These forums are locked and archived, but all topics have been migrated to the new forum. You can search for this topic on the new forum: Search for What does virtualmin import databases do? on the new forum.
Web Hosting and Cloud Computing Control Panels
Or is Webmin/Virtualmin set up so that the domain owner is only supposed to have the one database that is setup when the domain is created?
I can flex any way, but I just want to know how it is supposed to work.
The Edit Database link in the virtual server gives the impression that the Virtualmin interface is designed for only 1 user to be able to access the various databases in a Virtual domain.
I get that impression because when I click on Usernames it lists the virtual server admin login, and you can change it to another username, but you can't have multiple user names here.
I basically find myself unable to add a second database to a virtual domain that a script can access.
I guess I'll have to descend down to the mysql command line to try and figure out what's going on. I haven't done that in a while. ... where is that bookstore remainder mysql book that I bought ....
Hi Ah,
Thanks for the careful explanation. How do you add uses to the virtual machine owned database? The virtual server gives the impression that the Virtualmin interface is designed for only 1 user to be able to access the various databases in a Virtual domain. I get that impression because when I click on Usernames it lists the virtual server admin login, and you can change it to another username, but you can't have multiple user names here.
Or I should ask, how do I add more than one user using VirtualMin/Edit Databases/Usernames that you only get one database login for all your databases within one Virtualmin domain.
I like to have 3: For instance the software login, a restricted login for backing up, and a superuser login.
If virtual min manages only one database login and it has to be allowed in all my databases for one domain, then I suppose I would make it the software login. I guess I have to first create it in webmin with the appropriate rights and then change it from the virtual root to the one created in webmin.
I would try and make the superuser login band back up login more universal accross all the databases on the server. But so far I have had no luck in getting my "universal logins" to work.
Well I have some progress.
I changed the database user to a custom one right in the virtualmin edit database. Also I added the database right in the virtualmin edit database. I added a couple databases using this same user sucessfully. This is the user installation scripts use. (It seems like that would be normal usage.) I saw when adding the user and database that webmin was being updated.
I figure that for security reasons, I will want to go back and remove some of this users rights. You don't want him to be able to drop tables etc. You don't want people coming in over the web to have administrator rights over your database.
I also noticed that virtual/webmin (or MySQL?) has a problem when I name a database with a name with an underscore. For instance I created a database called "blues_cms". In some screens it appears as "blues_cms" but in the webmin/MySQL Database Server/Database Permissions it appears as "blues\_cms". Some sort of escape character is being added. I also used the underscore in the dbase users name, but the "\" underscore was not added. So sometimes you need it, sometimes not. Very confusing. CPanel uses these underscores, so someone coming from CPanel could trip over this, especially if they manually removed the "\". That's me!
Now I have to figure out how to create multiple users that can access the database from the linux command line with varying rights. Namely my backup login. ... Even if I look at the Virtualmin mysql periodic backup, I'll still need my superuser access at the command line. Some of us old geezers aren't happy unless we have some sort of command prompt to type at.
Changing from one control panel to another does entail some getting used to things!
So here is my final analysis of how VirtualMin handles MySql rights.
VirtualMin uses a simplification.
The interface for Virtualin user corresponds to webmin "User Permissions". And it's a simplification of that because it only allows for one database user. There is no screen for "webmin "Data Base Permissions". Virtualmin just gives the single user all all rights on all databases under the virtual domain.
You can improve the security by making the database user only have the data manipulation rights plus the ability to lock files for backup, but then you also have to remember to give him more rights when you run an update script because updates may modify tables and drop them.
By doing it the way they did, they give you a functional system but at the cost of low security.
But security is really its own ball of wax that extends into anything and everything, complicating everything. And security is probably the only reason why people will little administration knowledge really should not be attempting to run their own servers.
It sounds like I am writing an article for a magazine doesn't it? I'm not. Those are just my observations. But I'd love to hear counter arguments.
Hey Rick,
Just wanted to chime in a bit. You're right, though I'd also point out that Virtualmin isn't intended to overlap Webmin functionality. The simplification within Virtualmin is to make a virtual hosting server easy to use--you still have the full-featured MySQL module available in Webmin.
Webmin offers a one-to-one mapping of the underlying service (MySQL in this case) and has very flexible access rules, and you can do all of the things you're saying you like to do. Virtualmin is, by design, providing a simple set of accounts for a number of services that can be expected to Just Work for the scripts that Virtualmin can install (plus the vast majority of other scripts out in the wild that require PHP/Perl/Ruby/Python, a database, etc.). The Webmin MySQL module and Virtualmin are different tools for different purposes. Virtualmin sets things up for you quickly and easily and in a way that definitely works. It also sets things up reasonably securely: MySQL users all have passwords, privileges for each database are restricted to just the user and how that user chooses to use it is up to them.
If you have a very security-intensive application (commerce apps that store credit card data comes to mind, medical data, legal data, stuff like that), I would expect you would go the extra mile and browse over to the MySQL database module and split up and lock down the data a bit more. But then, it probably shouldn't be running on a shared hosting system at all...because software bugs happen (and you never know which one will offer privilege escalation) and if you have a few hundred users on your system, one of them might be malicious.
So I don't think "low security" is really a valid claim about the default MySQL database accounts. It's the type of database account users expect, and it's perfectly valid for them to expect such access. It's an account they can use to install scripts and have them work. I don't see a big benefit to preventing database table modifications in a running application database...the application needs to be able to write to the database in order to work, so if a malicious user figures out how to exploit the application, the database is already in danger (more danger than just dropping or adding tables...inserting invalid data or reading out private data is the worst thing I can think of to do with a database, and that only requires read or write access...no table modification). One can make an argument for a new database per application, and Virtualmin already supports that.
So, we're willing to be convinced that we ought to have more flexibility in the default database permissions (it's trivial to add--we already have the functionality in the MySQL module), but you'll have to convince us that there is a real security benefit to the addition of confusing options. I think keeping them in the MySQL module is appropriate (given what I know about databases and applications, which may be less than some folks here).
--
Check out the forum guidelines!
Well I have some progress.
I changed the database user to a custom one right in the virtualmin edit database. Also I added the database right in the virtualmin edit database. I added a couple databases using this same user sucessfully. This is the user installation scripts use. (It seems like that would be normal usage.) I saw when adding the user and database that webmin was being updated.
I figure that for security reasons, I will want to go back and remove some of this users rights. You don't want him to be able to drop tables etc. You don't want people coming in over the web to have administrator rights over your database.
I also noticed that virtual/webmin (or MySQL?) has a problem when I name a database with a name with an underscore. For instance I created a database called "blues_cms". In some screens it appears as "blues_cms" but in the webmin/MySQL Database Server/Database Permissions it appears as "blues\_cms". Some sort of escape character is being added. I also used the underscore in the dbase users name, but the "\" underscore was not added. So sometimes you need it, sometimes not. Very confusing. CPanel uses these underscores, so someone coming from CPanel could trip over this, especially if they manually removed the "\". That's me!
Now I have to figure out how to create multiple users that can access the database from the linux command line with varying rights. Namely my backup login. ... Even if I look at the Virtualmin mysql periodic backup, I'll still need my superuser access at the command line. Some of us old geezers aren't happy unless we have some sort of command prompt to type at.
Changing from one control panel to another does entail some getting used to things!
Hi Joe,
I find your interface "simplications" very reasonable.
When I wrote "but at the cost of low security", I over-stated my case. I really should have said something like "at a cost of somewhat less security, but a still reasonable amount of security".
My struggles with Virtual/MySQL were more like trying to pound a square peg in a round hole than actually criticizing anything. I'm just trying to develop a mental map of the product.
I think I struggled more because of the underscore issue than anything else. That totally threw my testing off.
Thanks,
Rick B
Oops, we must have replied at about the same time.
I will file the bug report.
But I'll also describe it here. In
webmin/MySQL Database Server/Database Permissions in the "Databases" column the database called "blues_cms" appears with an unwanted backslash in front of the underscore. You recreate the problem by creating a database in virtualmin with an underscore in its name.
Rick
Hi Rick,
Very briefly, this is how it works...
- - - - - - - - - - - - - - - - - - - - - - - -
You can use Virtualmin Pro to create mysql databases via
OPTION 1
> Webmin > MySQL Database Server
OR
OPTION 2
> Virtualmin > *choose domain name via drop-down menu* > Edit Databases > Create a new database
- - - - - - - - - - - - - - - - - - - - - - - -
The difference is, with OPTION 1, the ownership of the database is not defined. If you use OPTION 2, the database created belongs to the domain name you have chosen.
Therefore, if you have created a database using OPTION 1, or have imported an existing database, and wish to have a specific domain name to use the database, do this:
> Virtualmin > Edit Databases > Import Databases > *select database that you wish the domain name to own*
- - - - - - - - - - - - - - - - - - - - - - - -
It is good practice to clearly determine the ownership of every database on your server to specific domain name for security reason. It is a bad idea to use the mysql 'root' (or a superuser) login on your php/mysql scripts. If someone successfully guessed your root password, all your databases will be compromised.
<div class='quote'>I also noticed that virtual/webmin (or MySQL?) has a problem when I name a database with a name with an underscore. For instance I created a database called "blues_cms". In some screens it appears as "blues_cms" but in the webmin/MySQL Database Server/Database Permissions it appears as "blues_cms". Some sort of escape character is being added. I also used the underscore in the dbase users name, but the "" underscore was not added. So sometimes you need it, sometimes not. Very confusing. CPanel uses these underscores, so someone coming from CPanel could trip over this, especially if they manually removed the "". That's me!</div>
Sounds like a bug (though the forum has stripped whatever character you're seeing...so I can't see a difference between the two names with underscores). File an issue about it with a way to reproduce the problem, and it'll get fixed in the next Webmin and/or Virtualmin release.
--
Check out the forum guidelines!