Hi,
I think the database security can be increased slightly if one creates two MySQL users, e.g. glpi_dba and glpi_app. The _dba user must have the create, drop, etc. (i.e. DDL statements) privileges on the glpi database, whereas the _app one should only have the SELECT,UPDATE,INSERT,DELETE privileges.
Here are my steps to manually deploy this scenario:
In MySQL, as root:
CREATE DATABASE glpi;
GRANT ALL PRIVILEGES ON glpi.* TO 'glpi_dba'@'localhost' IDENTIFIED BY '<dba password>';
GRANT SELECT,UPDATE,INSERT,DELETE ON glpi.* TO 'glpi_app'@'localhost' IDENTIFIED BY '<app password>';
FLUSH PRIVILEGES;
I then installed GLPI and gave the _dba username / password couple when requested, so the database could be initialized (i.e. tables created, etc.)
After verifying that everything was working as expected, I edited config/config_db.php and substituted the _dba username and password with the _app ones.
The glpi application works fine, while potentially dangerous DDL statements (which could be executed by SQL injection attacks, for example, or even by accidental disclosure of the config_db.php file contents) are prevented.
My 2 (euro) cents.
Any comments / suggestions / criticism welcome.
Yes, it seems to be a good "dba" practice.
Remember that plugins also need DDL statements during install / update, or (for some) even during normal use.
For example, reports (until 1.4.1, when a new report is detected, fixed/improved in 1.5.0), custom_fields, ...
Dev. Fedora 29 - PHP 5.6/7.0/7.1/7.2/7.3/7.4 - MariaDB 10.3 - GLPI master
ITILv3 certified - RPMs for Fedora, RHEL and CentOS at https://blog.remirepo.net/
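Added example, not part of either post: one way to audit the two-account split from the first post and to check, before a plugin install or update as raised in the reply, that the DDL-capable account still has what it needs. The schema and account names are the ones used in the thread; the table name priv_check_tmp is hypothetical.

```sql
-- Run as root: accounts without read access to the mysql system schema
-- generally see only their own rows in these views.
-- Names follow the thread: schema glpi, accounts glpi_app and glpi_dba.
-- GRANTEE values are stored with their quotes, hence the doubled quotes.

-- 1. Anything glpi_app holds beyond SELECT/INSERT/UPDATE/DELETE on glpi.
--    An empty result set means the account matches the plan.
SELECT 'global' AS scope, NULL AS object_name, PRIVILEGE_TYPE, IS_GRANTABLE
  FROM information_schema.USER_PRIVILEGES
 WHERE GRANTEE = '''glpi_app''@''localhost'''
   AND PRIVILEGE_TYPE <> 'USAGE'
UNION ALL
SELECT 'schema', TABLE_SCHEMA, PRIVILEGE_TYPE, IS_GRANTABLE
  FROM information_schema.SCHEMA_PRIVILEGES
 WHERE GRANTEE = '''glpi_app''@''localhost'''
   AND (TABLE_SCHEMA <> 'glpi'
        OR PRIVILEGE_TYPE NOT IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE')
        OR IS_GRANTABLE = 'YES')
UNION ALL
SELECT 'table', CONCAT(TABLE_SCHEMA, '.', TABLE_NAME), PRIVILEGE_TYPE, IS_GRANTABLE
  FROM information_schema.TABLE_PRIVILEGES
 WHERE GRANTEE = '''glpi_app''@''localhost'''
   AND (TABLE_SCHEMA <> 'glpi'
        OR PRIVILEGE_TYPE NOT IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE')
        OR IS_GRANTABLE = 'YES');

-- 2. DDL privileges glpi_dba holds on glpi. Plugin installs and updates
--    need these, so check this list before switching config_db.php back
--    to the _dba credentials for such a maintenance step.
SELECT PRIVILEGE_TYPE
  FROM information_schema.SCHEMA_PRIVILEGES
 WHERE GRANTEE = '''glpi_dba''@''localhost'''
   AND TABLE_SCHEMA = 'glpi'
   AND PRIVILEGE_TYPE IN ('CREATE', 'ALTER', 'DROP', 'INDEX');

-- 3. Negative test. Run it in a separate session logged in as glpi_app,
--    never as root. The server should refuse the statement; if the table
--    is created, the account still carries DDL rights.
-- CREATE TABLE glpi.priv_check_tmp (id INT);
```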