Currently, if the installer creates a user, it does:
GRANT ALL PRIVILEGES ON $dbAllTables TO $name;
Instead we should:
- Create separate users for $wgDBAdminUser and $wgDBUser
For the normal user we should grant only:
- DELETE
- SELECT
- INSERT
- UPDATE
- REPLICATION CLIENT
For the DBAdminUser we should grant the normal ones plus:
- ALTER
- CREATE
- DROP
- INDEX
- LOCK TABLES
- REFERENCES (forward compatibility)
- TRIGGER (forward compatibility)
[I'm not 100% sure this list is enough]
Note: Doing this may cause compat issues with some extensions (e.g. SMW, Cargo) maybe.
Additionally, https://www.mediawiki.org/wiki/Manual:Installing_MediaWiki#MariaDB/MySQL would need to be updated.
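
One way to express the proposed split in MariaDB/MySQL, as an added example that is not part of the original task or the installer's code. The database name `wikidb`, the account names, the host and the passwords are placeholders.

```sql
-- Added example. 'wikidb', 'wikiuser', 'wikiadmin', 'localhost' and the
-- passwords are placeholders, not values from the installer.

CREATE USER 'wikiuser'@'localhost'  IDENTIFIED BY 'replace-with-runtime-password';
CREATE USER 'wikiadmin'@'localhost' IDENTIFIED BY 'replace-with-admin-password';

-- Runtime account ($wgDBUser): row-level DML only, scoped to the wiki database.
GRANT SELECT, INSERT, UPDATE, DELETE
    ON `wikidb`.* TO 'wikiuser'@'localhost';

-- REPLICATION CLIENT is a global privilege. It can only be granted ON *.*;
-- putting it in a database-scoped GRANT (ON `wikidb`.*) fails with
-- ERROR 1221 "Incorrect usage of DB GRANT and GLOBAL PRIVILEGES",
-- so it needs its own statement.
GRANT REPLICATION CLIENT
    ON *.* TO 'wikiuser'@'localhost';

-- Maintenance account ($wgDBAdminUser): the runtime set plus schema changes.
-- LOCK TABLES is valid at database scope, so it can stay in this statement.
GRANT SELECT, INSERT, UPDATE, DELETE,
      ALTER, CREATE, DROP, INDEX, LOCK TABLES,
      REFERENCES, TRIGGER
    ON `wikidb`.* TO 'wikiadmin'@'localhost';

GRANT REPLICATION CLIENT
    ON *.* TO 'wikiadmin'@'localhost';

-- Check the result: the runtime account should show no schema-changing
-- privileges (ALTER, CREATE, DROP, INDEX) and no ALL PRIVILEGES.
SHOW GRANTS FOR 'wikiuser'@'localhost';
SHOW GRANTS FOR 'wikiadmin'@'localhost';
```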