Database creation on Install
I apologize if this is not the appropriate place to ask this question but I am curious after checking out your fine development work.
Why doesn't the Drupal Installation process try to create the database if it doesn't exist already? WordPress is the same. Joomla! will use the database if it exists - and create it, provided the ID has sufficient permissions. It's just another "make things easier" step (for both the "newbie" crowd, but also developers testing/working).
I was curious if there were security concerns? Or, if it just never seemed to be someone's itch?
Again, if I am out of place with this question, please let me know, and forgive my ignorance.
Kind regards, Amy :)
This has not yet been attempted (I think) simply because most people do not install with a user with sufficient rights to create a database, and therefore there is no need for most people. Please correct me if I'm wrong.
Dmitri
On Nov 13, 2008, at 9:17 PM, Amy Stephen wrote:
I apologize if this is not the appropriate place to ask this question but I am curious after checking out your fine development work.
Why doesn't the Drupal Installation process try to create the database if it doesn't exist already? WordPress is the same. Joomla! will use the database if it exists - and create it, provided the ID has sufficient permissions. It's just another "make things easier" step (for both the "newbie" crowd, but also developers testing/working).
I was curious if there were security concerns? Or, if it just never seemed to be someone's itch?
Again, if I am out of place with this question, please let me know, and forgive my ignorance.
Nope, this is the right place.
Kind regards, Amy :)
On 14-Nov-08, at 12:23 AM, Dmitri Gaskin wrote:
This has not yet been attempted (I think) simply because most people do not install with a user with sufficient rights to create a database, and therefore there is no need for most people
In most setups I've encountered, if you can CREATE DATABASE you can also DROP DATABASE. Not really something I want *any* Drupal install to be able to do :).
I would actually suggest the other way around, and that if Drupal detects that it can do such things that it sets a warning, just like how it does if the permissions on settings.php are too lax.
--Andrew
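Andrew Berry's suggestion above (have the installer warn when its database account can do server-wide things), sketched as an added example that is not part of the original thread and is not Drupal code. The helper name `audit_db_grants()` and the sample grant rows are hypothetical; the rows follow the format MySQL prints for `SHOW GRANTS`.

```php
<?php
// Added example, not Drupal code: audit_db_grants() is a hypothetical helper.

/**
 * Flag server-wide privileges in the rows returned by SHOW GRANTS.
 *
 * @param string[] $grants One "GRANT ... ON ... TO ..." statement per row.
 * @return string[] Warnings; empty when no global privilege is flagged.
 */
function audit_db_grants(array $grants): array {
  $risky = ['ALL PRIVILEGES', 'CREATE', 'DROP', 'GRANT OPTION'];
  $warnings = [];
  foreach ($grants as $grant) {
    // Split "GRANT <privileges> ON <scope> TO <account and options>".
    if (!preg_match('/^GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s+(.*)$/i', $grant, $m)) {
      continue;
    }
    [, $privs, $scope, $tail] = $m;
    if ($scope !== '*.*') {
      continue; // Only the global scope (every database) is checked here.
    }
    // Exact names only, so "CREATE VIEW" is not mistaken for "CREATE".
    $held = array_map('trim', explode(',', strtoupper($privs)));
    if (stripos($tail, 'WITH GRANT OPTION') !== false) {
      $held[] = 'GRANT OPTION';
    }
    foreach (array_intersect($risky, $held) as $priv) {
      $warnings[] = "Database account holds $priv on *.* (every database).";
    }
  }
  return $warnings;
}

// Constructed rows; in an installer they would come from running
// SHOW GRANTS FOR CURRENT_USER() on the connection being configured.
$admin_style_account = [
  "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
];
$site_style_account = [
  "GRANT USAGE ON *.* TO 'drupal'@'localhost'",
  "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON `drupal`.* TO 'drupal'@'localhost'",
];

foreach (audit_db_grants($admin_style_account) as $w) {
  echo "WARNING: $w\n";
}
echo count(audit_db_grants($site_style_account)), " warning(s) for the site account\n";
```

A `DROP` grant scoped to `drupal`.* is not flagged here, yet in MySQL it still allows dropping that one database, so the check narrows what the web-facing account can destroy rather than eliminating it.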
Andrew Berry wrote:
In most setups I've encountered, if you can CREATE DATABASE you can also DROP DATABASE. Not really something I want *any* Drupal install to be able to do :).
The feature request suggested by Yannick is *just* about CREATE DATABASE, nothing about DROP... Just to annotate.
Blessings!
The J! install works like this:
1 - if the database doesn't exist - it's created.
2 - if the database exists - and there are existing tables -
    a) the existing tables are backed up (default)
    b) the existing tables are dropped (you have to choose this option)
The database is never dropped.
On Tue, Nov 18, 2008 at 8:40 PM, Andrew Berry <andrewberry@sentex.net> wrote:
On 14-Nov-08, at 12:23 AM, Dmitri Gaskin wrote:
This has not yet been attempted (I think) simply because most people do not install with a user with sufficient rights to create a database, and therefore there is no need for most people
In most setups I've encountered, if you can CREATE DATABASE you can also DROP DATABASE. Not really something I want *any* Drupal install to be able to do :).
I would actually suggest the other way around, and that if Drupal detects that it can do such things that it sets a warning, just like how it does if the permissions on settings.php are too lax.
--Andrew
On Tuesday 18 November 2008 at 21:40 -0500, Andrew Berry wrote:
On 14-Nov-08, at 12:23 AM, Dmitri Gaskin wrote:
This has not yet been attempted (I think) simply because most people do not install with a user with sufficient rights to create a database, and therefore there is no need for most people
In most setups I've encountered, if you can CREATE DATABASE you can also DROP DATABASE. Not really something I want *any* Drupal install to be able to do :).
Considering Drupal is open-source and, as such, its database structure is pretty much public, I can't see much difference in the results between a "DROP DATABASE x" and several "DELETE FROM TABLE x" ...and I'm pretty sure Drupal needs a delete permission for most tables.
Yannick
On Friday 14 November 2008 07:17:39 Amy Stephen wrote:
I apologize if this is not the appropriate place to ask this question but I am curious after checking out your fine development work.
Why doesn't the Drupal Installation process try to create the database if it doesn't exist already? WordPress is the same. Joomla! will use the database if it exists - and create it, provided the ID has sufficient permissions. It's just another "make things easier" step (for both the "newbie" crowd, but also developers testing/working).
I was curious if there were security concerns? Or, if it just never seemed to be someone's itch?
Again, if I am out of place with this question, please let me know, and forgive my ignorance.
Kind regards, Amy :)
because many of the hostings do not allow creating db from php-scripts.
dmitry danilevsky wrote:
On Friday 14 November 2008 07:17:39 Amy Stephen wrote:
I apologize if this is not the appropriate place to ask this question but I am curious after checking out your fine development work.
Why doesn't the Drupal Installation process try to create the database if it doesn't exist already? WordPress is the same. Joomla! will use the database if it exists - and create it, provided the ID has sufficient permissions. It's just another "make things easier" step (for both the "newbie" crowd, but also developers testing/working).
I was curious if there were security concerns? Or, if it just never seemed to be someone's itch?
Again, if I am out of place with this question, please let me know, and forgive my ignorance.
Kind regards, Amy :)
If they already why don't we do?...
because many of the hostings do not allow creating db from php-scripts.
Consider there are lots of people working with a local copy, hostings are just a scenario but we can't just *cut* others without a good reason.
Blessings!
There are also security reasons. It's not good for Apache to have such powerful permissions. It raises the stakes on security. Ultimately the easiest installer is operated outside of the Apache user.
Laura
On Nov 13, 2008, at 11:29 PM, Fernando P. García wrote:
dmitry danilevsky wrote:
On Friday 14 November 2008 07:17:39 Amy Stephen wrote:
I apologize if this is not the appropriate place to ask this question but I am curious after checking out your fine development work.
Why doesn't the Drupal Installation process try to create the database if it doesn't exist already? WordPress is the same. Joomla! will use the database if it exists - and create it, provided the ID has sufficient permissions. It's just another "make things easier" step (for both the "newbie" crowd, but also developers testing/working).
I was curious if there were security concerns? Or, if it just never seemed to be someone's itch?
Again, if I am out of place with this question, please let me know, and forgive my ignorance.
Kind regards, Amy :)
If they already why don't we do?...
because many of the hostings do not allow creating db from php-scripts.
Consider there are lots of people working with a local copy, hostings are just a scenario but we can't just *cut* others without a good reason.
Blessings!
Drupal installers which automatically create databases are available. For an example, see http://packages.debian.org/etch-backports/drupal5.
On Nov 14, 2008, at 12:19 PM, Laura Scott wrote:
There are also security reasons. It's not good for Apache to have such powerful permissions. It raises the stakes on security. Ultimately the easiest installer is operated outside of the Apache user.
Laura
Caveat: They are almost always out of date. After installation, you would want to immediately do security updates. http://drupal.org/security
Note also that some installers do not play well with manual modification of code/module installs after the fact.
Laura
On Nov 14, 2008, at 10:29 AM, Darren Oh wrote:
Drupal installers which automatically create databases are available. For an example, see http://packages.debian.org/etch-backports/drupal5 .
On Nov 14, 2008, at 12:19 PM, Laura Scott wrote:
There are also security reasons. It's not good for Apache to have such powerful permissions. It raises the stakes on security. Ultimately the easiest installer is operated outside of the Apache user.
Laura
Thanks, Darren, I'll take a look at that, with Laura's advice on currency in mind.
On Fri, Nov 14, 2008 at 11:29 AM, Darren Oh <darrenoh@sidepotsinternational.com> wrote:
Drupal installers which automatically create databases are available. For an example, see http://packages.debian.org/etch-backports/drupal5.
On Nov 14, 2008, at 12:19 PM, Laura Scott wrote:
There are also security reasons. It's not good for Apache to have such powerful permissions. It raises the stakes on security. Ultimately the easiest installer is operated outside of the Apache user.
Laura
It would have to be a powerful user, like root (w00t!) or a user that has MySQL create database authority. PHP is simply creating a pipe to MySQL - through Apache - but it is the MySQL user credentials that would allow or prohibit this action.
It's a nicety for local development, although not a show stopper in any sense. If the local user doesn't have authority, it would error out in a manner similar to how the install errors now.
But, I could be way off base here. Thanks for everyone's response. :-)
On Fri, Nov 14, 2008 at 11:19 AM, Laura Scott <pinglaura@gmail.com> wrote:
There are also security reasons. It's not good for Apache to have such powerful permissions. It raises the stakes on security. Ultimately the easiest installer is operated outside of the Apache user.
Laura
On Nov 13, 2008, at 11:29 PM, Fernando P. García wrote:
dmitry danilevsky wrote:
On Friday 14 November 2008 07:17:39 Amy Stephen wrote:
I apologize if this is not the appropriate place to ask this question but I am curious after checking out your fine development work.
Why doesn't the Drupal Installation process try to create the database if it doesn't exist already? WordPress is the same. Joomla! will use the database if it exists - and create it, provided the ID has sufficient permissions. It's just another "make things easier" step (for both the "newbie" crowd, but also developers testing/working).
I was curious if there were security concerns? Or, if it just never seemed to be someone's itch?
Again, if I am out of place with this question, please let me know, and forgive my ignorance.
Kind regards, Amy :)
If they already why don't we do?...
because many of the hostings do not allow creating db from php-scripts.
Consider there are lots of people working with a local copy, hostings are just a scenario but we can't just *cut* others without a good reason.
Blessings!
On Thursday 13 November 2008 at 23:17 -0600, Amy Stephen wrote:
I apologize if this is not the appropriate place to ask this question but I am curious after checking out your fine development work.
Why doesn't the Drupal Installation process try to create the database if it doesn't exist already? WordPress is the same. Joomla! will use the database if it exists - and create it, provided the ID has sufficient permissions. It's just another "make things easier" step (for both the "newbie" crowd, but also developers testing/working).
I was curious if there were security concerns? Or, if it just never seemed to be someone's itch?
Although the thread is kind of closed, I'd like to back this as a feature request, considering testing if the database exists and trying to create it doesn't even have to be visible to the final user, and would be a nice improvement to the installer's usability.
Something like:

    $create = @mysql_query('CREATE DATABASE ...');
    if ( $create === false ) {
      // ask
    } else {
      // all good, go to next step
    }

Anyway, for what it's worth, I'm just saying I think it's a good idea.
Yannick
I think a good way to do this could be let the user specify *also* an administrative database account to be used *only* during the installation, to create database / user.. then, once installed stuff that required super-user access, privileges will be dropped and the "normal" user will be used. what do you think?
best regards
~redShadow~
MediaWiki does that although it's not exactly a clear UI. I think it's a great idea. We'd have to do a better job on the UI for that.
stew
On Thu, Jan 8, 2009 at 6:27 PM, ~redShadow~ <redshadow@hackzine.org> wrote:
I think a good way to do this could be let the user specify *also* an administrative database account to be used *only* during the installation, to create database / user.. then, once installed stuff that required super-user access, privileges will be dropped and the "normal" user will be used. what do you think?
best regards
participants (10)
- "Fernando P. García"
- Amy Stephen
- Andrew Berry
- Darren Oh
- Dmitri Gaskin
- dmitry danilevsky
- Laura Scott
- Stewart Robinson
- Yannick Warnier
- ~redShadow~