<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">2015-11-18 14:18 GMT+01:00 Gilles Caulier <span dir="ltr"><<a href="mailto:caulier.gilles@gmail.com" target="_blank">caulier.gilles@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span class="">2015-11-18 13:34 GMT+01:00 Richard Mortimer <span dir="ltr"><<a href="mailto:richm+digikam@oldelvet.org.uk" target="_blank">richm+digikam@oldelvet.org.uk</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span>On 18/11/2015 12:02, Henrique Santos Fernandes wrote:<br>
> MariaDB [(none)]> show grants for 'digikam'@'localhost';<br>
> +----------------------------------------------------------------------------------------------------------------+<br>
><br>
> | Grants for digikam@localhost<br>
> |<br>
><br>
> +----------------------------------------------------------------------------------------------------------------+<br>
><br>
> | GRANT SUPER ON *.* TO 'digikam'@'localhost' IDENTIFIED BY PASSWORD<br>
> '*B86D61DED45FEAAB193591C66C302416B0E64CA6' |<br>
> | GRANT ALL PRIVILEGES ON `digikamcoredb`.* TO 'digikam'@'localhost'<br>
> |<br>
> | GRANT ALL PRIVILEGES ON `digikamthumbsdb`.* TO<br>
> 'digikam'@'localhost' |<br>
> | GRANT ALL PRIVILEGES ON `digikamfacedb`.* TO 'digikam'@'localhost'<br>
> |<br>
> +----------------------------------------------------------------------------------------------------------------+<br>
><br>
> 4 rows in set (0.00 sec)<br>
><br>
> Gilles<br>
><br>
><br>
> I am no expert but it seens that user 'digikam'@'localhost' dont need a<br>
> password to the databases digikamcoredb, digikamthumbsdb and digikamfacedb<br>
> It only need password when using things when need super privileges right?<br>
</span>No. The password is a global connection setting for that user/host<br>
combination and applies to all databases.<br>
<br>
I really am surprised that digikam needs SUPER privileges. Usual setup<br>
would be to set the password using USAGE privilege.<br></blockquote><div><br></div></span><div>Me too...</div><span class=""><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
GRANT USAGE ON *.* TO 'digikam'@'localhost' IDENTIFIED BY PASSWORD<br>
'*B86D61DED45FEAAB193591C66C302416B0E64CA6';<br></blockquote><div><br></div></span><div>Interresting to investiguate. But see below...</div><span class=""><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
If SUPER really is required I suspect it is because of the stored<br>
procedure that is used to emulate "IF EXISTS" when adding the indexes.<br>
Even then I would suspect that we could come up with a reduced set of<br>
privileges to access the "mysql" meta database.<br></blockquote><div><br></div></span><div>yes it is. My investigations revelate that we need to create table on server through this commands :</div><div><br></div><div><span style="font-family:monospace"><span style="color:rgb(0,0,0)">CREATE DATABASE digikamcoredb; </span></span><span style="color:rgb(0,0,0);font-family:monospace">GRANT ALL PRIVILEGES ON digikamcoredb.* TO 'digikam'@'localhost' IDENTIFIED BY 'digikam'; </span><span style="color:rgb(0,0,0);font-family:monospace">FLUSH PRIVILEGES; </span></div><div><span style="font-family:monospace">CREATE DATABASE digikamthumbsdb; GRANT ALL PRIVILEGES ON digikamthumbsdb.* TO 'digikam'@'localhost' IDENTIFIED BY 'digikam'; </span><span style="font-family:monospace">FLUSH PRIVILEGES; </span></div><div><span style="font-family:monospace">CREATE DATABASE digikamfacedb; </span><span style="font-family:monospace">GRANT ALL PRIVILEGES ON digikamfacedb.* TO 'digikam'@'localhost' IDENTIFIED BY 'digikam'; </span><span style="font-family:monospace">FLUSH PRIVILEGES; </span></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace">... and to be able to run index creation procedures, we need :</span></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace">GRANT SUPER ON *.* TO 'digikam'@'localhost';FLUSH PRIVILEGES;</span></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace">... because in SQL procedure code we have :</span></div><div><span style="font-family:monospace"><br></span></div>SQL SECURITY INVOKER</div><div class="gmail_quote"><br></div><div class="gmail_quote">If i drop it, "<span style="font-family:monospace">GRANT SUPER ON *.* TO 'digikam'@'localhost';FLUSH PRIVILEGES;" command at init table is not necessary anymore...</span></div><div class="gmail_quote"><font face="monospace"><br></font></div><div class="gmail_quote"><font face="monospace">This is a first step in the right direction, i hope.</font></div><span class=""><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br></blockquote></div></span></div></div></blockquote><div><br></div><div>As it work fine without "SQL SECURITY INVOKER" in index procedure creation, it safe to remove it ?</div><div><br></div><div>After all it's about security stuff. This point is important...</div><div><br></div><div>Gilles Caulier</div><div><br></div><div><br></div></div></div></div>