What database privileges does a Wordpress Blog really need? - mysql

I am setting up a few Wordpress blog sites. I have created a user in mysql that wordpress will use to access its database. The docs say to give this user all privileges on the database.
Does it really need full privileges? I expect not, so does anyone know the min set of privileges that it really needs?

I'm no Wordpress expert, but I would recommend it does actually have all privileges apart from GRANT. It will need to be able to create tables and insert/update etc. Several plugins use their own tables, which they create on the fly if they do not exist.

I grant:
ALTER
CREATE
CREATE TEMPORARY TABLES
DELETE
DROP
INDEX
INSERT
LOCK TABLES
SELECT
UPDATE
Hope that helps anyone else that looks into this.

grant select, insert, delete, update, create, drop, alter on myblog

Related

Grant INSERT without having it

Grant INSERT without having it.
Suppose the following code snippet is executed every time a new manager is created (with different names for the database and user account each time, of course):
#Executed as root
CREATE DATABASE `Manager1Section`;
CREATE TABLE Manager1Data(`SomeData` INT);
CREATE USER 'Manager1'#'localhost' IDENTIFIED BY 'Something';
GRANT SELECT, INSERT, UPDATE, DELETE ON `Manager1Section`.`Manager1Data` TO 'Manager1'#'localhost';
GRANT CREATE, DROP ON `Manager1Section`.* TO 'Manager1'#'localhost';
GRANT CREATE USER ON *.* TO 'Manager1Section'#'localhost' WITH GRANT OPTION;
And the following code is executed every time a new intern is created (again, names substituted):
#Executed as manager
CREATE TABLE `Manager1Section`.`Intern1Data`(`Value` INT NOT NULL);
CREATE USER 'Intern1'#'localhost' IDENTIFIED BY 'Something';
GRANT SELECT, INSERT, UPDATE, DELETE ON `Manager1Section`.`Intern1Data` TO 'Intern1'#'localhost';
(Mind that this is just an example to show the hierarchical structure. I am not actually modeling a company's personnel structure.)
The manager manages a single database (Manager1Section in this example) and has a table to work with. The manager can only read and write to that table but not e.g. drop it. (Actually nevermind, I just realized that the manager can, in fact, drop the table. Not a big deal though.).
Each intern in this database also has a table to work with, and again, can only read and write to it but not drop it. Additionally, interns can only access their own tables, but not the manager's table and not other interns' tables.
And very importantly: The manager cannot read and write to interns' tables.
The above code would achieve this, but it is not valid. The last line in the second snippet fails. The manager does not have the SELECT, INSERT, UPDATE and DELETE privileges to interns' tables and therefore cannot grant those privileges to the interns. Changing the second-to-last line in the first snippet (GRANT CREATE, DROP ON `Manager1Section`.* TO 'Manager1'#'localhost';) to GRANT CREATE, DROP, SELECT, INSERT, UPDATE, DELETE ON `Manager1Section`.* TO 'Manager1'#'localhost'; makes that work but it also allows the manager to read and write to interns' tables, which I want to avoid.
How can I make the manager not able to read and write to interns' tables but still grant read and write privileges to interns?
Or alternatively: How can I avoid that problem altogether?
Only allowing users to grant privileges they already have is generally a good idea and my gut feeling tells me that my intended solution is not possible because the manager could circumvent the situation by creating a spoof intern account, executing GRANT SELECT, INSERT, UPDATE, DELETE ON `Manager1Section`.`Intern1Data` TO 'SpoofIntern'#'localhost'; (mind the mismatched user names) and then access the data through that account. But I could be missing something, so I am asking for ideas.

Grant users to create database with username

In phpmyadmin I want to grant users to create and delete databases but this access should be limited to a specific prefix.
My users have 3 different accounts on PhpMyAdmin: username_ro (for only reading), username_rw (for reading and writing) and username_admin (for creating other databases and tables into their account)
I want them to be able to create a database username_website but I don't want them to be able to create database theother_website. They should also be able to drop username_website but unable to drop theother_website
How can I do this with sql or PhpMyAdmin.
Thanks in advance.
With some trial and error I have found a solution. By doing this query I was able to create and drop database username_website but I wasn't able to create or drop database theother_clients
GRANT ALL PRIVILIGES
ON `username\_%`.*
TO 'username_admin'#'localhost';
PS. the query is a little edited. I changed the rights I actually gave with ALL PRIVILIGESand I changed the actual username with username.

Is there a database tool which shows a list of sql commands I have permission for?

I talked to the developer of HeidiSQL about it and he told me I can query it by "show grants" command of sql, but i don't understand the result set coming from it.
show grants // I execute query here
GRANT USAGE ON . TO 'fsdb1user1'#'%' IDENTIFIED BY PASSWORD
'something'
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP,
REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON
fsdb1.* TO 'fsdb1user1'#'%'
mysql documentation says
SHOW GRANTS displays only the privileges granted explicitly to the
named account. Other privileges might be available to the account, but
they are not displayed. For example, if an anonymous account exists,
the named account might be able to use its privileges, but SHOW GRANTS
will not display them.
I think there might be some software somewhere trying some queries and checks grants that way.
It appears that this user is allowed to do a lot. Here is actually a good reference on all of these http://dev.mysql.com/doc/refman/5.1/en/grant.html#grant-privileges.
The user in question can run SELECT, UPDATE, and DELETE queries. They can CREATE tables and databases. They can DROP tables, databases, and views. They can create and alter INDEXes. They can ALTER table structures. They can use CREATE TEMPORARY TABLE. And finally, they can LOCK TABLES that they have SELECT privileges on. In this case, the user can do this on any table in this database (fsdb1) and from any host.

mysql permissions needed to do a ALTER TABLE in database

grant LOCK TABLES, SELECT,ALTER,INSERT,CREATE ON `databasetoupgrade%`.* to 'someuser'#'localhost';
those are the privileges I gave a users that needs to be able to ALTER a table (add columns, ...)
the mysql documentation states that alter, insert, create is needed, but even with lock tables and select permissions, I still get the error that the user does not have enough permissions to do ALTER.
When I give the user all privileges on those tables/databases is works.
Does anyone know what the EXACT privileges are that I need to do ALTER? Of which one did I forget in the list above?
This post can be closed, this fixed it:
grant ALTER, LOCK TABLES, SELECT, INSERT, CREATE
I might have screwed up somewhere in my previous commands...
These grants now work fine (for backups) + ALTER command:
grant ALTER, LOCK TABLES, SELECT, INSERT, CREATE

How do I remove a MySQL database?

You may notice from my last question that a problem caused some more problems, Reading MySQL manuals in MySQL monitor?
My database is now unusable partly due to my interest to break things and my inability to look at error messages. I know that I should not reuse primary keys, but I would like to use them again after the removal of the database that I deteriorated. So
How can I correctly remove a MySQL database?
From the MySQL prompt:
mysql> drop database <db_name>;
If your database cannot be dropped, even though you have no typos in the statement and do not miss the ; at the end, enclose the database name in between backticks:
mysql> drop database `my-database`;
Backticks are for databases or columns, apostrophes are for data within these.
For more information, see this answer to Stack Overflow question When to use single quotes, double quotes, and backticks?.
If you are using an SQL script when you are creating your database and have any users created by your script, you need to drop them too. Lastly you need to flush the users; i.e., force MySQL to read the user's privileges again.
-- DELETE ALL RECIPE
drop schema <database_name>;
-- Same as `drop database <database_name>`
drop user <a_user_name>;
-- You may need to add a hostname e.g `drop user bob#localhost`
FLUSH PRIVILEGES;
Good luck!
drop database <db_name>;
FLUSH PRIVILEGES;
I needed to correct the privileges.REVOKE ALL PRIVILEGES ONlogs.* FROM 'root'#'root'; GRANT ALL PRIVILEGES ONlogs.* TO 'root'#'root'WITH GRANT OPTION;
For Visual Studio, in the package manager console:
drop-database
If you are working in XAMPP and your query of drop database doesn't work then you can go to the operations tag where you find the column (drop the database(drop)), click that button and your database will be deleted.