Channel: phpBB.com

phpBB Discussion • Re: Least privilege for phpbb DB user


Code:

-- Basic permissions for phpbb user
GRANT SELECT, INSERT, DELETE, UPDATE
These are (of course) essential to this software.

Code:

CREATE TEMPORARY TABLES, EXECUTE
GRANT CREATE VIEW
Not used at all - since phpBB wants to support multiple DBMSs (and not just MySQL/MariaDB) it neither uses stored procedures, nor views, nor indirect tables.

Code:

ALTER
Creating/deleting custom profile fields adds/drops table columns.

Other than that, migrating from different software to phpBB creates a new table, too, but this only happens once when installing.

Code:

SHOW VIEW
No view usage at all.

Code:

CREATE
Installing CAPTCHA plugins and activating Sphinx as search engine creates whole new tables.

Code:

TRIGGER, REFERENCES
Not used: triggers are most likely not supported by all DBMSs and (declarational) foreign key references don't exist, since phpBB wouldn't want any cascading actions/restrictions either.

Code:

UPDATE
You got that already in your first GRANT.

Code:

INDEX
This is used for MySQL and PostgreSQL when activating the superior DBMS-specific board search indices.

Code:

GRANT DROP
At no time is any table deleted (and views aren't used to begin with). However: TRUNCATE TABLE is used for creating the search indices.

Code:

REVOKE CREATE USER, EVENT, SUPER, RELOAD, FILE, SHOW DATABASES, SHUTDOWN, REPLICATION CLIENT, GRANT OPTION, PROCESS, REPLICATION SLAVE
Yes: none of this is needed.

Code:

EXECUTE
You already granted that and now you revoke it? Check better for duplicates in your commands.

Code:

LOCK TABLES
Not needed either.

You haven't handled all permissions available. Rule of thumb is: installing phpBB needs more permissions than simply using it. Activating CAPTCHAs or search indices are things being done once, so fiddling with table columns/indices should rather be revoked than allowed.

I believe most users grant the DB user all privileges. I would make sure you are securing that account with a very strong password.
The downside of this is: whoever managed to get his code run by phpBB (either with an extension, or by finding a security flaw...) can then really make use of all those permissions, like getting content from other databases, creating triggers and procedures which then collect/manipulate data with each operation on their own, adding users... Hardening every side is better than only relying on a SPOF.

Statistics: Posted by AmigoJack — Mon Sep 23, 2024 8:43 am
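
The privilege split described in the post above, written out for MySQL/MariaDB as an added example (not part of the post and not phpBB's own setup script). The database name `phpbb`, the account 'phpbb_app'@'localhost' and the password placeholder are assumptions; run the statements as an administrative account, not as the phpBB account itself.

```sql
-- Assumed names: database `phpbb`, account 'phpbb_app'@'localhost'.
CREATE USER IF NOT EXISTS 'phpbb_app'@'localhost'
    IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';

-- Day-to-day operation: the only privileges the post calls essential.
-- Scoped to the phpBB schema, never *.*, so other databases stay out of reach.
GRANT SELECT, INSERT, UPDATE, DELETE
    ON `phpbb`.* TO 'phpbb_app'@'localhost';

-- Maintenance window only (per the post: custom profile fields need ALTER,
-- CAPTCHA plugins / Sphinx need CREATE, native search indices need INDEX).
-- MySQL and MariaDB require the DROP privilege for TRUNCATE TABLE, which the
-- post says is used when the search indices are created.
GRANT CREATE, ALTER, INDEX, DROP
    ON `phpbb`.* TO 'phpbb_app'@'localhost';

-- ... perform the one-time admin task in the phpBB control panel ...

-- Close the window again so schema changes are no longer possible.
REVOKE CREATE, ALTER, INDEX, DROP
    ON `phpbb`.* FROM 'phpbb_app'@'localhost';

-- Verify: the output should show USAGE ON *.* plus the four DML privileges
-- on `phpbb`.* and nothing else (no TRIGGER, EXECUTE, CREATE VIEW, FILE,
-- SUPER, GRANT OPTION, ...).
SHOW GRANTS FOR 'phpbb_app'@'localhost';
```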


