[drupal-devel] Re: drupal-devel Digest, Vol 34, Issue 65
chris at tinpixel.com
Mon Oct 24 16:25:29 UTC 2005
Allie Micka wrote:
> FWIW, The default value for MySQL's Create_tmp_table_priv is 'N'.
> Other hosting providers create administrative users and also site-
> specific users with minimal permissions. Odds are good that sites on
> these hosts will throw errors. We are in this category, and because
> roughly 1/3 of all sites we host use Drupal, we added the LOCK TABLES
> privilege to the list of site-user permissions. Frankly, I'm not too
> excited about adding yet another privilege to the list.

While it's annoying to have to add another permission, giving customers create
temporary table privileges really ought to be fairly standard. It poses no
security threats and has no obvious downsides other than possibly allowing the
customer to shoot themselves in the foot by filling their database quota in
one more way (they can already insert data into existing tables to fill it,
after all). The upside is that intelligent clients and software will use
temporary tables properly, and those tables will disappear when no longer
needed instead of sitting around cluttering things up.

However, this is just another aspect of the problem with anyone developing
Drupal making any kind of assumption about what "most" hosting providers'
environments look like. Drupal already assumes that the web server UID has
write access to the file system, which is false at many hosting providers --
and at the providers where it is true, it is often an ignorant security
oversight on the provider's part, not a carefully planned arrangement.

The problem is there is no one size that fits all. Moreover, the more
sophisticated the installation and operation of a piece of software, the more
likely it is to collide with these hosting provider incompatibilities. Most
of the time we should aim for the least common denominator, but sometimes that
is too low and we have to painfully choose to do things which will exclude or
make difficult the use of Drupal at some few hosting providers.
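
Added example, not part of the original message and not Drupal's or any hosting provider's own configuration: a site-specific MySQL account that carries the two privileges discussed in this thread at database scope only, with checks that they did not leak into the global grant table. The database name, account name, password placeholder and the base SELECT/INSERT/UPDATE/DELETE set are assumptions made for illustration.

```sql
-- Constructed names: database `drupal_site1`, account 'drupal_site1'@'localhost'.
CREATE USER 'drupal_site1'@'localhost'
  IDENTIFIED BY 'REPLACE-WITH-GENERATED-PASSWORD';

-- Grant on one database, never on *.*, so the account cannot lock or
-- create temporary tables in another customer's schema.
-- The four DML privileges are an assumed baseline; the thread only
-- names LOCK TABLES and CREATE TEMPORARY TABLES.
GRANT SELECT, INSERT, UPDATE, DELETE,
      LOCK TABLES, CREATE TEMPORARY TABLES
   ON `drupal_site1`.*
   TO 'drupal_site1'@'localhost';

-- Check 1: the statement-level view of what the account holds.
SHOW GRANTS FOR 'drupal_site1'@'localhost';

-- Check 2: database-scoped columns should now read 'Y'.
SELECT Db, User, Host, Lock_tables_priv, Create_tmp_table_priv
  FROM mysql.db
 WHERE User = 'drupal_site1' AND Host = 'localhost';

-- Check 3: the global columns in mysql.user must stay at 'N'.
-- A 'Y' here means the privilege applies to every database on the server.
SELECT User, Host, Lock_tables_priv, Create_tmp_table_priv,
       File_priv, Super_priv, Grant_priv
  FROM mysql.user
 WHERE User = 'drupal_site1' AND Host = 'localhost';

-- Check 4 (run while connected AS the site account): a temporary table
-- is visible only to this session and is dropped when the session ends.
CREATE TEMPORARY TABLE tmp_priv_check (id INT);
INSERT INTO tmp_priv_check VALUES (1);
SELECT COUNT(*) FROM tmp_priv_check;
DROP TEMPORARY TABLE tmp_priv_check;
```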