Myoch

Reputation: 845

How to configure PhpMyAdmin to prevent users from modifying other user settings in the `phpmyadmin` table?

I would like to allow multiple configurations of PhpMyAdmin depending on users, but I cannot figure out how to protect users from having their configuration changed by others.

I need to give them the rights to the phpmyadmin db, but that would be too much. All the solutions I could think of are problematic:

Solution 1: Force a UI where the phpmyadmin db is hidden, and where access to the "Settings" tab is forbidden by the "User group" definition.

Problem: Since the SQL Query Console cannot be hidden, a user can still connect to the phpmyadmin db and make changes using the command line.

Solution 2: Let the user create all the tables of pma in a dedicated db with his own name.

Problem: PhpMyAdmin does not seem to access this, since the config.inc.php states that all the pma tables should be in a db called "phpmyadmin".

What to do to be perfectly safe?

Thanks.

Upvotes: 0

Views: 1626

Answers (1)

Isaac Bennetch

Reputation: 12412

> I need to give them the rights to the phpmyadmin db

Why? This isn't a requirement of phpMyAdmin when you're using a controluser account, so as far as phpMyAdmin is concerned there is no need for your individual users to have access to the 'phpmyadmin' database.

Within phpMyAdmin, the user accounts and configuration are tracked separately, so as long as you configure the user accounts to not have permission for the phpmyadmin database, any user can change their own preferences but not affect other users.

See also the documentation at https://docs.phpmyadmin.net/en/latest/setup.html#phpmyadmin-configuration-storage

I suggest that, in keeping with standard security best practices, for each user you grant only the permissions they need — which will not include access on the phpmyadmin database. Using the controluser account will allow phpMyAdmin to manage the user preferences without granting the users access to modify or change other users' preferences.

That should accomplish what you've asked for here.

Upvotes: 2
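The privilege split described in the answer, written out as an added example (not code from the answer or from the phpMyAdmin project). The account names `pma` and `alice`, the schema `alice_app` and the passwords are assumptions; `phpmyadmin` is the configuration storage database named in the question.

```sql
-- Constructed example: 'pma', 'alice', 'alice_app' and both passwords are placeholders.

-- 1. Control account: the only account that reads and writes the configuration
--    storage. phpMyAdmin logs in with it through the controluser / controlpass
--    settings in config.inc.php, so end users never need rights on this schema.
CREATE USER 'pma'@'localhost' IDENTIFIED BY 'CHANGE_ME_control_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON `phpmyadmin`.* TO 'pma'@'localhost';

-- 2. Ordinary user: privileges on their own schema only. Nothing on phpmyadmin
--    and nothing ON *.*, because a global privilege applies to every database.
CREATE USER 'alice'@'localhost' IDENTIFIED BY 'CHANGE_ME_user_password';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP
    ON `alice_app`.* TO 'alice'@'localhost';

-- 3. Audit: database-level grants that reach the phpmyadmin schema for any
--    account other than the control account. mysql.db.Db stores a LIKE
--    pattern, so match the schema name against it to catch wildcard grants.
SELECT User, Host, Db
FROM mysql.db
WHERE 'phpmyadmin' LIKE Db
  AND User <> 'pma';

-- 4. Audit: table-level grants inside the phpmyadmin schema.
SELECT User, Host, Table_name, Table_priv
FROM mysql.tables_priv
WHERE Db = 'phpmyadmin'
  AND User <> 'pma';

-- 5. Audit: accounts holding global write privileges, which also cover
--    phpmyadmin. Only administrative accounts should be listed here.
SELECT User, Host
FROM mysql.user
WHERE Insert_priv = 'Y' OR Update_priv = 'Y' OR Delete_priv = 'Y';

-- 6. Confirm what a given user can actually do.
SHOW GRANTS FOR 'alice'@'localhost';
```

Queries 3 and 4 should return no rows, and query 5 should list only accounts meant to administer the server.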
