
#1 2011-06-30 23:19:02

mromani
Member
Registered: 2011-06-30
Posts: 5

Different mysql username / password for installation and use

Hi,
I think the database security can be increased slightly if one creates two mysql users, e.g. glpi_dba and glpi_app. The _dba user must have the create, drop, etc. (i.e. DDL statements) privileges on the glpi database, whereas the _app one should only have the SELECT, UPDATE, INSERT, DELETE privileges.

Here are my steps to manually deploy this scenario:

in mysql, as root:
CREATE DATABASE glpi;
GRANT ALL PRIVILEGES ON glpi.* TO 'glpi_dba'@'localhost' IDENTIFIED BY '<dba password>';
GRANT SELECT,UPDATE,INSERT,DELETE ON glpi.* TO 'glpi_app'@'localhost' IDENTIFIED BY '<app password>';
FLUSH PRIVILEGES;

I then installed GLPI and gave the _dba username / password pair when requested, so the database could be initialized (i.e. tables created, etc.).

After verifying that everything was working as expected, I edited config/config_db.php and substituted the _dba username and password with the _app ones.

The glpi application works fine, while potentially dangerous DDL statements (which could be executed by SQL injection attacks, for example, or even by accidental disclosure of the config_db.php file contents) are prevented.

My 2 (euro) cents.

Any comments / suggestions / criticism welcome.

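The two-account split described in the post above, as an added example that is not part of the original post or of the GLPI project. It is written for MySQL 8 / MariaDB, where GRANT ... IDENTIFIED BY is no longer accepted and CREATE USER is a separate statement, and it adds the checks a DBA would run after the switch. The passwords and the 'localhost' host part are placeholders (assumptions); glpi_users is a real GLPI table and is used only as a harmless target for the DDL refusal test.

```sql
-- Added example, not from the original post or from GLPI.
-- Placeholder passwords and the 'localhost' host part are assumptions.

-- Part 1: run as root (or any account holding GRANT OPTION on glpi.*).
CREATE DATABASE IF NOT EXISTS glpi
  CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;

-- Installation / upgrade account: DDL allowed, but scoped to glpi.* only,
-- so it still cannot touch other schemas or the mysql.* grant tables.
CREATE USER IF NOT EXISTS 'glpi_dba'@'localhost'
  IDENTIFIED BY 'dba-password-placeholder';
GRANT ALL PRIVILEGES ON glpi.* TO 'glpi_dba'@'localhost';

-- Runtime account: DML only. No CREATE/ALTER/DROP, no GRANT OPTION,
-- and no global privileges such as FILE (INTO OUTFILE) or SUPER.
CREATE USER IF NOT EXISTS 'glpi_app'@'localhost'
  IDENTIFIED BY 'app-password-placeholder';
GRANT SELECT, INSERT, UPDATE, DELETE ON glpi.* TO 'glpi_app'@'localhost';

FLUSH PRIVILEGES;

-- Check 1: what each account actually holds. The glpi_app line must list
-- only SELECT, INSERT, UPDATE, DELETE ON `glpi`.* and nothing global.
SHOW GRANTS FOR 'glpi_dba'@'localhost';
SHOW GRANTS FOR 'glpi_app'@'localhost';

-- Check 2: confirm the runtime account has no global privilege bits set
-- (all of these should read 'N' for glpi_app).
SELECT User, Host, Create_priv, Drop_priv, Alter_priv, File_priv, Super_priv
  FROM mysql.user
 WHERE User = 'glpi_app';

-- Part 2: run while connected AS glpi_app, after config/config_db.php has
-- been switched from the _dba to the _app credentials.
-- DML keeps working:
SELECT COUNT(*) FROM glpi_users;

-- DDL is refused. Expected:
--   ERROR 1142 (42000): CREATE command denied to user 'glpi_app'@'localhost'
--   for table 'glpi_should_fail'
CREATE TABLE glpi_should_fail (id INT);

-- Likewise refused (DROP command denied), which is the scenario the post
-- is guarding against for an injected or leaked-credential query:
DROP TABLE glpi_users;
```

Two practical notes on this setup. First, the restriction is about blast radius, not elimination: SELECT and UPDATE on glpi.* still let an injected query read or rewrite every row, including glpi_users, so it stops schema destruction and file writes (no FILE privilege) rather than data exposure. Second, whenever GLPI or a plugin needs to create or alter tables (install, upgrade, and, as the reply below notes, some plugins even at runtime), config/config_db.php has to be pointed back at glpi_dba for that operation and then returned to glpi_app.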

#2 2011-07-01 07:43:38

remi
GLPI-DEV
From: Champagne
Registered: 2007-04-28
Posts: 7,127

Re: Different mysql username / password for installation and use

Yes, it seems to be a good "dba" practice.

Remember that plugins also need DDL statements during install / update, or (for some) even during normal use.
For example, reports (until 1.4.1, when a new report is detected, fixed/improved in 1.5.0), custom_fields, ...


Dev. Fedora 29 - PHP 5.6/7.0/7.1/7.2/7.3/7.4 - MariaDB 10.3 - GLPI master
ITILv3 certified - RPMs for Fedora, RHEL and CentOS at https://blog.remirepo.net/
