While migrating our websites to the new Ubuntu box, I set up phpmyadmin using apt-get. But that package is 4.5x, while the latest version is 4.8x. Not surprisingly, the Nessus security scan, which is needed to get the HTTP and HTTPS ports opened through the TAMU firewall, detected security exploits that I hope have been fixed in the newer versions.
One option would be to just install phpmyadmin directly in /var/www/html. But I wanted to keep all the customization I had already done, and I liked having the config files in locations outside the web root so they can’t be viewed as easily by intruders.
There is probably documentation about the package somewhere, but I don’t know how to find it, so I just dug around and tried stuff to get it to work. Here’s what I figured out and what I did.
phpmyadmin from the apt package installs stuff in at least 3 places:
- /usr/share/phpmyadmin – this is the bulk of the codebase
- /etc/phpmyadmin – conf files for apache and for phpmyadmin
- /var/lib/phpmyadmin – misc stuff, including the blowfish secret setting and a tmp directory accessible to apache
To get it to work:
- Download the latest version using wget. I did this in a user directory, but it could be anywhere
- Rename the directory /usr/share/phpmyadmin to /usr/share/phpmyadmin.apt as a backup. Maybe if the phpmyadmin distro ever catches up we can reactivate it
- Symlink the new version as /usr/share/phpmyadmin
- Write a tiny config.inc.php file to include /etc/phpmyadmin/config.inc.php (this may not get all the config files, but it seems to work)
- Edit /var/lib/phpmyadmin/blowfish_secret.inc.php to make the string longer
- Edit /usr/share/phpmyadmin/libraries/vendor_config.php to set the tmp dir to /var/lib/phpmyadmin/tmp
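
The steps above as a shell script, added here as an example and not the commands actually run for this post; it refuses to run twice so the .apt backup is never overwritten, and it replaces the blowfish secret with a fresh 32-character random value rather than lengthening the old one. Assumptions: the upstream release is already downloaded and unpacked, the function names and the ROOT prefix are hypothetical, blowfish_secret.inc.php holds a single `$cfg['blowfish_secret']` assignment, and vendor_config.php contains a `define('TEMP_DIR', ...)` line.

```shell
#!/bin/sh
# Added example, not the author's commands. ROOT is a hypothetical prefix for
# rehearsing in a scratch directory; leave it empty to act on the real system.
ROOT="${ROOT:-}"

swap_tree() {   # $1 = directory of the unpacked upstream release
    new=$1; share="$ROOT/usr/share/phpmyadmin"
    [ -f "$new/index.php" ] || { echo "no phpMyAdmin tree in $new" >&2; return 1; }
    if [ -L "$share" ] || [ -e "$share.apt" ]; then
        echo "already swapped; refusing to overwrite the backup" >&2; return 1
    fi
    mv "$share" "$share.apt"      # keep the packaged code as a backup
    ln -s "$new" "$share"         # same path as before, new code behind it
}

write_shim() {  # tiny config.inc.php in the new tree that pulls in the /etc one
    printf '%s\n' '<?php' "require '/etc/phpmyadmin/config.inc.php';" \
        > "$ROOT/usr/share/phpmyadmin/config.inc.php"
}

set_secret() {  # assumption: the file holds one $cfg['blowfish_secret'] line
    f="$ROOT/var/lib/phpmyadmin/blowfish_secret.inc.php"
    secret=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')  # 32 hex chars
    # Overwrite in place so the file keeps its existing owner and mode.
    printf "<?php\n\$cfg['blowfish_secret'] = '%s';\n" "$secret" > "$f"
}

set_tmp_dir() { # assumption: vendor_config.php has a define('TEMP_DIR', ...) line
    f="$ROOT/usr/share/phpmyadmin/libraries/vendor_config.php"
    want="define('TEMP_DIR', '/var/lib/phpmyadmin/tmp/');"
    sed "s|^define('TEMP_DIR'.*|$want|" "$f" > "$f.new"
    if ! grep -qF "$want" "$f.new"; then
        rm -f "$f.new"; echo "TEMP_DIR define not found in $f" >&2; return 1
    fi
    mv "$f.new" "$f"
}

# Run as root:  sh swap-pma.sh --apply /path/to/unpacked/phpMyAdmin
if [ "${1:-}" = "--apply" ]; then
    swap_tree "$2" && write_shim && set_secret && set_tmp_dir
fi
```

Setting ROOT to a scratch directory that mirrors the three package locations lets the whole sequence be rehearsed before it touches the live paths.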