Topic on Project:Support desk

MySQL/MariaDB database user privileges

Jonathan3 (talkcontribs)

A summary of Topic:Vxp20ag9d6zw5qeo from a year ago is that, despite the Manual:Installing MediaWiki (and other) instructions saying to GRANT ALL PRIVILEGES to the (normal) user, it is better to:

  1. For the normal user, just grant SELECT, INSERT, UPDATE, LOCK TABLES and DELETE.
  2. Create an admin user, with less than ALL privileges, and set Manual:$wgDBadminuser.

My questions are (2 and 3 are new):

  1. Is the above still the correct advice for the normal user? (I didn't forgot to do anything about it last year!)
  2. Are there any extensions that would require more than the above (e.g. Cargo, DPL3, External Data, ReplaceText...)?
  3. Which exact privileges should the admin user be granted?

Thanks.

Bawolff (talkcontribs)

1. Generally yes - it's more secure to grant less privs.


The key privs to restrict are SUPER and FILE which are very dangerous, but the more locked down the better.

2. Yes. Most don't but I think Cargo and SMW require more.

3. At the very least, privs to create tables, create indexes, and alter tables. There might be others but those are what comes to mind.

Generally you can go restricted, wait for errors, and add things as necessary.

Jonathan3 (talkcontribs)
Ciencia Al Poder (talkcontribs)

My database user has only SELECT, INSERT, UPDATE, DELETE privileges on all objects of the wiki database, while the admin one has all privileges. We don't use Cargo, SMW nor other extensions that would require further privileges.
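
The split discussed in this thread, written out as SQL with checks for the two privileges called out as dangerous. This is an added example and not part of any post above; the database name `wikidb`, the accounts `wikiuser` and `wikiadmin`, the `localhost` host and the passwords are assumptions, and the admin list contains only the privileges named in the thread, so extensions or upgrades may need more.

```sql
-- Assumed names: database wikidb, accounts wikiuser / wikiadmin, host localhost.
-- Run as a MySQL/MariaDB account that is allowed to create users and grant.

CREATE USER 'wikiuser'@'localhost'  IDENTIFIED BY 'REPLACE_WITH_PASSWORD_1';
CREATE USER 'wikiadmin'@'localhost' IDENTIFIED BY 'REPLACE_WITH_PASSWORD_2';

-- On an existing wiki set up with GRANT ALL PRIVILEGES, drop the broad
-- database-level grant first instead of creating the account:
--   REVOKE ALL PRIVILEGES ON wikidb.* FROM 'wikiuser'@'localhost';

-- Normal account (the one MediaWiki uses for page views and edits, $wgDBuser).
GRANT SELECT, INSERT, UPDATE, DELETE, LOCK TABLES
    ON wikidb.* TO 'wikiuser'@'localhost';

-- Admin account ($wgDBadminuser): the same plus the schema privileges
-- named in the thread (create tables, create indexes, alter tables).
GRANT SELECT, INSERT, UPDATE, DELETE, LOCK TABLES, CREATE, INDEX, ALTER
    ON wikidb.* TO 'wikiadmin'@'localhost';

-- Check 1: what each account actually holds.
SHOW GRANTS FOR 'wikiuser'@'localhost';
SHOW GRANTS FOR 'wikiadmin'@'localhost';

-- Check 2: neither account may hold any global (ON *.*) privilege.
-- SUPER and FILE are global-only, so they would show up here.
-- Expected result: zero rows.
SELECT GRANTEE, PRIVILEGE_TYPE
  FROM information_schema.USER_PRIVILEGES
 WHERE GRANTEE IN ('''wikiuser''@''localhost''', '''wikiadmin''@''localhost''')
   AND PRIVILEGE_TYPE <> 'USAGE';

-- Check 3: the normal account holds nothing on wikidb beyond the short list.
-- Expected result: zero rows.
SELECT PRIVILEGE_TYPE
  FROM information_schema.SCHEMA_PRIVILEGES
 WHERE GRANTEE = '''wikiuser''@''localhost'''
   AND TABLE_SCHEMA = 'wikidb'
   AND PRIVILEGE_TYPE NOT IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE', 'LOCK TABLES');
```

If an extension or a maintenance script later fails with a "command denied" error, add the single privilege the error names to the account that needs it and rerun the checks.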
