
Support multiple predefined MySQL user ids to increase security


KT Walrus


I'd like to see IPB support multiple MySQL user ids with different MySQL permissions and to perform db operations using the appropriate one (that is, the current user has to pass the built-in IPB permission checks before IPB would connect to the DB with a user id that could perform a query that requires a higher level of permission).

As done now, the MySQL user id provided by the person doing the install should be powerful enough to do what is needed to install IPB. But, the installer should also provide new names/passwords for the new user ids. The install process should check whether these user ids already exist and create them if needed (and issue the appropriate GRANTs for accessing the DB).

At a minimum, there should be the powerful admin MySQL user id and a minimally privileged normal operation MySQL user id. This minimal MySQL user id would be the one that IPB usually uses to connect to the database. But, if the current user is an admin or moderator and the user attempts to do some operation that requires higher permissions, IPB would reconnect to the database with a higher permission user id to perform those queries.

In addition, you might need to implement support for a user id that executes moderator functions so you don't ever need to connect to the DB using the powerful admin user id for non-superadmin users.

Since most pages that IPB loads are normal unprivileged operations, I don't think it would hurt performance much if IPB performs a second connection (or reconnects using the normal connection) to execute privileged queries.

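A sketch of the connection selection proposed in the post above, as an added example that is not part of the original post and is not IPB code: the database account is chosen only after the application's own permission check, and a request for a higher-privileged account than the member is entitled to is refused before any connection is made. The class name, tier names, account names, environment variables and DSN are all hypothetical, and it assumes one MySQL account per tier already exists with matching GRANTs.

```php
<?php
declare(strict_types=1);

// Added example. Tier names, account names, env vars and the DSN are hypothetical, not IPB's.
// Assumes the installer already created one MySQL account per tier with tier-appropriate GRANTs.
final class TieredDb
{
    // Ordered from least to most privileged.
    private const TIERS = ['normal' => 0, 'moderator' => 1, 'admin' => 2];
    private array $open = []; // PDO connections opened so far, keyed by tier

    // $accounts: ['tier' => ['user' => ..., 'pass' => ...]] credentials per tier.
    // $memberTier: highest tier the application's own permission checks gave this member.
    public function __construct(private string $dsn, private array $accounts, private string $memberTier)
    {
        if (!array_key_exists($memberTier, self::TIERS)) {
            throw new InvalidArgumentException("unknown tier: $memberTier");
        }
    }

    // Return a connection under the account a query needs, or refuse.
    public function connectionFor(string $needed): PDO
    {
        if (!array_key_exists($needed, self::TIERS) || !isset($this->accounts[$needed])) {
            throw new InvalidArgumentException("unknown tier: $needed");
        }
        // Fail closed: never use an account above what the member's checks allow.
        if (self::TIERS[$needed] > self::TIERS[$this->memberTier]) {
            throw new RuntimeException("$this->memberTier member may not use the $needed account");
        }
        // Lazy: a privileged connection is opened only when a privileged query is about to run.
        $acct = $this->accounts[$needed];
        return $this->open[$needed] ??= new PDO($this->dsn, $acct['user'], $acct['pass'],
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    }
}

// Constructed demo: the refusal happens before any connection attempt, so this runs offline.
$accounts = [
    'normal'    => ['user' => 'forum_rw',    'pass' => (string) getenv('FORUM_DB_RW_PASS')],
    'moderator' => ['user' => 'forum_mod',   'pass' => (string) getenv('FORUM_DB_MOD_PASS')],
    'admin'     => ['user' => 'forum_admin', 'pass' => (string) getenv('FORUM_DB_ADMIN_PASS')],
];
$db = new TieredDb('mysql:host=127.0.0.1;dbname=forum', $accounts, 'normal');
try {
    $db->connectionFor('admin');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```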

Archived

This topic is now archived and is closed to further replies.
