600 "$PMA_PASS_FILE"
echo " \$cfg['Servers'][\$i]['password'] = '$new_password';" sudo chown root:root "$PMA_PASS_FILE"
echo " \$cfg['Servers'][\$i]['auth_type'] = 'config';" echo "✅ New root password securely stored for future runs."
echo ""
echo " 2. Restart the database node in the Virtuozzo control panel!"
echo " This ensures Apache/phpMyAdmin can reconnect."
else else
echo "❌ Failed to start MariaDB. Run: sudo systemctl status mariadb" echo "❌ Failed to start MariaDB. Run: sudo systemctl status mariadb"
exit 1 exit 1
fi fi
sudo sed -i "s/\(\['password'\]\s*=\s*'\)[^']*'/\1$new_password'/" /etc/phpMyAdmin/config.inc.php
sudo sed -i "s/\(\['auth_type'\]\s*=\s*'\)[^']*'/\1config'/" /etc/phpMyAdmin/config.inc.php
sudo sed -i "s/\(\['user'\]\s*=\s*'\)[^']*'/\1root'/" /etc/phpMyAdmin/config.inc.php

54
scripts/pma-gateway/create_pma_gateway.sh
View File

@ -50,6 +50,46 @@ base=$(printf "%s" "$data" | base64 | tr -d '\n')
mac=$(php -r "echo hash_hmac('sha256', '$data', '$SECRET');") mac=$(php -r "echo hash_hmac('sha256', '$data', '$SECRET');")
token="$base.$mac" token="$base.$mac"
# Secure the phpMyAdmin vhost with Rewrite Rules to block direct access
VHOST_CONFIG="/usr/share/phpMyAdmin/vhost.conf"
NEEDS_RESTART=0
if [ -f "$VHOST_CONFIG" ]; then
MARKER="# PMA Gateway Security Rules"
# If rules are not already in place, add them.
if ! sudo grep -qF "$MARKER" "$VHOST_CONFIG"; then
# Remove any existing rewrite block to ensure a clean state.
sudo sed -i '/\s*<rewrite>/,/<\/rewrite>/d' "$VHOST_CONFIG"
# Define the new rewrite block using a temporary file to avoid escaping issues.
REWRITE_TMP=$(mktemp)
cat > "$REWRITE_TMP" <<'EOF'
<rewrite>
<enable>1</enable>
<logLevel>0</logLevel>
<rules>
# PMA Gateway Security Rules
# Allow access to the gateway scripts themselves
RewriteCond %{REQUEST_URI} ^/access-db-.*\.php$
RewriteRule .* - [L]
# For all other requests, block if the security cookie is not present
RewriteCond %{HTTP_COOKIE} !pma_access_granted
RewriteRule .* - [F,L]
</rules>
</rewrite>
EOF
# Use awk to insert the new block before the </vhssl> tag for robustness
sudo awk -v r="$(cat $REWRITE_TMP)" '{if (/\s*<vhssl>/) print r} {print}' "$VHOST_CONFIG" | sudo tee "$VHOST_CONFIG" > /dev/null
rm -f "$REWRITE_TMP"
NEEDS_RESTART=1
fi
else
echo "Warning: phpMyAdmin vhost config not found at $VHOST_CONFIG. Cannot apply security rules." >&2
fi
sudo tee "$GATEWAY_FILE" >/dev/null <<'PHP' sudo tee "$GATEWAY_FILE" >/dev/null <<'PHP'
<?php <?php
// Secure phpMyAdmin gateway auto-generated, do NOT edit manually. // Secure phpMyAdmin gateway auto-generated, do NOT edit manually.
@ -84,6 +124,7 @@ if (strpos($data, ':') === false) {
list($slug, $exp) = explode(':', $data, 2); list($slug, $exp) = explode(':', $data, 2);
if (time() > intval($exp)) { if (time() > intval($exp)) {
unlink(__FILE__); // Self-destruct if expired
deny(); deny();
} }
@ -92,8 +133,9 @@ if (!hash_equals($sig, hash_hmac('sha256', $data, $secret))) {
deny(); deny();
} }
// Issue short-lived cookie (same expiry as token) and redirect to phpMyAdmin root // Issue a short-lived cookie that the rewrite rule looks for.
setcookie('pma_token', $sig, intval($exp), '/', '', true, true); // This cookie acts as the temporary pass.
setcookie('pma_access_granted', $sig, intval($exp), '/', '', true, true);
header('Location: /'); header('Location: /');
exit; exit;
?> ?>
@ -102,5 +144,13 @@ PHP
sudo chown litespeed:litespeed "$GATEWAY_FILE" sudo chown litespeed:litespeed "$GATEWAY_FILE"
sudo chmod 644 "$GATEWAY_FILE" sudo chmod 644 "$GATEWAY_FILE"
# Restart LiteSpeed if we modified the config
if [[ "${NEEDS_RESTART:-0}" -eq 1 ]]; then
echo "Applying security rules and restarting LiteSpeed..." >&2
if ! sudo systemctl restart lsws; then
echo "Warning: LiteSpeed restart failed. Manual restart may be required." >&2
fi
fi
URL="https://$ENV_HOST:8443/access-db-$SLUG.php?token=$token" URL="https://$ENV_HOST:8443/access-db-$SLUG.php?token=$token"
echo "$URL" echo "$URL"