At Fri, 26 Nov 2010 11:51:18 -0800 (PST) Phil Longstaff <[email protected]> wrote:
>
> That's not quite OK.  If a new version of gnucash is released which requires a
> changed db schema, gnucash will try to automatically add new columns and
> constraints.  This might mean we will need to package schema upgrades as a
> separate utility to be run by the dba.

There is no reason to disallow a *user* from adding/dropping tables or
altering tables (adding/removing columns, etc.).  Allowing mere *users*
the privs to add/drop *databases* is the security issue.  The gnucash
application should not be creating the database itself, only tables, etc.

>
> An example of this is that in the future, we will probably add real foreign key
> constraints to the db.
>
> Phil
> ---------
> I used to be a hypochondriac AND a kleptomaniac. So I took something for it.
>
> ________________________________
> From: John Ralls <[email protected]>
> To: Peter Boosten <[email protected]>
> Cc: [email protected]
> Sent: Fri, November 26, 2010 1:50:30 PM
> Subject: Re: Save As MySQL is crashing gnucash
>
>
> On Nov 26, 2010, at 10:09 AM, Peter Boosten wrote:
>
> > On 26-11-2010 16:39, John Ralls wrote:
> >>
> >> Not quite. Users must be created by a superuser, but can be delegated the
> >> create-db privilege,
> >> and gnucash will work best if the userid used to access mysql (or
> >> postgres) has that privilege.
> >
> > Yes, from the lazy-perspective (user friendly?) you are right, but from
> > a security point of view this is so NOT done. You never ever want a user
> > (in this case even an application user) to have create (or drop)
> > privileges (db or table).
>
> That's OK. In that kind of an environment, the initial "save as" just needs to
> be performed by the DBA, providing her credentials. After that she can, from the
> appropriate DBA console program (psql or mysql), create the user(s) and change
> the ownership and privs to whatever the local policies are. That's a bit much
> for home and most small business users, though.
>
> Regards,
> John Ralls
>
> _______________________________________________
> gnucash-user mailing list
> [email protected]
> https://lists.gnucash.org/mailman/listinfo/gnucash-user
> -----
> Please remember to CC this list on all your replies.
> You can do this by using Reply-To-List or Reply-All.
>

--
Robert Heller             -- 978-544-6933 / [email protected]
Deepwoods Software        -- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments

_______________________________________________
gnucash-devel mailing list
[email protected]
https://lists.gnucash.org/mailman/listinfo/gnucash-devel
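
The split argued for in the reply above (table-level DDL allowed, database creation reserved for the DBA), sketched for PostgreSQL as an added example that is not part of the original thread. The role name `gnucash_app`, the database name `gnucash_books` and the password are assumptions chosen for illustration.

```sql
-- Added illustration; role, database and password names are assumptions.
-- Run in psql as the PostgreSQL superuser / DBA.

-- 1. Application login role with no server-wide rights.
CREATE ROLE gnucash_app LOGIN
    NOSUPERUSER NOCREATEDB NOCREATEROLE
    PASSWORD 'change-me';                 -- placeholder value

-- 2. The DBA, not the application, creates the database and remains its owner.
CREATE DATABASE gnucash_books;
REVOKE ALL ON DATABASE gnucash_books FROM PUBLIC;
GRANT CONNECT ON DATABASE gnucash_books TO gnucash_app;

-- 3. Inside that database, let the role create objects in a single schema.
\connect gnucash_books
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
GRANT USAGE, CREATE ON SCHEMA public TO gnucash_app;

-- 4. Inspect the resulting privileges.
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole
  FROM pg_roles
 WHERE rolname = 'gnucash_app';

SELECT has_database_privilege('gnucash_app', 'gnucash_books', 'CONNECT') AS can_connect,
       has_database_privilege('gnucash_app', 'gnucash_books', 'CREATE')  AS can_create_schema,
       has_schema_privilege('gnucash_app', 'public', 'CREATE')           AS can_create_table;

-- 5. Exercise the grants as the application role.
SET ROLE gnucash_app;
CREATE TABLE schema_probe (id integer PRIMARY KEY);  -- allowed
ALTER TABLE schema_probe ADD COLUMN note text;       -- allowed: role owns the table
DROP TABLE schema_probe;                             -- allowed: role owns the table
CREATE DATABASE scratch;                             -- rejected: role lacks CREATEDB
RESET ROLE;
```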
