35.13. Module Access Control

Normally, a Webmin user who has access to the MySQL Database Server module can manage all databases and use all of the module's features. As Chapter 52 explains, however, it is possible to restrict what a user can do with a module. For this module, you can grant access to only certain databases, control the directory to which backups can be written, and restrict the creation and deletion of databases. This is useful when the databases on your server are owned by different people and you want to give each of them a Webmin login that can manage only those that belong to them.

To set up this kind of module access control, follow these instructions:

1. In the Webmin Users module, click on MySQL Database Server next to the name of a user or group that has access to the module.

2. On the access control form, change the Can edit module configuration? field to No. This is necessary to prevent the user from changing the paths of the programs that the module runs to access the database; otherwise he could point the module at a program of his own, which Webmin would then run with its own privileges.

3. In the Databases this user can manage field, choose the Selected option. Then, select the databases he should have access to from the list below.

4. Change the Can create new databases? field to No. There is no reason that a restricted user of this type should be able to add new databases.

5. Unless you want the user to be able to delete his own databases, change the Can drop databases? field to No. Leaving it set to Yes is harmless to other people's data, though, as he will only be able to drop those databases to which you have granted him access.

6. Change the Can stop and start MySQL server? field to No. Stopping or restarting the server affects every database on it, not just his own.

7. If you want this Webmin user to be able to control access by MySQL users to his databases, change the Can edit permissions? field to Only for managed databases. This will give him access to the database, host, table, and field permissions pages, but limit him to viewing and editing entries for the databases to which he has been granted access.

To deny access to MySQL permission management altogether, select No instead. Choosing Yes is a bad idea, as it would allow the user to create MySQL users with access to all databases on the server, and so to escape the database restriction entirely.

8. If the Can edit table data? field is set to No, the user will not be able to create tables, edit fields, run SQL commands, or make backups. Instead, he will only be able to use the module's record-viewing and editing feature.

9. When the Login to MySQL as field is set to Username from Module Config, all database actions performed by this user will be done as the MySQL user set in the module configuration, typically the MySQL root account. You may, however, want the Webmin user to log in as a less-privileged MySQL user as an additional security precaution. This way, even if the user finds a way to defeat the module's restrictions, he will still not be able to execute SQL commands as root, and the damage he can do is bounded by what that MySQL account is allowed to do.

To use a different login, select the Username option and enter a valid MySQL login and password into the adjacent fields. This alternate user must have the privileges to perform everything that the module needs to do on the managed databases, such as creating tables and possibly granting permissions, but should hold no privileges on any other database.

10. Normally, Webmin runs the mysqldump command to make backups as the root UNIX user and allows the backup file to be created anywhere on your system. Because a root-owned process writing to a user-chosen path can overwrite any file, including system configuration files, you should change the Backup file directory field to a safe directory in which to create backups, such as /home/someuser/backup.

Better still, the Write backup as UNIX user field should be changed to a user other than root, such as the Webmin user's UNIX login. The mysqldump command will be run as this user instead, so that even if the directory restriction were somehow bypassed, the backup could not overwrite any file that this user is not already allowed to write to.

11. Finally, to make the new access control restrictions active, click Save.
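The less-privileged MySQL account that step 9 calls for has to be created outside Webmin, in the MySQL server itself. The statements below are an added example, not from this book or from Webmin: the account name webmin_alice, the databases alice_shop and alice_blog, the placeholder password, and the assumption that Webmin connects to MySQL on the same host (hence 'localhost') are all choices made for the illustration. They give the account everything the module needs on the two managed databases and nothing anywhere else, then verify that this is really what was granted:

```sql
-- Run as the MySQL root (administrative) account, e.g. from the mysql command-line client.
-- Account name, database names and password are placeholders chosen for this example.
CREATE USER 'webmin_alice'@'localhost' IDENTIFIED BY 'replace-with-a-strong-password';

-- Database-level grants only. ALL PRIVILEGES at this level covers what the module needs
-- (CREATE/ALTER/DROP TABLE, SELECT/INSERT/UPDATE/DELETE for record editing, LOCK TABLES
-- for mysqldump), and WITH GRANT OPTION lets the Webmin user pass privileges on these
-- databases, and only these, to other MySQL accounts (step 7, "Only for managed databases").
GRANT ALL PRIVILEGES ON `alice_shop`.* TO 'webmin_alice'@'localhost' WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON `alice_blog`.* TO 'webmin_alice'@'localhost' WITH GRANT OPTION;

-- Check 1: the grant list should contain only the two per-database lines above plus
-- "GRANT USAGE ON *.*", which is the no-privilege global row every account has.
-- Anything more than USAGE on *.* means the account is broader than intended.
SHOW GRANTS FOR 'webmin_alice'@'localhost';

-- Check 2: no global privileges. Every column here should read 'N'. FILE would let the
-- account read and write files on the database server with LOAD DATA INFILE and
-- SELECT ... INTO OUTFILE, SUPER would let it change server settings, CREATE USER would
-- let it add accounts, and a global GRANT OPTION would let it hand out privileges on
-- any database; none of these belongs to a restricted Webmin user.
SELECT File_priv, Super_priv, Create_user_priv, Grant_priv
  FROM mysql.user
 WHERE User = 'webmin_alice' AND Host = 'localhost';

-- Check 3: exactly the managed databases, read from the grant table the server consults.
SELECT Db, Grant_priv
  FROM mysql.db
 WHERE User = 'webmin_alice' AND Host = 'localhost';
```

One caveat: if the Webmin user must also create brand-new MySQL accounts through the permissions pages, the account additionally needs the CREATE USER privilege, which exists only at the global level and cannot be confined to a database. It is safer to create the MySQL accounts yourself as the administrator and let the Webmin user only grant rights on his databases to accounts that already exist.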

If you want to give a large number of users access to MySQL through a web interface, an alternative to configuring the Webmin module for each user is to install Usermin. It has a MySQL module with an identical interface, and can be easily configured to limit which databases are visible. See Chapter 47 for more information.
