On Oct 23, 2005, at 8:01 PM, Gerhard Killesreiter wrote:
>> Frankly, I'm not too excited about adding yet another privilege to the list.

> What is the problem with that permission? Use of storage space in /tmp?

Frankly?  Laziness. 

We're happy to give any privilege to any user based on a single customer's criteria.  But making a change that affects hundreds of current sites and setting a default that affects thousands of future sites is nontrivial.  It means lots of time sifting through security reports and understanding all of the benefits and implications of such a change.  This is especially challenging when you don't know the exact nature of each application on the host, and the best policy is to start with an absolute minimum set of privileges and loosen them only as required.

For example, there were security advisories for MySQL's CREATE TEMPORARY TABLE functionality earlier this year.  These are closed now, but not having that permission available to 100's of web apps during that window of opportunity was pretty handy.

Hosts may spend the time on a question like this, which is expensive and unrewarding in a competitive marketplace.  Or they'll just effect the change or leave it entirely up to users and/or GRANT ALL, which is irresponsible.  Or they'll refuse, which leads to many Drupal support questions (see http://drupal.org/search/node/lock+tables ) and an overall barrier for Drupal.

The benefits may outweigh the costs, but there will be costs.

Unrelated, are these temporary tables being dropped?  What happens when pconnect is in use?

Allie Micka
pajunas interactive, inc.
http://www.pajunas.com

scalable web hosting and open source strategies
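
Added example, not part of the original message: the grant policy the message describes (start from a minimum, loosen per site, never GRANT ALL) written as MySQL statements, with an audit query a host could run to see who holds the two privileges under discussion. The database name, account name and password are constructed placeholders, and the four-privilege baseline is an assumption about what a running site needs, not a figure from the thread.

```sql
-- Constructed names: database `drupal_site1`, account 'drupal_site1'@'localhost'.
CREATE USER 'drupal_site1'@'localhost' IDENTIFIED BY 'placeholder-password';

-- The shortcut the message calls irresponsible: every privilege on the
-- database, including ones the application never exercises.
-- GRANT ALL PRIVILEGES ON drupal_site1.* TO 'drupal_site1'@'localhost';

-- Assumed minimum for a running site, scoped to a single database.
-- (Installs and schema updates need more; grant those for the duration
-- of the maintenance task and revoke them afterwards.)
GRANT SELECT, INSERT, UPDATE, DELETE
  ON drupal_site1.* TO 'drupal_site1'@'localhost';

-- Loosened only for a site that actually requires it, and only on its
-- own database, never ON *.*
GRANT CREATE TEMPORARY TABLES, LOCK TABLES
  ON drupal_site1.* TO 'drupal_site1'@'localhost';

-- Audit: which accounts hold either privilege, and on which database.
-- Run this before changing a default so the exposure is known.
SELECT GRANTEE, TABLE_SCHEMA, PRIVILEGE_TYPE
  FROM information_schema.SCHEMA_PRIVILEGES
 WHERE PRIVILEGE_TYPE IN ('CREATE TEMPORARY TABLES', 'LOCK TABLES')
 ORDER BY TABLE_SCHEMA, GRANTEE;

-- Grants made ON *.* are global and do not appear above; check them too.
SELECT GRANTEE, PRIVILEGE_TYPE
  FROM information_schema.USER_PRIVILEGES
 WHERE PRIVILEGE_TYPE IN ('CREATE TEMPORARY TABLES', 'LOCK TABLES');

-- When an advisory lands for one of these features, the privilege can be
-- withdrawn per site until the server is patched.
REVOKE CREATE TEMPORARY TABLES
  ON drupal_site1.* FROM 'drupal_site1'@'localhost';
```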