Changes between Version 72 and Version 73 of ServerIntro


Ignore:
Timestamp:
Feb 21, 2013, 2:08:53 AM (9 years ago)
Author:
Christian Beer
Comment:

change mysql permission scheme

Legend:

Unmodified
Added
Removed
Modified
  • ServerIntro

    v72 v73  
    143143=== MySQL notes === #MySQL-notes
    144144 * After installing and running the server,
    145    grant permissions for your own account and for the account under
    146    which Apache runs ('nobody' in the following;
    147    may be different on your machine).
     145   grant permissions for the 'db_user' account (usually boincadm).
     146   The 'db_name' is usually the short name of the project.
     147   The credentials (db_user, db_name, db_passwd) are stored in the project's [ProjectOptions#db config.xml].
    148148   All MySQL accounts should be password protected, especially `root`.
    149149{{{
    150150mysql -u root
    151 grant all on *.* to yourname@localhost identified by 'password';
    152 grant all on *.* to yourname identified by 'password';
    153 grant all on *.* to nobody@localhost identified by 'password';
    154 grant all on *.* to nobody identified by 'password';
    155 }}}
    156 
    157 {{{
    158 #!comment
    159 This is a more secure approach but will not work for new projects because make_project tries to create and drop the database on its own. Existing projects should change the permissions accordingly.
    160 
     151CREATE USER 'db_user'@'localhost' IDENTIFIED BY 'db_passwd';
     152GRANT CREATE,DROP ON *.* TO 'db_user'@'localhost'
     153GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,REFERENCES,INDEX,ALTER,CREATE TEMPORARY TABLES, LOCK TABLES ON  `db_name`.* TO 'db_user'@'localhost';
     154}}}
     155Existing projects should change the permissions accordingly by first revoking
     156all rights and grant with the above example. The user 'nobody' means the
     157account under which Apache runs (may be different on your machine) which does
     158not need access anymore.
     159{{{
    161160mysql -u root
    162 CREATE DATABASE `db_name`;
    163 CREATE USER 'db_user'@'localhost' IDENTIFIED BY  'db_password';
    164 GRANT USAGE ON *.* TO 'db_user'@'localhost'
    165 GRANT ALL PRIVILEGES ON  `db_name`.* TO 'db_user'@'localhost';
    166 
    167 mysql -u root
    168 REVOKE ALL PRIVILEGES ON  *.* FROM  'db_name'@'localhost';
     161REVOKE ALL PRIVILEGES ON  *.* FROM  'db_user'@'localhost';
     162REVOKE ALL PRIVILEGES ON  *.* FROM  'db_user';
    169163REVOKE ALL PRIVILEGES ON  *.* FROM  'nobody'@'localhost';
     164REVOKE ALL PRIVILEGES ON  *.* FROM  'nobody';
     165}}}
     166After creating a project you should also revoke the global DROP and CREATE
     167permission for your 'db_user' like this:
     168{{{
     169REVOKE ALL PRIVILEGES ON *.* FROM 'db_user'@'localhost';
     170REVOKE GRANT OPTION ON * . * FROM 'db_user'@'localhost';
     171GRANT USAGE ON *.* TO 'db_user'@'localhost';
    170172}}}
    171173 * Set your `PATH` environment variable to include MySQL programs