On 26 Apr 2005, at 3:51 PM, Andrew Cohill wrote:
On Apr 26, 2005, at 4:27 PM, Paul Greene wrote:
Between your comments, and a "MySQL in 24 Hours" book, I got the databases created, and added a couple of user accounts; one with full privileges, and one with select and insert (is select and insert enough privileges to give a regular user?).
The user associated with the Drupal database will require update and delete privileges as well, I think, at a minimum. Someone closer to the database could probably give a more definitive answer.
I've set up numerous Drupal sites, and have never created more than one user (with full privileges). That's all you will ever need if you are just running Drupal.
This is probably dangerous, from a separation of privileges perspective. The point is that if your Drupal installation is compromised, then the attacker could at a minimum drop your database, and in fact create much more havoc by an escalation of privileges attack of the type which just forced the recent security upgrade of MySQL (You have upgraded, haven't you?)
In fact, it would be best to limit delete, insert, update privileges to tables that actually need to have rows deleted, inserted, updated by Drupal. That way, even if Drupal is cracked, at worst your content will be destroyed or defaced. Of course you should have regular backups :)
Andrew
Regards, Djun
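The two setups discussed in this thread, written out as MySQL GRANT statements (an added example, not something posted by any of the participants). The database name `drupal`, the account names, the password placeholder and the table list are assumptions for illustration; check them against the actual schema before use.

```sql
-- Added example (not from the thread). Database "drupal", accounts
-- "drupal_admin"/"drupal_app", host "localhost", the password placeholder
-- and the table names below are all assumptions.

-- 1. The single full-privilege account described in the thread.
--    A compromised Drupal install inherits everything this account has,
--    including DROP and ALTER, so the whole database can be destroyed.
CREATE USER 'drupal_admin'@'localhost' IDENTIFIED BY 'CHANGE-ME';
GRANT ALL PRIVILEGES ON drupal.* TO 'drupal_admin'@'localhost';

-- 2. Least-privilege account for the running site.
--    It may read every table, but no DROP, ALTER, CREATE, FILE or
--    GRANT OPTION, so the database cannot be dropped or restructured
--    through the web application.
CREATE USER 'drupal_app'@'localhost' IDENTIFIED BY 'CHANGE-ME';
GRANT SELECT ON drupal.* TO 'drupal_app'@'localhost';

-- Row-changing rights only on tables the site actually writes to.
-- Assumed, illustrative table list; derive the real one from the schema.
GRANT INSERT, UPDATE, DELETE ON drupal.node       TO 'drupal_app'@'localhost';
GRANT INSERT, UPDATE, DELETE ON drupal.comments   TO 'drupal_app'@'localhost';
GRANT INSERT, UPDATE, DELETE ON drupal.users      TO 'drupal_app'@'localhost';
GRANT INSERT, UPDATE, DELETE ON drupal.sessions   TO 'drupal_app'@'localhost';
GRANT INSERT, UPDATE, DELETE ON drupal.cache      TO 'drupal_app'@'localhost';
GRANT INSERT, UPDATE, DELETE ON drupal.watchdog   TO 'drupal_app'@'localhost';
GRANT INSERT, UPDATE, DELETE ON drupal.variable   TO 'drupal_app'@'localhost';

FLUSH PRIVILEGES;

-- Verify what each account can actually do after the grants:
SHOW GRANTS FOR 'drupal_admin'@'localhost';
SHOW GRANTS FOR 'drupal_app'@'localhost';
```

Schema changes (a Drupal upgrade running update.php) need CREATE and ALTER, so run those as `drupal_admin` and keep the site on `drupal_app` the rest of the time; note also that MySQL's `TRUNCATE TABLE` requires the DROP privilege, so any code that truncates a cache table instead of issuing `DELETE FROM` will fail under this grant.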