Database Security Issue: users from any domain allowed even if remote access off

There is no security issue here and no security implications at all. What prevents another user from accessing a database on the same server is the username and password of that database, that's why a username and password is used. Btw, this is the case for any hosting or IT system, not depending on ISPConfig and not even depending on a specific database system. If you want to prevent that other users which have the correct login credentials for a database can access that database, then you must install a separate server for each user.

 

This assumtion makes no sense at all, that's as if you say: All locks are insecure, you only need the right key to open it

 

Another way to phrase the original concern is, "even if I prohibit remote access, local access is still allowed," which of course makes perfect sense when stated that way.

What you want is effectively to limit which linux use can use a given mysql user; to my knowledge there is no way to restrict that within mysql, so any solutions would involve a separate mysql server for each website as @till said. Possibly you could find an sql relay to use which could enforce that? I haven't looked for one, but such a thing might exist.

 

MySQL and MariaDB have the following access restrictions:

1) Host or IP. All scripts and programs that run on the same server, share the same IP and host, that's why all websites on the same server can access a database when the other 3 parameters are correct.
2) database name.
3) Username.
4) password.

MySQL lets you log in to a database only if all 4 requirements match.

 

Not naive, simply a misunderstanding of what it does.

I've not exhaustively searched what all the field does, but in a quick look at adding database users and databases, the database user ties to a client, and a database is assigned to a website, and assigned a database user. With that you can enforce client limits, limit what database servers are available, automate the removal of databases when the website or the client is deleted, ensure only the correct client can display database usage or change info, etc. So it certainly does have a purpose, but creating and enforcing a new layer of permissions on top of what the database server itself provides is not it.

 

That's not related to database access permissions. The site has to be selected to be able to assign the database to the correct ISPConfig client and apply client limits like database size quota plus this automates the process to grant access to the right host system when you are in a multiserver system.

 

I would say that is common knowledge for IT administrators.

Then you should dig deeper into the topic and learn more about the technology behind the scenes when a php script on a web server connects to a database via a TCP/IP connection to understand why 'a tld' in an apache or nginx vhost file does not matter at all here when the websites are on the same server. I've explained already in post #2 what you have to do to achieve that kind of 'firewall' that you want to get, you need a dedicated server or virtual server with a dedicated database system on it for each website.

 

A quick search found one relay that you could probably use, http://sqlrelay.sourceforge.net/sqlrenterprise/modules/configure_mysql_frontend.html

It supports native mysql clients, but doesn't appear to match system user IDs, so you would just have to set it up so that each website had a dedicated port or socket location. The socket could be protected with regular filesystem permissions, or dedicated ports could be protected with iptables (I believe there is a module that matches the system user of the connections process). If course the actual mysql socket and/or port needs similarly protected so only sql relay can access it.

You would probably also want to disable the global phpmyadmin install.