[drupal-support] Installation issues

puregin puregin at puregin.org
Wed Apr 27 01:22:42 UTC 2005


On 26 Apr 2005, at 3:51 PM, Andrew Cohill wrote:

>
> On Apr 26, 2005, at 4:27 PM, Paul Greene wrote:
>>
>>
>> Between your comments, and a "MySQL in 24 Hours" book, I got the
>> databases created, and added a couple of user accounts; one with full
>> privileges, and one with select and insert (is select and insert
>> enough privileges to give a regular user?).
>>
The user associated with the Drupal database will require update and
delete privileges as well, I think, at a minimum.  Someone closer to
the database could probably give a more definitive answer.

>
> I've set up numerous Drupal sites, and have never created more than one
> user (with full privileges).  That's all you will ever need if you are
> just running Drupal.

This is probably dangerous, from a separation of privileges perspective.
The point is that if your Drupal installation is compromised, then the
attacker could at a minimum drop your database, and in fact create
much more havoc by an escalation of privileges attack of the type
which just forced the recent security upgrade of MySQL (You have
upgraded, haven't you?)

In fact, it would be best to limit delete, insert, update privileges to
tables that actually need to have rows deleted, inserted, updated by
Drupal.  That way, even if Drupal is cracked, at worst your content will
be destroyed or defaced.
Of course you should have regular backups :)

> Andrew
>

    Regards, Djun
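
Added example, not part of the original message or of Drupal's own documentation: the per-table privilege split suggested above, written as MySQL statements. The database name `drupal`, the account names, the password placeholder and the list of writable tables are assumptions to be checked against the installed Drupal version.

```sql
-- Added illustration. Names and the table list are assumptions, not
-- Drupal's documented requirements. Assumes the schema is already installed.

-- Setup quoted in the thread: one account with everything on the schema.
-- If the site is compromised, this account can DROP or ALTER any table.
-- GRANT ALL PRIVILEGES ON drupal.* TO 'drupal_full'@'localhost';

-- Restricted setup: a runtime account with no DDL rights at all.
CREATE USER 'drupal_app'@'localhost' IDENTIFIED BY 'CHANGE_ME_PLACEHOLDER';

-- Read access across the Drupal schema.
GRANT SELECT ON drupal.* TO 'drupal_app'@'localhost';

-- Row-level write access only on tables the site has to modify
-- (illustrative list; extend it table by table as errors show a real need).
GRANT INSERT, UPDATE, DELETE ON drupal.node     TO 'drupal_app'@'localhost';
GRANT INSERT, UPDATE, DELETE ON drupal.comments TO 'drupal_app'@'localhost';
GRANT INSERT, UPDATE, DELETE ON drupal.sessions TO 'drupal_app'@'localhost';

-- Check 1: the effective grants for the runtime account.
SHOW GRANTS FOR 'drupal_app'@'localhost';

-- Check 2: any schema-wide privilege other than SELECT is a finding,
-- because it applies to every table, including ones added later.
SELECT grantee, table_schema, privilege_type
FROM information_schema.schema_privileges
WHERE table_schema = 'drupal'
  AND privilege_type <> 'SELECT';

-- Check 3: the per-table write privileges, for review against the list above.
SELECT grantee, table_name, privilege_type
FROM information_schema.table_privileges
WHERE table_schema = 'drupal'
ORDER BY grantee, table_name, privilege_type;
```

Schema installs and upgrades would then run under a separate administrative account rather than the runtime one.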



