mrjasongorman

MySQL Permissions

5 posts in this topic

I'm just wondering exactly what MySQL permissions are required for ProcessWire? From a security point of view I would prefer to lock down the MySQL user that ProcessWire uses to the least amount of privileges needed.

I guess it's SELECT, INSERT, UPDATE, DELETE, but do any modules create additional indexes?

Any help on this would be great.

42 minutes ago, Francesco Bortolussi said:

From what I saw, ProcessWire needs to CREATE tables and indexes too.

True


Each new field must be able to create its own table and corresponding indexes. Few modules do create their own tables as well.


Looking at the requirements, I think these privileges should be enough?

Data: SELECT, INSERT, UPDATE, DELETE

Definition: CREATE, ALTER, DROP

Extra: INDEX

Similar to this requirement from WordPress... http://wordpress.stackexchange.com/questions/6424/mysql-database-user-which-privileges-are-needed

Also points out a nice config conditional trick whereby a higher-privileged DB user is used in the admin area, and normal pages use lower privileges (possibly just SELECT).

Hope this helps keep ProcessWire setups even more secure.

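The privilege set and the two-account split discussed in the posts above, written out as MySQL statements with checks for anything granted beyond them. This is an added example, not part of the original posts or of ProcessWire; the schema name `processwire`, the account names `pw_admin` and `pw_front`, the host `localhost` and the placeholder passwords are assumptions.

```sql
-- Added example. Assumed names: schema `processwire`, accounts pw_admin and
-- pw_front, host localhost. Replace the placeholder passwords before use.

-- Account for the admin area: the privilege set listed in the thread,
-- scoped to one schema (not *.*) and without GRANT OPTION.
CREATE USER 'pw_admin'@'localhost' IDENTIFIED BY '<PLACEHOLDER_ADMIN_PASSWORD>';
GRANT SELECT, INSERT, UPDATE, DELETE,   -- data
      CREATE, ALTER, DROP,              -- definition (new fields create tables)
      INDEX                             -- extra
   ON `processwire`.* TO 'pw_admin'@'localhost';

-- Account for public pages: SELECT only, as the thread suggests may be possible.
-- Assumption, not verified here: a front end that writes to the database
-- (forms, database-backed sessions, caches) will need more than SELECT.
CREATE USER 'pw_front'@'localhost' IDENTIFIED BY '<PLACEHOLDER_FRONT_PASSWORD>';
GRANT SELECT ON `processwire`.* TO 'pw_front'@'localhost';

-- Check 1: what each account actually holds.
SHOW GRANTS FOR 'pw_admin'@'localhost';
SHOW GRANTS FOR 'pw_front'@'localhost';

-- Check 2: global (*.*) privileges. Run as an administrative account.
-- Expected result: zero rows, since both accounts should hold only USAGE.
SELECT GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE
  FROM information_schema.USER_PRIVILEGES
 WHERE GRANTEE IN ('''pw_admin''@''localhost''', '''pw_front''@''localhost''')
   AND (PRIVILEGE_TYPE <> 'USAGE' OR IS_GRANTABLE = 'YES');

-- Check 3: schema-level privileges on any other schema, outside the intended
-- set, or grantable to others. Expected result: zero rows.
SELECT GRANTEE, TABLE_SCHEMA, PRIVILEGE_TYPE, IS_GRANTABLE
  FROM information_schema.SCHEMA_PRIVILEGES
 WHERE GRANTEE IN ('''pw_admin''@''localhost''', '''pw_front''@''localhost''')
   AND (TABLE_SCHEMA <> 'processwire'
        OR PRIVILEGE_TYPE NOT IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE',
                                  'CREATE', 'ALTER', 'DROP', 'INDEX')
        OR IS_GRANTABLE = 'YES');
```

The site configuration would then choose between the two accounts depending on whether the request is for the admin area, which is the conditional trick the linked answer describes.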
