[BlueOnyx:16494] Re: 5208R - Adding mysql Database to a site

Chris Gebhardt - VIRTBIZ Internet cobaltfacts at virtbiz.com
Wed Nov 19 14:52:15 -05 2014


On 11/19/2014 1:36 PM, Michael Stauber wrote:
> As is you have the option to simply go to "Server Management" / "Network
> Services" / "MySQL-Settings" and tick all checkboxes. If you do, the
> MySQL users will be created with all privileges. Which might give the
> user full rein to screw things up.

Yup.  Good call on that.

> Or do you think it's really necessary that I modify the defaults of that
> module so that all privileges are already ticked by default?
>
> I certainly can do that. But it might not be the best of ideas to let
> everyone start with such a wide range of default capabilities.
>
> After all: Allowing anyone to run stored procedures and/or creating
> temporary tables can be abused pretty heavily to do stuff that you might
> not appreciate for the sake of the health of the server.
>
> I'm open to suggestions on this, as I'm not sure which direction we
> should take this.

I can't speak for anybody else, but I will say that from now on we will 
be changing the My-SQL Settings up front when provisioning a new 
production hosting server.

Yes, it gives the user the ability to completely muck up their database.
Yes, it opens up the possibility that there may be some unintended
consequences with regard to abuse.

That said, the user screwing up their database is the user's problem. 
We take no responsibility for user incompetence.

And the security issue is, of course, always a compromise.   Every 
hosting provider has to make the best call for their specific business 
case.   In this particular instance, full permissions is something that 
our users appear to be accustomed to, even if they don't know it.   In 
order to cut down on the support tickets and customer frustration, we'll 
be granting them full permission to screw themselves up.  :)

This has become more and more of an issue as we are seeing customers 
using 3rd party developers.  When the 3rd party gets hold of the server 
instructions and accesses the control panel, they are already jarred 
because they don't see "Brand X" control panel.  Then they recommend 
their customer change hosts because of that.  So frustrating!  I had to 
have an extended email thread with this most recent customer to explain 
that our servers are not deficient, as their developer had suggested. 
Just different.  They'll do anything the Brand X servers will do.   But 
that was far more energy than I want to be spending on an account that, 
in the end, is worth about $6 per month.

And there's the bottom line:  we all have to make the choice between 
keeping a secure environment, and securing customers.

-- 
Chris Gebhardt
VIRTBIZ Internet Services
Access, Web Hosting, Colocation, Dedicated
www.virtbiz.com | toll-free (866) 4 VIRTBIZ


