Page MenuHomePhabricator
Create Task
Maniphest T193552

Make installer grant only needed rights to db user
Open, LowPublic
Actions

Description

Currently, if the installer creates a user, it does

GRANT ALL PRIVILEGES ON $dbAllTables TO $name;

Instead we should:

  • Create separate users for $wgDBAdminUser and $wgDBUser

For the normal user we should grant only

  • DELETE
  • SELECT
  • INSERT
  • UPDATE
  • REPLICATION CLIENT

For the DBAdminUser we should grant the normal one's plus:

  • ALTER
  • CREATE
  • DROP
  • INDEX
  • LOCK TABLES
  • REFERENCES (forward compatibility)
  • TRIGGER (forward compatibility)

[I'm not 100% sure this list is enough]

Note: Doing this may cause compat issues with some extensions (e.g. SMW, Cargo) maybe.

See also https://www.mediawiki.org/w/index.php?title=Topic:Uc949fv6nue6suiq&topic_showPostId=ucbqknoxgxzox8k1#flow-post-ucbqknoxgxzox8k1

Additionally, https://www.mediawiki.org/wiki/Manual:Installing_MediaWiki#MariaDB/MySQL would need to be updated.

Event Timeline

Bawolff created this task.May 1 2018, 7:33 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 1 2018, 7:33 PM
Bawolff updated the task description. (Show Details)May 1 2018, 7:37 PM
Kghbln subscribed.May 1 2018, 9:48 PM
Kghbln added a comment.May 2 2018, 8:32 AM

@Bawolff Thanks a lot for creating this task and providing details.

Semantic MediaWiki additionally needs CREATE TEMPORARY TABLES for the admin user. Moreover it [[ https://github.com/SemanticMediaWiki/SemanticMediaWiki/pull/2968 | will support $wgDBAdminUser ]] starting with version 3.0.0.

Vvjjkkii renamed this task from Make installer grant only needed rights to db user to vudaaaaaaa.Jul 1 2018, 1:13 AM
Vvjjkkii triaged this task as High priority.
Vvjjkkii added projects: CheckUser, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), Tamil-Sites, Gamepress, Hashtags, Jade, KartoEditor, Language-2018-Apr-June, New-Editor-Experiences, Mail, TCB-Team (now WMDE-TechWish).
Vvjjkkii updated the task description. (Show Details)
Vvjjkkii removed a subscriber: Aklapper.
CommunityTechBot renamed this task from vudaaaaaaa to Make installer grant only needed rights to db user.Jul 1 2018, 1:33 PM
CommunityTechBot updated the task description. (Show Details)
CommunityTechBot removed projects: TCB-Team (now WMDE-TechWish), Mail, New-Editor-Experiences, Language-2018-Apr-June, KartoEditor, Jade, Hashtags, Gamepress, Tamil-Sites, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), CheckUser.
CommunityTechBot added a subscriber: Aklapper.
CommunityTechBot raised the priority of this task from High to Needs Triage.Jul 3 2018, 1:55 AM
Bawolff triaged this task as Low priority.Jul 9 2018, 9:24 PM
mhoran subscribed.Apr 19 2019, 5:37 PM
Aklapper removed a project: Security-Core.Nov 27 2019, 12:42 PM
chasemp added a project: Security.Feb 10 2020, 11:00 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:08 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL