[drupal-devel] Re: drupal-devel Digest, Vol 34, Issue 65
Allie Micka
allie at pajunas.com
Mon Oct 24 15:13:59 UTC 2005
On Oct 23, 2005, at 8:01 PM, Gerhard Killesreiter wrote:

>> Frankly, I'm not too excited about adding yet another privilege to
>> the list.
>
> What is the problem with that permission? Use of storage space in /
> tmp?

Frankly? Laziness.

We're happy to give any privilege to any user based on a single
customer's criteria. But making a change that affects hundreds of
current sites and setting a default that affects thousands of future
sites is nontrivial. It means lots of time sifting through security
reports and understanding all of the benefits and implications of
such a change. This is especially challenging when you don't know
the exact nature of each application on the host, and the best policy
is to start with an absolute minimum set of privileges and loosen
them only as required.

For example, there were security advisories for MySQL's CREATE
TEMPORARY TABLE functionality earlier this year. These are closed
now, but not having that permission available to 100's of web apps
during that window of opportunity was pretty handy.

Hosts may spend the time on a question like this, which is
expensive and unrewarding in a competitive marketplace. Or they'll
just effect the change or leave it entirely up to users and/or GRANT
ALL, which is irresponsible. Or they'll refuse, which leads to many
drupal support questions (see
http://drupal.org/search/node/lock+tables ) and an overall barrier
for Drupal.

The benefits may outweigh the costs, but there will be costs.

Unrelated, are these temporary tables being dropped? What happens
when pconnect is in use?

Allie Micka
pajunas interactive, inc.
http://www.pajunas.com
scalable web hosting and open source strategies
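
The "absolute minimum set of privileges, loosened only as required" policy described in the message above, sketched as MySQL statements. This is an added example, not part of the original message or of Drupal; the database `drupal_site1` and the account `'site1'@'localhost'` are hypothetical, and the audit queries assume a MySQL version that provides `information_schema`.

```sql
-- Hypothetical names throughout: schema drupal_site1, account 'site1'@'localhost'
-- (the account is assumed to exist already).

-- Baseline: row-level privileges only, scoped to the one schema the site owns.
GRANT SELECT, INSERT, UPDATE, DELETE
  ON drupal_site1.* TO 'site1'@'localhost';

-- Loosen one privilege at a time, and only for the site that needs it.
GRANT CREATE TEMPORARY TABLES
  ON drupal_site1.* TO 'site1'@'localhost';

-- The shortcut the message calls irresponsible, shown commented out for contrast:
-- GRANT ALL PRIVILEGES ON drupal_site1.* TO 'site1'@'localhost';

-- Audit: which accounts hold the privileges in question, per schema.
-- A schema-level GRANT ALL appears here as one row per privilege,
-- so over-privileged accounts are listed as well.
SELECT grantee, table_schema, privilege_type
  FROM information_schema.schema_privileges
 WHERE privilege_type IN ('CREATE TEMPORARY TABLES', 'LOCK TABLES')
 ORDER BY table_schema, grantee;

-- Same check for global (*.*) grants, which apply to every schema on the host.
SELECT grantee, privilege_type
  FROM information_schema.user_privileges
 WHERE privilege_type IN ('CREATE TEMPORARY TABLES', 'LOCK TABLES')
 ORDER BY grantee;

-- Withdraw the privilege again, for instance while an advisory is open.
REVOKE CREATE TEMPORARY TABLES
  ON drupal_site1.* FROM 'site1'@'localhost';

-- A temporary table lives until its connection closes, so code that may run
-- over a long-lived connection should drop it explicitly when done
-- (tmp_example is a hypothetical table name):
DROP TEMPORARY TABLE IF EXISTS tmp_example;
```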