Monday, October 13, 2008

Securing MAMP

I'm quoting this post to ensure I don't lose this information:
Installing MAMP
To install MAMP, download the latest disk image, mount it and copy the “MAMP” folder into your Applications folder. Note that MAMP MUST be installed in the Applications folder to work properly; every path in this guide assumes /Applications/MAMP. Once the copy is complete the installation is done and ready to use, but MAMP in its freshly installed state is not safe to use in a production environment: MySQL and the bundled scripts use a default root password of “root”, and the administration start page can be reached without any authentication. The next few sections explain how to secure your installation of MAMP.
Securing MySQL
If you are going to install a PHP/MySQL based application, the first thing to change is the MySQL root password. Open the Terminal and type the following:
/Applications/MAMP/bin/mysql4/bin/mysqladmin -u root -p password NEWPASSWORD
Instead of NEWPASSWORD use the new password you want. The -p switch makes mysqladmin prompt for the current password, which on a fresh install is “root”. Note that the new password is passed on the command line, so it ends up in your shell history; clear it afterwards if that matters to you.
Afterwards, you also need to change the password in phpMyAdmin and in the other scripts running under MAMP, because they all connect to MySQL as root with the old password written into them. You can change the password for phpMyAdmin in the following file:
/Applications/MAMP/bin/phpMyAdmin-X.X.X/config.inc.php
Be sure to edit this file in a plain text editor such as BBEdit or TextWrangler, not a word processor.
The password is set near line 86 of the file (the exact line depends on the phpMyAdmin version) and by default is “root”:
$cfg['Servers'][$i]['password'] = 'root';
Change 'root' to the password you set in the Terminal, then save and close config.inc.php. phpMyAdmin is now using the new MySQL password.
The next script we will change is located at /Applications/MAMP/bin/mamp/index.php and contains the line:
$link = @mysql_connect(':/Applications/MAMP/tmp/mysql/mysql.sock', 'root', 'root');
The second instance of root is the password the script is providing to MySQL. Change this to your new root password, then save and close the file. Thanks for the catch Alexandre!
The next thing we will change is the script MAMP uses to stop the MySQL process, located at /Applications/MAMP/bin/stopMysql.sh. The contents of the file are as follows:
#!/bin/sh
/Applications/MAMP/bin/mysql4/bin/mysqladmin -u root -proot --socket=/Applications/MAMP/tmp/mysql/mysql.sock shutdown
You will notice that the script has the MySQL user and password hard-coded: -u root is the user and -proot is the password (with -p the password follows immediately, with no space in between). We are only going to change the password, so that when we quit MAMP, MySQL still shuts down cleanly.
To change it, replace -proot with -pNEWPASSWORD, where NEWPASSWORD is the password set previously in the Terminal. Save and close the file. Because the password now sits in this file, and appears on the command line whenever the script runs, keep the file readable only by your own user.
If MAMP is running, go to the phpMyAdmin page and see if you can access the databases. If you can, phpMyAdmin is configured correctly with the new password. Now try to stop the servers from MAMP; if successful, both servers should stop. If MySQL does not stop, check the password in stopMysql.sh again.
Securing the Admin section of MAMP
You may have noticed that the ‘start page’ for MAMP is located at http://localhost/MAMP/, and this is where you can administer your databases and other settings for MAMP. If anyone figures out you are running MAMP (identifiable by the favicon), they can go straight to the phpMyAdmin section and drop entire databases, because nothing on that page asks who they are. This is a security hole that needs to be fixed. For this solution, we will use an .htaccess and an .htpasswd file to protect the folder with HTTP basic authentication. The .htpasswd file holds the username and a hash of the password (not the password itself) for Apache to authenticate against; the .htaccess file tells Apache to require a login for that directory and where the .htpasswd file is. Go to Dynamic Drive’s online .htpasswd tool to create an .htpasswd file and corresponding .htaccess, or, better, generate the hash locally with Apache’s htpasswd utility so that your password never leaves your machine.
The first section of the tool asks for a username that you will use to access the protected folder; this can be anything you want. The second box asks for a password for that user; this can also be anything you want. The second section asks for the path to the .htpasswd file. We will put these files in /Applications/MAMP. Two things to check before relying on this: the .htaccess must sit in the directory Apache actually serves for http://localhost/MAMP/, and the Apache configuration for that directory must allow .htaccess files to set authentication (AllowOverride AuthConfig or All), otherwise the file is silently ignored. Keep the .htpasswd file outside any directory Apache serves, so it cannot be downloaded. Basic authentication also sends the password with every request, which is acceptable on localhost but not across an untrusted network. Once these files are in place, if you try to navigate to http://localhost/MAMP/ you will be presented with a dialog box requesting a username and password. Type in your username and password and you should then be granted access to the start page, where you can administer your databases.
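To tie the two sections together, here is a small shell script, added as an example and not part of the quoted tutorial, that performs the file edits above on a MAMP tree and then audits it: it replaces the default 'root' password in the three files the tutorial edits (phpMyAdmin's config.inc.php, bin/mamp/index.php and bin/stopMysql.sh), writes the .htaccess for the start page directory, creates the .htpasswd on the local machine, and finally checks that no default credential remains and that the start page is protected. The tree root is a parameter so the script can be rehearsed on a copy before touching /Applications/MAMP. Assumptions not taken from the tutorial: the .htaccess is written to bin/mamp, the directory holding the start page's index.php (the tutorial puts it in /Applications/MAMP; which one Apache honours depends on the Alias and AllowOverride settings in MAMP's httpd.conf, so verify by requesting the page); htpasswd is assumed to live under /Applications/MAMP/Library/bin with openssl as a fallback; the .htpasswd location and all function names are my own.

```shell
#!/bin/sh
# Added example, not part of the quoted tutorial: apply its password edits to a
# MAMP tree and audit the result. The tree root is a parameter so the script can
# be rehearsed on a copy. Assumptions: .htaccess goes into bin/mamp (the start
# page directory) and htpasswd lives at /Applications/MAMP/Library/bin/htpasswd.

# Rewrite file $2 in place with sed expression $1, keeping its permission bits
# (stopMysql.sh must stay executable).
mamp_rewrite() {
  sed "$1" "$2" > "$2.tmp" && cat "$2.tmp" > "$2" && rm -f "$2.tmp"
}

# Replace the default password 'root' in the three files the tutorial edits.
# The password is spliced into sed expressions, so ' / & and \ are refused.
mamp_set_file_passwords() {
  root="$1"; newpass="$2"
  case "$newpass" in
    *\'*|*/*|*\&*|*\\*) echo "password contains a character this helper cannot quote" >&2; return 2 ;;
  esac
  for cfg in "$root"/bin/phpMyAdmin*/config.inc.php; do
    [ -f "$cfg" ] && mamp_rewrite "s/\(\['password'] = \)'root'/\1'$newpass'/" "$cfg"
  done
  [ -f "$root/bin/mamp/index.php" ] && mamp_rewrite "s/'root', 'root')/'root', '$newpass')/" "$root/bin/mamp/index.php"
  [ -f "$root/bin/stopMysql.sh" ] && mamp_rewrite "s/ -proot / -p$newpass /" "$root/bin/stopMysql.sh"
  return 0
}

# Protect directory $1 with HTTP basic authentication against .htpasswd file $2.
# "Require valid-user" is accepted by both Apache 2.2 and 2.4.
mamp_write_htaccess() {
  printf 'AuthType Basic\nAuthName "MAMP administration"\nAuthUserFile "%s"\nRequire valid-user\n' "$2" > "$1/.htaccess"
}

# Create .htpasswd file $1 with user $2 and password $3, hashing on this machine
# instead of pasting the password into a web form. Falls back to openssl's apr1
# (MD5) format, which Apache accepts, when MAMP's htpasswd is not found.
mamp_make_htpasswd() {
  if [ -x /Applications/MAMP/Library/bin/htpasswd ]; then
    /Applications/MAMP/Library/bin/htpasswd -cb "$1" "$2" "$3"
  else
    printf '%s:%s\n' "$2" "$(openssl passwd -apr1 "$3")" > "$1"
  fi
  chmod 600 "$1"
}

# Return 0 only when none of the three files still carries the default password
# and the start page directory has an .htaccess; otherwise report each finding.
mamp_audit() {
  root="$1"; rc=0
  for f in "$root"/bin/phpMyAdmin*/config.inc.php "$root"/bin/mamp/index.php "$root"/bin/stopMysql.sh; do
    if [ ! -f "$f" ]; then
      echo "missing: $f"; rc=1
    elif grep -qF -e "['password'] = 'root'" -e "'root', 'root')" -e " -proot " "$f"; then
      echo "default MySQL password still present in $f"; rc=1
    fi
  done
  if [ ! -f "$root/bin/mamp/.htaccess" ]; then
    echo "start page directory $root/bin/mamp has no .htaccess"; rc=1
  fi
  return $rc
}

# Usage: sh secure-mamp.sh --apply NEW_MYSQL_PASSWORD ADMIN_USER ADMIN_PASSWORD
# Changes the live MySQL root password first with the tutorial's mysqladmin call
# (-p prompts for the current password, 'root' on a fresh install), then the files.
if [ "${1-}" = "--apply" ]; then
  /Applications/MAMP/bin/mysql4/bin/mysqladmin -u root -p password "$2"
  mamp_set_file_passwords /Applications/MAMP "$2"
  mamp_make_htpasswd /Applications/MAMP/.htpasswd "$3" "$4"
  mamp_write_htaccess /Applications/MAMP/bin/mamp /Applications/MAMP/.htpasswd
  mamp_audit /Applications/MAMP
fi
```

Run the audit alone (`mamp_audit /Applications/MAMP`) after editing by hand to confirm nothing was missed; it looks for exactly the three default lines the tutorial shows, so a file edited to a different layout must be checked by eye. The restriction on password characters exists only because the value is pasted into sed; a password with those characters is fine for MySQL itself, just edit that file manually.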
I hope you find this tutorial useful and if there are any corrections or additions you would like to see added, feel free to leave a comment or send me an email.
UPDATE 02-23-06
I’ve added Alexandre’s tip to the article and have fixed an encoding error which made the code bits messy and incorrect. Hat tip to Joshua! Thanks for the tips!
