Can I revoke some database privileges from MediaWiki after installation? - mysql

I've just installed MediaWiki on a web server. Obviously it needs lots of privileges during installation to set up its database correctly. Now that it's installed can I safely revoke some privileges (e.g. create table, drop table?) Or might it need to create more tables later (when they are first needed?) If not then I would prefer to grant it as few privileges as possible.

After the installation, MediaWiki doesn't need to create any more tables. I'd suggest giving the user insert, select, and lock permission.
grant select,lock tables,insert on media_wiki_db.* to 'wiki'#'localhost' identified by 'password';

Change the user that mediawiki connects as in LocalSettings.php and then using phpMyAdmin, you can edit the privileges of that user (that is, if you aren't comfortable granting and revoking privileges from the mysql console).
http://www.phpmyadmin.net/home_page/index.php

Related

MySQL Permission for performing backup

What are the minimum required permissions for a mysql user to perform a backup using mysqldump/xtrabackup? I do not want permissions to power like root, but just enough to perform a backup. This is becasue innobackupex requires you to add the password on command line, which is not too secure. So i would like to create another user with not so much privileges to be used.
On MySQL this would be these permissions as far as I know:
GRANT SELECT, LOCK TABLES, RELOAD, SHOW VIEW ON *.* TO 'user'#'localhost' IDENTIFIED BY 'password';
Note that it may vary if you use views, functions, procedures etc

Website connecting to database but not reading any data

I have four websites, each of which were being accessed with a singular username/password which had privileges on all of the databases.
However, for security reasons, I've finally set up a new user for each site, with each user only having access to the necessary database. Here is the code that I used to create the user and grant privileges for one particular database -
CREATE USER 'wedding1'#'localhost' IDENTIFIED BY 'somepass';
GRANT ALL PRIVILEGES ON wedding1.localhost TO 'wedding1'#'localhost';
However, when I log in to PHPMyAdmin using the credentials for the user I just created, the database is shown as expected but none of the tables are listed.
No entries are placed in my logs and I have tried to FLUSH PRIVILEGES;
Am I missing something from the above lines that could be causing this behaviour? Thanks.
You only granted privileges on a table called localhost within wedding1 DB. I am guessing this is not what you want. Change your grant statement as follows:
GRANT ALL PRIVILEGES ON wedding1.* TO 'wedding1'#'localhost';

How allow only one user to access a database?

I want to code an application which, when it runs for the first time on a user's machine, will create a new database, then create a new user and grant it access to the database.
I can manage that, but I want only that user and no other to be able to access the database.
So, just in case the existing installation has superuser where root has access to everything, I would like to revoke for all but the newly created user.
How do I do that?
I am guessing something like
REVOKE ALL PRIVILEGES, GRANT OPTION FROM mysql.user WHERE user<>[single user name] but can't seem to get it right.
I guess that I have to FLUSH PRIVILEGES afterwards?
You can ONLY give privileges to access database for your user - using GRANT command.
All other users, except root users, should not have such privileges.
Do you need to run FLUSH PRIVILEGES after GRANT/REVORE? No, you do not need. That is all)

MySQL database level credentials

Is it possible to have database level credentials for MySQL?
In our current system we have multiple databases in one database server, if we connect to the server using any tool we can see all databases in that server, to have more secure system.
Can we have credentials for each database.
You can't have credentials for databases. But you can have credentials for created users and grant/restrict access to any tables/databases according your policy.
create user
grant
priviledges
Yes, absolutely, you can set up access privileges on per-database basis. In fact, MySQL allows very fine-grained privileges down to table and even column level. E.g.:
-- Creates a user
GRANT USAGE ON *.* TO 'username'#'hostname' IDENTIFIED BY PASSWORD '*SOMEPASSWORD';
-- Gives the user access to a single database `database_name`
GRANT SELECT, INSERT, UPDATE, DELETE ON `database_name`.* TO 'username'#'hostname';
You probably want to read more about GRANT syntax and MySQL privileges.
Worth adding, that you are allowed to have usernames identical to database names.

What permission is required for a MySQL user to create a database?

Is it possible for a user other than root to create a database?
GRANT SELECT, CREATE ON *.* TO 'myguy'#'thatmachine' IDENTIFIED BY PASSWORD '*12057DFA2BFBD8760D4788735B1C3E26889D7ECE' |
GRANT ALL PRIVILEGES ON `db1`.* TO 'myguy'#'thatmachine'
GRANT ALL PRIVILEGES ON `db2`.* TO 'myguy'#'thatmachine'
I wonder what privilege is missing here? Also, why does the first line have a password attached to it?
UPDATE
Let me further clarify what the point of my question is. I have two database machines, source and target. There are many customer databases on the source machine. I need to move those source databases to the other target machine.
The databases are in the form of mysqldump'ed .sql files, which are sftp'd from source to target. Target user, not root, must then recreate the databases locally from each .sql file, perform some actions, then drop the database.
I can't find a way to give these privileges to the target user without giving him global privileges on *.*, which effectively makes that user as dangerous as root.
Absolutely you can.
http://dev.mysql.com/doc/refman/5.1/en/privileges-provided.html#priv_create
As Izkata and Evan Donovan have mentioned in the comments, the best way to achieve this is to give myguy all privileges on the database myguy_%.
You can do this with the following sql:
grant all privileges on 'myguy_%'.* to myguy#localhost identified by 'password';
This way you don't have to bother with other existing databases, and myguy is able to create new databases to his heart's content.
The password field is what that particular user's password is when logging into MySQL itself. I'm not exactly sure what you mean when you say you wonder what privileges are missing. What exactly are you trying to do?