<h1>Minimal SQL privileges</h1>
<p>Louis-Philippe Véronneau, 2018-03-17, <a href="https://veronneau.org/">veronneau.org</a></p>
<p>Lately, I have been working pretty hard on a paper I have to hand out at the end
of my university semester for the machine learning class I'm taking. I will
probably do a long blog post about this paper in May if it turns out to be good,
but for the time being I have some time to kill while my latest boosting model
runs.</p>
<p>So let's talk about something I've started doing lately: creating issues on FOSS
webapp project trackers when their documentation tells people to grant all
privileges to the database user.</p>
<p>You know, something like:</p>
<div class="highlight"><pre><code>GRANT ALL PRIVILEGES ON database.* TO 'username'@'localhost' IDENTIFIED BY 'password';
</code></pre></div>
<p>I'd like to say I've never done this and always took time to specify a
restricted subset of privileges on my servers, but I'd be lying. To be honest, I
woke up last Christmas when someone told me it was an insecure practice.</p>
<p>When you take a few seconds to think about it, there are quite a few
database-level <a href="https://mariadb.com/kb/en/library/grant/#database-privileges">SQL privileges</a>, and I don't see why I should grant them all to a
webapp if it only needs a few of them. If the webapp is ever compromised, whoever
is driving it inherits exactly the privileges of that database user, so every
grant the application does not need only widens the damage an attacker can do.</p>
<p>So I started asking projects to do something about this and update their
documentation with a minimal set of SQL privileges needed to run correctly. The
Drupal project <a href="https://api.drupal.org/api/drupal/INSTALL.mysql.txt/7.x">does this quite well</a> and tells you to:</p>
<div class="highlight"><pre><code>GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES ON databasename.* TO 'username'@'localhost' IDENTIFIED BY 'password';
</code></pre></div>
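<p>To make the difference between "grant all" and a documented minimal set concrete, here is a small audit script I am adding to this post (it is not the author's code, nor Drupal's). It parses the output of <code>SHOW GRANTS FOR 'user'@'host'</code>, expands <code>ALL PRIVILEGES</code> into the database-level privileges listed in the MariaDB documentation linked above, and reports which privileges a user holds beyond the set the webapp actually needs, using Drupal's list as the reference. The <code>'webapp'@'localhost'</code> user and the two <code>SHOW GRANTS</code> outputs are constructed for the example; the password hash is a placeholder.</p>

```python
"""Audit a MySQL/MariaDB user's grants against a documented minimal privilege set.

Added example, not part of the original post. It parses SHOW GRANTS output,
expands ALL PRIVILEGES, and reports what the user holds beyond (or short of)
the privileges the webapp actually needs.
"""
import re
from dataclasses import dataclass

# Database-level privileges as listed in the MariaDB GRANT documentation linked
# in the post (MySQL's list differs slightly, e.g. it has no DELETE HISTORY).
DATABASE_LEVEL_PRIVILEGES = frozenset({
    "ALTER", "CREATE", "CREATE ROUTINE", "CREATE TEMPORARY TABLES", "CREATE VIEW",
    "DELETE", "DELETE HISTORY", "DROP", "EVENT", "INDEX", "INSERT", "LOCK TABLES",
    "REFERENCES", "SELECT", "SHOW VIEW", "TRIGGER", "UPDATE",
})

# The minimal set Drupal documents for its database user.
DRUPAL_MINIMAL = frozenset({
    "SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "DROP", "INDEX", "ALTER",
    "CREATE TEMPORARY TABLES",
})

# One line of SHOW GRANTS output: GRANT <privs> ON <object> TO <user> [rest]
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+(?P<user>\S+)(?P<rest>.*)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Grant:
    privileges: frozenset   # empty for USAGE, {"ALL PRIVILEGES"} for ALL
    scope: str              # "*.*" or "dbname.*"
    user: str
    grant_option: bool


def parse_show_grants(lines):
    """Parse SHOW GRANTS lines (MySQL 5.x/8 and MariaDB quoting styles)."""
    grants = []
    for line in lines:
        line = line.strip().rstrip(";")
        if not line:
            continue
        m = GRANT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised grant line: {line!r}")
        raw = m.group("privs").upper()
        if raw in ("ALL", "ALL PRIVILEGES"):
            privs = frozenset({"ALL PRIVILEGES"})
        elif raw == "USAGE":   # USAGE grants nothing; it only makes the account exist
            privs = frozenset()
        else:
            privs = frozenset(p.strip() for p in raw.split(","))
        grants.append(Grant(
            privileges=privs,
            scope=m.group("obj").replace("`", ""),
            user=m.group("user"),
            grant_option="WITH GRANT OPTION" in m.group("rest").upper(),
        ))
    return grants


@dataclass(frozen=True)
class AuditResult:
    excess: frozenset     # granted but not required
    missing: frozenset    # required but not granted
    findings: tuple       # human-readable red flags


def audit(grants, db, required):
    """Compare the privileges effective on db.* with the required set."""
    effective = set()
    findings = []
    for g in grants:
        if g.scope not in ("*.*", f"{db}.*"):
            continue   # grants on other databases are out of scope here
        if g.scope == "*.*" and g.privileges:
            findings.append(f"global privileges on *.*: {', '.join(sorted(g.privileges))}")
        if "ALL PRIVILEGES" in g.privileges:
            findings.append(f"ALL PRIVILEGES on {g.scope}")
            effective |= DATABASE_LEVEL_PRIVILEGES   # ALL expands to every database-level privilege
        else:
            effective |= g.privileges
        if g.grant_option:
            findings.append(f"WITH GRANT OPTION on {g.scope}")
    return AuditResult(frozenset(effective - required),
                       frozenset(required - effective), tuple(findings))


def minimal_grant_statements(db, user, required):
    """SQL to replace whatever the user has with exactly the required set."""
    return [
        f"REVOKE ALL PRIVILEGES, GRANT OPTION FROM {user};",
        f"GRANT {', '.join(sorted(required))} ON {db}.* TO {user};",
    ]


# Constructed SHOW GRANTS output for a hypothetical 'webapp' user created by
# following a "grant all privileges" install guide (hash is a placeholder).
OVERPRIVILEGED = [
    "GRANT USAGE ON *.* TO 'webapp'@'localhost' IDENTIFIED BY PASSWORD '<hash omitted>'",
    "GRANT ALL PRIVILEGES ON `webapp`.* TO 'webapp'@'localhost'",
]
# The same user after being given only Drupal's minimal set (also constructed).
MINIMAL = [
    "GRANT USAGE ON *.* TO 'webapp'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, "
    "CREATE TEMPORARY TABLES ON `webapp`.* TO 'webapp'@'localhost'",
]

if __name__ == "__main__":
    for label, lines in (("over-privileged", OVERPRIVILEGED), ("minimal", MINIMAL)):
        result = audit(parse_show_grants(lines), "webapp", DRUPAL_MINIMAL)
        print(f"{label}: excess={sorted(result.excess)} missing={sorted(result.missing)}")
        for flag in result.findings:
            print("  flag:", flag)
    print("\n".join(minimal_grant_statements("webapp", "'webapp'@'localhost'", DRUPAL_MINIMAL)))
```

<p>Run against the "grant all" user, the audit lists eight database-level privileges (<code>CREATE ROUTINE</code>, <code>EVENT</code>, <code>TRIGGER</code> and so on) that Drupal never asked for, and prints the <code>REVOKE</code>/<code>GRANT</code> pair that brings the account down to the documented set; against the minimal user it reports nothing. The required set is a parameter, so the same check works with whatever list a project publishes after you open the issue.</p>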
<p>When I first reached out to the upstream devs of these projects, I was sure I'd
be seen as some zealous nuisance. To my surprise, everyone thought it was a good
idea and fixed it.</p>
<p>Shout out to <a href="https://github.com/nextcloud/documentation/issues/648">Nextcloud</a>, <a href="https://github.com/mattermost/mattermost-server/issues/8432">Mattermost</a> and <a href="https://github.com/kanboard/kanboard/issues/3699">KanBoard</a> for taking this
seriously!</p>
<p>If you are using a webapp and the documentation states you should grant all
privileges to the database user, here is a template you can use to create an
issue and ask them to change it:</p>
<pre>
Hi!

The installation documentation says that you should grant all SQL privileges to
the database user:

    GRANT ALL PRIVILEGES ON database.* TO 'username'@'localhost' IDENTIFIED BY 'password';

I was wondering what the true minimal SQL privileges are that WEBAPP needs to
run properly.

I don't normally like to grant all privileges for security reasons and would
really appreciate it if you could publish a minimal SQL database privileges
list.

I guess I'm expecting something like [Drupal][drupal] does:

    GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES ON databasename.* TO 'username'@'localhost' IDENTIFIED BY 'password';

At the database level, [MySQL/MariaDB][mariadb] supports:

* `ALTER`
* `CREATE`
* `CREATE ROUTINE`
* `CREATE TEMPORARY TABLES`
* `CREATE VIEW`
* `DELETE`
* `DELETE HISTORY`
* `DROP`
* `EVENT`
* `INDEX`
* `INSERT`
* `LOCK TABLES`
* `REFERENCES`
* `SELECT`
* `SHOW VIEW`
* `TRIGGER`
* `UPDATE`

Does WEBAPP really need database-level privileges like EVENT or CREATE ROUTINE?
If not, why should I grant them?

Thanks for your work on WEBAPP!

[drupal]: https://api.drupal.org/api/drupal/INSTALL.mysql.txt/7.x
[mariadb]: https://mariadb.com/kb/en/library/grant/#database-privileges
</pre>