Postgres/MySQL: Restrict database permissions to just what is required #2237
Some frameworks were misbehaving and changing the schema. Also remove upper-case versions of MySQL tables as those are not needed.
@nkasvosve (BeyondJ), @jberger (Mojolicious), @zapov (RevenJ) - Heads up! This pull request changes the permissions for the database and, based on Travis-CI results, it appears that frameworks you have worked on are impacted by it. Could you look over your framework implementations and see what is happening? Thanks.
Revenj will read database metadata at startup (pg_class, pg_namespace, pg_attribute, pg_type and pg_description). Without seeing the actual error I would assume you disallowed reading from those system tables. So grant select onto those tables and it should be back to running again.
Ah.. I see. It fails to do an update due to missing insert/delete permissions. It will keep failing until you give back those permissions (or run it through a different user).
I'll take a look, should be today sometime. I needed to do a dependency-pin bump anyway so this is a good motivator.
Interestingly mojolicious doesn't seem to care about this change. What IS breaking things is that the server deployment script cannot create files or folders in the mojolicious/ project directory. Since we use carton to deploy dependencies this is breaking dependency installation. @LadyMozzarella do you have any suggestions about why this is happening? Clearly it didn't use to happen. It seems that the default directory permissions are 0775. Is the user that runs the server setup not the 'vagrant' user (and also not root)?
So I'm guessing that the user
@jberger I'm not sure what the issue was, but I think this Travis run may have been a fluke. Merging this PR into master kicked off a new Travis run based off of master. Mojolicious passed there. I set up a new Vagrant environment based on current master and ran Mojolicious and it also passed there. I can't seem to replicate the issue locally. @zapov Oh I see, we will have to look into/consider that particular situation specifically.
That is interesting too, but if I can't run it in vagrant then something is still not kosher.
BTW I think I have a patch that I think will be acceptable. Working now on seeing if I can make Perl versions be specified by frameworks. I'd like to get a more modern perl than the one we configured back several years ago.
@LadyMozzarella don't try to make special rules for Revenj. I have to change the submission anyway since you've changed the rules to disallow current Revenj implementation. Hopefully before the next deadline.
@zapov I read your email comments and I have to say, the persecution complex is unbecoming. My Mojolicious app could open 100 connections and parallel query it and yet I understood from the rules that that was against the spirit; so I make individual queries in a for loop. If parallel (or bundled) queries were allowed mine would be faster too. If it means this much to you, propose a new test; I'll second it.
@jberger ;( There was no need to hijack this thread for that discussion.
@zapov Are you submitting a PR for a batched query test?
Yeah, I will try to find some time and add a version which does a loop (and fix this permission issue in the process).
@zapov thanks :)
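Added example, not part of the PR or of any participant's comment: a PostgreSQL sketch of the kind of restriction this thread is about, followed by a privilege audit covering the three things discussed above (schema changes, INSERT/DELETE, and reads of the system catalogs). The role `bench_user`, the table `app_data`, and the choice of SELECT plus UPDATE as the required set are assumptions made for illustration; the PR's actual GRANT statements are not shown on this page.

```sql
-- PostgreSQL. Role and table names are constructed for this example.
BEGIN;  -- rolled back at the end, so nothing persists

CREATE ROLE bench_user LOGIN;
CREATE TABLE app_data (id integer PRIMARY KEY, value integer NOT NULL);

-- Before PostgreSQL 15, PUBLIC holds CREATE on schema public by default,
-- which is what lets an ordinary application role add or change objects.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO bench_user;

-- Assumed minimal set for a read/update workload: no INSERT, DELETE or DDL.
REVOKE ALL ON app_data FROM PUBLIC, bench_user;
GRANT SELECT, UPDATE ON app_data TO bench_user;

-- Audit the effective privileges of the role, one column per question
-- raised in the thread.
SELECT
    has_schema_privilege('bench_user', 'public', 'CREATE')  AS schema_create,
    has_table_privilege('bench_user', 'app_data', 'SELECT') AS table_select,
    has_table_privilege('bench_user', 'app_data', 'UPDATE') AS table_update,
    has_table_privilege('bench_user', 'app_data', 'INSERT') AS table_insert,
    has_table_privilege('bench_user', 'app_data', 'DELETE') AS table_delete,
    -- Metadata read at startup by some frameworks (pg_class and friends).
    has_table_privilege('bench_user', 'pg_catalog.pg_class', 'SELECT')
        AS catalog_read;

ROLLBACK;
```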
TechEmpower#2237)
* Postgres/MySQL: Restrict database permissions to just what is required
  Some frameworks were misbehaving and changing the schema. Also remove upper-case versions of MySQL tables as those are not needed.
* Fix GRANT syntax error