Files
alt-mysql/scripts/da-integration/block_native_database_action.sh
T
Marek Miklewicz ba64342702 Fix phpMyAdmin SSO login and harden SSO/security posture
phpMyAdmin login was broken because phpmyadmin_install.sh never wired
the private phpMyAdmin copy into the web server: no Apache Alias was
registered via DirectAdmin CustomBuild, so the SSO redirect target was
unreachable. Add configure_apache_alias()/apply_apache_alias() (Alias +
Directory blocks, ./build rewrite_confs, httpd reload), detect the real
Apache group instead of hardcoding diradmin:diradmin, stop silently
swallowing chown/chmod failures, and verify an optional SHA256 for the
downloaded phpMyAdmin tarball. Extend phpmyadmin_health_check.sh to
detect a missing/incorrect Apache alias and to probe HTTP reachability.

Security hardening: scope temporary phpMyAdmin SSO MySQL roles to
127.0.0.1 instead of '%', tighten SSO ticket file permissions to 0640
(they contain a plaintext MySQL password), and log MySQL connection
failures for diagnosis instead of swallowing them silently.

Bump version to 1.2.12 and rebuild the release archive.
2026-07-04 19:16:09 +02:00

69 lines
1.7 KiB
Bash
Executable File

#!/bin/bash
set -Eeuo pipefail
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
PLUGIN_DIR="$(cd "$SCRIPT_DIR/../.." && pwd)"
SETTINGS_FILE="$PLUGIN_DIR/plugin-settings.conf"
LOG_FILE="${DA_ALT_MYSQL_DB_HOOK_LOG:-$PLUGIN_DIR/data/logs/da-db-hooks.log}"
HOOK_NAME="${DA_HOOK_NAME:-$(basename "$0")}"
mkdir -p "$(dirname "$LOG_FILE")"
read_plugin_setting() {
local key="$1"
local default="$2"
local line value
[ -r "$SETTINGS_FILE" ] || {
printf '%s\n' "$default"
return 0
}
line="$(grep -E "^${key}=" "$SETTINGS_FILE" | tail -n 1 || true)"
[ -n "$line" ] || {
printf '%s\n' "$default"
return 0
}
value="${line#*=}"
value="${value%%#*}"
value="${value%\"}"
value="${value#\"}"
value="${value%\'}"
value="${value#\'}"
value="$(printf '%s' "$value" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
printf '%s\n' "${value:-$default}"
}
log() {
printf '[%s] hook=%s username=%s database=%s user=%s %s\n' \
"$(date '+%Y-%m-%d %H:%M:%S')" \
"$HOOK_NAME" \
"${username:-}" \
"${database:-${name:-}}" \
"${user:-}" \
"$*" >> "$LOG_FILE"
}
enabled="$(read_plugin_setting DA_ALT_MYSQL_BLOCK_NATIVE_DB_HOOKS true)"
case "$enabled" in
true|yes|on|1) ;;
*) log "native DB hook blocker disabled"; exit 0 ;;
esac
if [ "${DA_ALT_MYSQL_ALLOW_NATIVE_DB_ACTION:-0}" = "1" ]; then
log "native DB action explicitly allowed by environment"
exit 0
fi
case "$HOOK_NAME" in
*_post.sh|*_post)
log "native DirectAdmin database action observed after completion"
exit 0
;;
esac
log "blocked native DirectAdmin database action"
cat >&2 <<'EOF'
Databases on this server are managed by the MySQL plugin and the alt-mariadb instance.
Use the MySQL plugin instead of DirectAdmin native database actions.
EOF
exit 1