[drupal-devel] Re: drupal-devel Digest, Vol 34, Issue 65

Chris Johnson chris at tinpixel.com
Mon Oct 24 16:25:29 UTC 2005


Allie Micka wrote:

> FWIW, The default value for MySQL's Create_tmp_table_priv is 'N'.


> Other hosting providers create administrative users and also
> site-specific users with minimal permissions.  Odds are good that sites on
> these hosts will throw errors.  We are in this category, and because  
> roughly 1/3 of all sites we host use Drupal, we added the LOCK TABLES  
> privilege to the list of site-user permissions.  Frankly, I'm not too  
> excited about adding yet another privilege to the list.

While it's annoying to have to add another permission, giving customers create 
temporary table privileges really ought to be fairly standard.  It poses no 
security threats and has no obvious downsides other than possibly allowing the 
customer to shoot themselves in the foot by filling their database quota in 
one more way (they can already insert data into existing tables to fill it, 
after all).  The upside is that intelligent clients and software will use 
temporary tables properly, and those tables will disappear when no longer 
needed instead of sitting around cluttering things up.

However, this is just another aspect of the problem with anyone developing 
Drupal making any kind of assumption about what "most" hosting providers' 
environments look like.  Drupal already assumes that the web server UID has 
write access to the file system, which is false at many hosting providers -- 
and at the providers where it is true, it is often an ignorant security 
oversight on the provider's part, not a carefully planned arrangement.

The problem is there is no one size that fits all.  Moreover, the more 
sophisticated the installation and operation of a piece of software, the more 
likely it is to collide with these hosting provider incompatibilities.  Most 
of the time we should aim for the least common denominator, but sometimes that 
is too low and we have to painfully choose to do things which will exclude or 
make difficult the use of Drupal at some few hosting providers.

--
chrisxj
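
Added example, not part of the original message or of Drupal's own code: a preflight check that parses `SHOW GRANTS` output for a site-specific user and reports which of the two privileges discussed in this thread are missing on a given database, so an installer can stop with a clear message instead of throwing query errors. The user, host and database names are constructed, and the parser assumes database names without spaces.

```python
import re

# Privileges named in the thread. MySQL grants both only at global (*.*)
# or database (`db`.*) scope, so table-level grants are ignored.
REQUIRED = {"CREATE TEMPORARY TABLES", "LOCK TABLES"}
GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO ", re.I)

def _db_regex(pattern):
    """Translate a MySQL database-name pattern (_ and % wildcards, backslash escapes)."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))  # escaped char is literal
            i += 2
            continue
        out.append(".*" if ch == "%" else "." if ch == "_" else re.escape(ch))
        i += 1
    return "".join(out)

def _covers(scope, database):
    """True if a grant scope (*.* or `db`.*) applies to the whole database."""
    if scope == "*.*":
        return True
    db, _, obj = scope.rpartition(".")
    if obj != "*":
        return False  # table- or column-level grant
    return re.fullmatch(_db_regex(db.strip("`")), database) is not None

def missing_privileges(grant_lines, database):
    """Return the REQUIRED privileges that no grant line gives on `database`."""
    held = set()
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m or not _covers(m.group("scope"), database):
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        held |= REQUIRED if privs & {"ALL", "ALL PRIVILEGES"} else privs & REQUIRED
    return sorted(REQUIRED - held)

# Constructed sample: SHOW GRANTS output for a hypothetical site-specific user.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'site_user'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, "
    "LOCK TABLES ON `drupal\\_site`.* TO 'site_user'@'localhost'",
]

if __name__ == "__main__":
    print(missing_privileges(SAMPLE_GRANTS, "drupal_site"))
```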



