I’m in the process of migrating my install to a new server. Looking at the privileges granted by the setup scripts on the original install, I see this:
GRANT USAGE ON *.* TO 'user'@'%' IDENTIFIED BY PASSWORD 'password hash'
GRANT ALL PRIVILEGES ON `invoices`.* TO 'user'@'%'
Which leads me to a few questions.
- Why is global access allowed by default?
I can see in some larger distributed installs where this would be beneficial, but in my opinion, on a standard install this is a security hole.
- Why does this user have access to all databases?
GRANT USAGE ON *.*
I answered this one myself with a quick search, and kept it in case anyone else was curious.
This one appears to actually make it more secure, by protecting your other databases from this user.
Taken from the MySQL 5.7 Reference Manual:
The USAGE privilege specifier stands for “no privileges.” It is used at the global level with GRANT to modify account attributes such as resource limits or SSL characteristics without affecting existing account privileges.
- Does this user really need such liberal privileges?
GRANT ALL PRIVILEGES
I don’t actually know what permissions the user needs to accomplish everything, but from everything I know about privileges and security, "The least permissive way to get the job done is the safest."
So a list of what privileges actually get used would be beneficial.
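As an added example (not code from the original post or from the software's setup scripts), this is the least-privilege shape of those two grants in MySQL 5.7 syntax. The host 10.0.0.5 and the SELECT/INSERT/UPDATE/DELETE list are assumptions, since the post does not yet know which privileges the application actually needs.

```sql
-- Added example, not from the original post or the setup scripts.
-- Assumptions (not in the post): the application connects only from
-- 10.0.0.5 and needs only SELECT, INSERT, UPDATE and DELETE on `invoices`.
-- Adjust both to what the application actually requires.

-- 1. Inspect what the setup scripts granted (this is what the post shows:
--    USAGE = no global privileges, ALL PRIVILEGES on one schema, any host).
SHOW GRANTS FOR 'user'@'%';

-- 2. Bind the account to the application host instead of the '%' wildcard.
--    RENAME USER keeps the existing password and privileges while changing
--    the host part, so the grants above now apply to 'user'@'10.0.0.5'.
RENAME USER 'user'@'%' TO 'user'@'10.0.0.5';

-- 3. Drop the blanket schema-level grant and give only the statement types
--    the application uses. The global USAGE row is left as-is: it grants
--    nothing and only carries account attributes (limits, SSL options).
REVOKE ALL PRIVILEGES ON `invoices`.* FROM 'user'@'10.0.0.5';
GRANT SELECT, INSERT, UPDATE, DELETE ON `invoices`.* TO 'user'@'10.0.0.5';

-- 4. Verify: the account should reach the `invoices` schema only, with the
--    four listed privileges, and only from 10.0.0.5.
SHOW GRANTS FOR 'user'@'10.0.0.5';
```

If the application also runs its own schema migrations it will additionally need privileges such as CREATE, ALTER, DROP and INDEX on `invoices`.*; start narrow and widen only when the server logs a "command denied to user" error for a statement the application legitimately issues.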
PS. I really like this software and I would love to get involved in contributing. I have looked at ways to do so and intend to start once I get my install running again. So thanks to everyone currently and previously involved.