|
|
(13 intermediate revisions by 4 users not shown) |
Line 1: |
Line 1: |
| <div class="title">How to reduce Open-Xchange database user privileges for existing installations</div>
| | {{Migration|title=DB-User Privileges|link=https://documentation.open-xchange.com/7.10.2/middleware/administration/db_user_privileges.html}} |
| | |
| '''Summary''': This article tells you how to reduce the database user privileges in existing Open-Xchange installations to those at least required ones. Changing the existing <code>ALL PRIVILEDGES</code> to the provided minimum set will have no implications for running the server.
| |
| | |
| The minimum required set of privileges is: CREATE, LOCK TABLES, REFERENCES, INDEX, DROP, DELETE, ALTER, SELECT, UPDATE, INSERT, CREATE TEMPORARY TABLES, SHOW VIEW, ALTER ROUTINE, CREATE ROUTINE and SHOW DATABASES.
| |
| | |
| __TOC__
| |
| | |
| == Change of existing privileges == | |
| 1. Login to master mysql database using root user.
| |
| | |
| 2. Detect the existing Open-Xchange users: <code><pre>SELECT USER,HOST FROM mysql.user;</pre></code>
| |
| | |
| The output will look like:
| |
| | |
| <code><pre>
| |
| +------------------+-----------+
| |
| | user | host |
| |
| +------------------+-----------+
| |
| | openexchange | % |
| |
| | root | 127.0.0.1 |
| |
| </pre></code>
| |
| | |
| 3. Detect all existing privileges for the Open-Xchange user above: <code><pre>SHOW GRANTS FOR '<openexchange_user_from_table_above>'@'<openexchange_host_from_table_above>';</pre></code>
| |
| | |
| The output will look like:
| |
| | |
| <code><pre>
| |
| +---------------------------------------------------------------------------------------------------+
| |
| | Grants for openexchange@% |
| |
| +---------------------------------------------------------------------------------------------------+
| |
| | GRANT ALL PRIVILEGES ON *.* TO 'openexchange'@'%' IDENTIFIED BY PASSWORD
| |
| '*ef14c45205444fdd47b6c1d88b74e1345fd0c394' |
| |
| +---------------------------------------------------------------------------------------------------+
| |
| 1 row in set (0,00 sec)
| |
| </pre></code>
| |
| | |
| 4. Revoke all existing privileges for the Open-Xchange user above. Be careful to use the database@host pattern provided by the output from #3 (in this case *.*): <code><pre>REVOKE ALL PRIVILEGES ON *.* FROM '<openexchange_user_from_table_above>'@'<openexchange_host_from_table_above>';</pre></code>
| |
| | |
| Hint: This must be executed for each database@hostname combination displayed in #3. Without revoking privileges you will have duplicates.
| |
| | |
| 5. Create new privileges: <code><pre>GRANT CREATE, LOCK TABLES, REFERENCES, INDEX, DROP, DELETE, ALTER, SELECT, UPDATE, INSERT, CREATE TEMPORARY TABLES, SHOW VIEW, ALTER ROUTINE, CREATE ROUTINE, SHOW DATABASES ON *.* TO '<YOUR_CONFIG_DB_USER>'@'%' IDENTIFIED BY '<YOUR_CONFIG_DB_PASS>' WITH GRANT OPTION;</pre></code>
| |
| | |
| 6. Write new privileges: <code><pre>FLUSH PRIVILEGES;</pre></code>
| |
| | |
| [[Category: OX7]]
| |
| [[Category: AppSuite]]
| |
| [[Category: Administrator]]
| |
| [[Category: Database]]
| |
| [[Category: Security]]
| |