[drupal-devel] Re: drupal-devel Digest, Vol 34, Issue 65
allie at pajunas.com
Mon Oct 24 15:13:59 UTC 2005
On Oct 23, 2005, at 8:01 PM, Gerhard Killesreiter wrote:
>> Frankly, I'm not too excited about adding yet another privilege to
>> the list.
> What is the problem with that permission? Use of storage space in /
We're happy to give any privilege to any user based on a single
customer's criteria. But making a change that affects hundreds of
current sites and setting a default that affects thousands of future
sites is nontrivial. It means lots of time sifting through security
reports and understanding all of the benefits and implications of
such a change. This is especially challenging when you don't know
the exact nature of each application on the host, and the best policy
is to start with an absolute minimum set of privileges and loosen
them only as required.
For example, there were security advisories for MySQL's CREATE
TEMPORARY TABLE functionality earlier this year. These are closed
now, but not having that permission available to 100's of web apps
during that window of opportunity was pretty handy.
Hosts will may spend the time on a question like this, which is
expensive and unrewarding in a competitive marketplace. Or they'll
just effect the change or leave it entirely up to users and/or GRANT
ALL, which is irresponsible. Or they'll refuse, which leads to many
drupal support questions (see http://drupal.org/search/node/lock
+tables ) and an overall barrier for Drupal.
The benefits may outweigh the costs, but there will be costs.
Unrelated, are these temporary tables being dropped? What happens
when pconnect is in use?
pajunas interactive, inc.
scalable web hosting and open source strategies
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the drupal-devel