Re: [cobalt-users] Re: MySql
- Subject: Re: [cobalt-users] Re: MySql
- From: jens@xxxxxxxxxxxxxxxxxxxx (Jens Kristian Søgaard)
- Date: Tue Jan 9 12:29:01 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Brent Sims <brent@xxxxxxxxxxx> writes:
> } the run GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,REFERENCES,DROP,INDEX,ALTER
> } ON userdatabase.* TO 'username'@'domain.com' IDENTIFIED BY 'password'
> No insult intended or implied, keep on helping but this
> is a very very - EXTREMELY bad idea. MySQL DROP privileges are
> server wide, that is, any user with DROP privileges can DROP any
> database on that server, including the database in which MySQL
> privileges are stored. While not nearly as easily abused, good
This is NOT correct. The context for the DROP privilege is clearly
stated in the GRANT command.
In the example above, the user will only be able to drop TABLES within
the userdatabase database.
I.e. he can only delete his own data. This is correct!
> MySQL Admins are very careful about who they grant GRANT, ALTER,
> FILE, SHUTDOWN and PROCESS privileges to as they too can easily and
> will be used against you.
I agree that you do not give FILE, SHUTDOWN or PROCESS privileges to
anyone other than co-sysadmins.
The GRANT privilege is in a "grey zone": it can be useful - and it
can be used "against" the sysadmin's intentions (i.e. users sharing
their privileges among them).
I however see no problem giving out the ALTER privilege on a specific
database to a user. This will enable the user to "correct" a table
(i.e. correct a spelling error, add a new column if needed, etc.).
> This is all clearly explained in the "Privileges provided by
> MySQL" section of the MySQL user manual. If you are going to run a
> MySQL server that can be accessed by users my opinion is that you
> really ought to at least think about reading the entire section
> mentioned above very carefully, at least twice, before you even
> think of putting that server on line.
Well, I would suggest that you reread the whole privileges chapter of
the manual. You seem to have missed the very important keyword
_context_.
The context that you give the privilege in decides whether a DROP
privilege means being able to drop tables, your own database or ALL
databases.
--
Jens Kristian Søgaard, Mermaid Consulting I/S,
jens@xxxxxxxxxxxxxxxxxxxx,
http://www.mermaidconsulting.com/
* We offer traffic statistics software for RaQs
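
The privilege scoping discussed in this thread, as an added example that is not part of the original message: a grant limited to `userdatabase.*`, followed by checks of where the server recorded it and an audit for accounts holding the same privileges server-wide. The `CREATE USER` form assumes MySQL 5.7 or later (the thread predates it), and the account name, host and password are constructed placeholders.

```sql
-- Constructed names and password; CREATE USER ... IF NOT EXISTS assumes MySQL 5.7+.
CREATE DATABASE IF NOT EXISTS userdatabase;
CREATE USER IF NOT EXISTS 'username'@'domain.com' IDENTIFIED BY 'change-me';

-- Database-level grant: DROP and ALTER apply only to objects in userdatabase.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, REFERENCES, DROP, INDEX, ALTER
    ON userdatabase.* TO 'username'@'domain.com';

-- Confirm the scope the server recorded for this account.
-- The privilege list should appear with ON `userdatabase`.*, not ON *.*.
SHOW GRANTS FOR 'username'@'domain.com';

-- Database-level grants are stored in mysql.db, one row per account and database.
SELECT Host, User, Db, Drop_priv, Alter_priv, Grant_priv
  FROM mysql.db
 WHERE User = 'username';

-- Global grants (ON *.*) are stored in mysql.user. Every row returned here is
-- an account whose DROP, FILE, SHUTDOWN, PROCESS or GRANT OPTION privilege
-- applies to the whole server and should belong to an administrator.
SELECT Host, User, Drop_priv, File_priv, Shutdown_priv, Process_priv, Grant_priv
  FROM mysql.user
 WHERE 'Y' IN (Drop_priv, File_priv, Shutdown_priv, Process_priv, Grant_priv);

-- If a non-administrative account appears in the audit above, remove its
-- global privileges; its rows in mysql.db are left untouched.
-- 'someuser'@'somehost' is a placeholder for the account found.
-- REVOKE DROP, FILE, SHUTDOWN, PROCESS ON *.* FROM 'someuser'@'somehost';
```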