ba64342702
phpMyAdmin login was broken because phpmyadmin_install.sh never wired the private phpMyAdmin copy into the web server: no Apache Alias was registered via DirectAdmin CustomBuild, so the SSO redirect target was unreachable. Add configure_apache_alias()/apply_apache_alias() (Alias + Directory blocks, ./build rewrite_confs, httpd reload), detect the real Apache group instead of hardcoding diradmin:diradmin, stop silently swallowing chown/chmod failures, and verify an optional SHA256 for the downloaded phpMyAdmin tarball. Extend phpmyadmin_health_check.sh to detect a missing/incorrect Apache alias and to probe HTTP reachability. Security hardening: scope temporary phpMyAdmin SSO MySQL roles to 127.0.0.1 instead of '%', tighten SSO ticket file permissions to 0640 (they contain a plaintext MySQL password), and log MySQL connection failures for diagnosis instead of swallowing them silently. Bump version to 1.2.12 and rebuild the release archive.
69 lines
1.7 KiB
Bash
Executable File
69 lines
1.7 KiB
Bash
Executable File
#!/bin/bash
|
|
set -Eeuo pipefail
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
|
PLUGIN_DIR="$(cd "$SCRIPT_DIR/../.." && pwd)"
|
|
SETTINGS_FILE="$PLUGIN_DIR/plugin-settings.conf"
|
|
LOG_FILE="${DA_ALT_MYSQL_DB_HOOK_LOG:-$PLUGIN_DIR/data/logs/da-db-hooks.log}"
|
|
HOOK_NAME="${DA_HOOK_NAME:-$(basename "$0")}"
|
|
|
|
mkdir -p "$(dirname "$LOG_FILE")"
|
|
|
|
read_plugin_setting() {
|
|
local key="$1"
|
|
local default="$2"
|
|
local line value
|
|
[ -r "$SETTINGS_FILE" ] || {
|
|
printf '%s\n' "$default"
|
|
return 0
|
|
}
|
|
line="$(grep -E "^${key}=" "$SETTINGS_FILE" | tail -n 1 || true)"
|
|
[ -n "$line" ] || {
|
|
printf '%s\n' "$default"
|
|
return 0
|
|
}
|
|
value="${line#*=}"
|
|
value="${value%%#*}"
|
|
value="${value%\"}"
|
|
value="${value#\"}"
|
|
value="${value%\'}"
|
|
value="${value#\'}"
|
|
value="$(printf '%s' "$value" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
|
|
printf '%s\n' "${value:-$default}"
|
|
}
|
|
|
|
log() {
|
|
printf '[%s] hook=%s username=%s database=%s user=%s %s\n' \
|
|
"$(date '+%Y-%m-%d %H:%M:%S')" \
|
|
"$HOOK_NAME" \
|
|
"${username:-}" \
|
|
"${database:-${name:-}}" \
|
|
"${user:-}" \
|
|
"$*" >> "$LOG_FILE"
|
|
}
|
|
|
|
enabled="$(read_plugin_setting DA_ALT_MYSQL_BLOCK_NATIVE_DB_HOOKS true)"
|
|
case "$enabled" in
|
|
true|yes|on|1) ;;
|
|
*) log "native DB hook blocker disabled"; exit 0 ;;
|
|
esac
|
|
|
|
if [ "${DA_ALT_MYSQL_ALLOW_NATIVE_DB_ACTION:-0}" = "1" ]; then
|
|
log "native DB action explicitly allowed by environment"
|
|
exit 0
|
|
fi
|
|
|
|
case "$HOOK_NAME" in
|
|
*_post.sh|*_post)
|
|
log "native DirectAdmin database action observed after completion"
|
|
exit 0
|
|
;;
|
|
esac
|
|
|
|
log "blocked native DirectAdmin database action"
|
|
cat >&2 <<'EOF'
|
|
Databases on this server are managed by the MySQL plugin and the alt-mariadb instance.
|
|
Use the MySQL plugin instead of DirectAdmin native database actions.
|
|
EOF
|
|
exit 1
|