Fix phpMyAdmin SSO login and harden SSO/security posture

phpMyAdmin login was broken because phpmyadmin_install.sh never wired
the private phpMyAdmin copy into the web server: no Apache Alias was
registered via DirectAdmin CustomBuild, so the SSO redirect target was
unreachable. Add configure_apache_alias()/apply_apache_alias() (Alias +
Directory blocks, ./build rewrite_confs, httpd reload), detect the real
Apache group instead of hardcoding diradmin:diradmin, stop silently
swallowing chown/chmod failures, and verify an optional SHA256 for the
downloaded phpMyAdmin tarball. Extend phpmyadmin_health_check.sh to
detect a missing/incorrect Apache alias and to probe HTTP reachability.

Security hardening: scope temporary phpMyAdmin SSO MySQL roles to
127.0.0.1 instead of '%', tighten SSO ticket file permissions to 0640
(they contain a plaintext MySQL password), and log MySQL connection
failures for diagnosis instead of swallowing them silently.

Bump version to 1.2.12 and rebuild the release archive.
This commit is contained in:
Marek Miklewicz
2026-07-04 19:16:09 +02:00
parent 78e3d66d9a
commit ba64342702
14 changed files with 390 additions and 24 deletions
+1 -1
View File
@@ -14,7 +14,7 @@ case "$(basename "$PLUGIN_DIR")" in
esac
grep -Fxq "name=alt-mysql" "$PLUGIN_DIR/plugin.conf" || fail "plugin.conf name is not alt-mysql"
grep -Fxq "id=alt-mysql" "$PLUGIN_DIR/plugin.conf" || fail "plugin.conf id is not alt-mysql"
grep -Fxq "version=1.2.11" "$PLUGIN_DIR/plugin.conf" || fail "plugin.conf version is not 1.2.11"
grep -Fxq "version=1.2.12" "$PLUGIN_DIR/plugin.conf" || fail "plugin.conf version is not 1.2.12"
grep -Fq "return '/CMD_PLUGINS/alt-mysql';" "$PLUGIN_DIR/exec/lib/AppContext.php" \
|| fail "AppContext base URL is not alt-mysql"
grep -Fq "\$pluginId = 'alt-mysql';" "$PLUGIN_DIR/exec/lib/DirectAdminUser.php" \