I can access databases for the other VM's

Here is the scenario to replicate this issue:

  • One dedicated server
  • 2 Virtualmin Accounts (VM1, VM2)
  • Both accounts have one database
  • phpMyAdmin script was installed for both accounts

Now the interesting part.

If I am accessing https://VM1/phpmyadmin into my browser and use VM2 username and password I can get VM1 database only!

The same thing happens when accessing https://VM2/phpmyadmin and use VM1 username and password. I get VM2 database only!

Normally using VM1 username and password no matter of URL I should get the database for VM1 user. I opened a Terminal and access the database using both VM's accounts. I can use all databases without any issue for both accounts. I deleted both VM's, I created them again and I get the same issue. Is Virtualmin giving root access to these account to access any database available?

Status: 
Closed (cannot reproduce)

Comments

See bellow a full detailed version of this comment.

I order to solve this issue I have to follow these steps for every user created by Virtualmin:

mysql> select user from mysql.user;
+---------------+
| user          |
+---------------+
| vm1_user       |
| vm2_user      |
| mysql.session |
| mysql.sys     |
| root          |
+---------------+
5 rows in set (0.00 sec)

mysql> show grants for vm1_user;
+----------------------------------------------------------------------------------+
| Grants for vm1_user@%                                                             |
+----------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'vm1_user'@'%' WITH GRANT OPTION                            |
| GRANT ALL PRIVILEGES ON `vm1_user_magento`.* TO 'vm1_user'@'%' WITH GRANT OPTION  |
| GRANT ALL PRIVILEGES ON `vm1_user_roundcube`.* TO 'vm1_user'@'%' WITH GRANT OPTION |
+----------------------------------------------------------------------------------+
3 rows in set (0.00 sec)
mysql> drop user vm1_user;
Query OK, 0 rows affected (0.00 sec)

mysql> select user,host from mysql.user;
+---------------+-----------+
| user          | host      |
+---------------+-----------+
| vm2_user      | %         |
| mysql.session | localhost |
| mysql.sys     | localhost |
| root          | localhost |
+---------------+-----------+
4 rows in set (0.00 sec)

mysql> create user 'vm1_user'@'%' identified by 'password';
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for vm1_user;
+-------------------------------------+
| Grants for vm1_user@%                |
+-------------------------------------+
| GRANT USAGE ON *.* TO 'vm1_user'@'%' |
+-------------------------------------+
1 row in set (0.00 sec)

mysql> grant all privileges on vm1_user_roundcube.* to 'vm1_user'@'%';
Query OK, 0 rows affected (0.00 sec)

mysql> grant all privileges on vm1_user_magento.* to 'vm1_user'@'%';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for vm1_user;
+------------------------------------------------------------------+
| Grants for vm1_user@%                                            |
+------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'vm1_user'@'%'                             |
| GRANT ALL PRIVILEGES ON `vm1_user_roundcube`.* TO 'vm1_user'@'%' |
| GRANT ALL PRIVILEGES ON `vm1_user_magento`.* TO 'vm1_user'@'%'  |
+------------------------------------------------------------------+
3 rows in set (0.00 sec)

Doing this I was able to solve this issue. From now on I am not allowed to access other databases for VM accounts. As you may see it was a matter of setting root privileges to every VM accounts by using WITH GRANT OPTION. This was possibile from Webmin/Virtualmin. I guarantee nobody run mysql command in Terminal with a root password.

Ilia's picture
Submitted by Ilia on Fri, 01/03/2020 - 05:14

Status: Active » Closed (cannot reproduce)

Hi,

This tracker for premium support only. You are welcome to use our brand new Community Forums, which we keep an eye on as well.

I can use all databases without any issue for both accounts. Is Virtualmin giving root access to these account to access any database available?

No. By default only virtual server (domain) owners are able to access their databases. You could check it in _Webmin/Severs/MySQL Database Server_, under _Global Options_ for _User Permissions_ and _Database Permissions_.