There's some good documentation (a lot of it in the form of 'warnings') on
security aspects of the "mysql" database.


http://mysql.com/documentation/mysql/bychapter/manual_Privilege_system.html#Privilege_system

But here are some quick notes:
Anyone who has 'modify' permissions to the "mysql" database can modify
ANYTHING in it (and grant the same ability to anyone else).

I use different usernames for different databases (excluding the "mysql" one)
to ensure that each user only has access to the database the username appears
for (in the "db" table).

        User "yubbyuser" has an entry in "db" only for "yubbydb" database.
        User "dubbyuser" has an entry in "db" only for "dubbydb" database.

If you want to do the same for the "mysql" database, you might have to have
multiple "instances" of MySQL running, with each 'instance' controlling a
different 'user' (or project) database. That allows you to enable the user in
each 'instance' to have access to the "mysql" database, which keeps them out
of the other 'instances' (and the other "mysql" databases). Make sure that
the passwords for "root" and other users are different in each 'instance'...

I haven't made use of the "host" or "columns_priv" tables yet, but am using
"tables_priv" to give additional "create" and "drop" access to 'temporary'
tables to the 'web user' (who, without it, can't create
temporary tables) only for those files (and not the ability to 'drop' every
table in the database).

Good Luck...

"Ashley M. Kirchner" wrote:

>     Okay, I'm about to rip my hair out trying to figure this out, and I
> thought before I start looking for a gun, maybe I should ask..
>
>     I need someone to explain the 'mysql' database to me.  I've tried
> reading about it, tried different settings, but I'm lost.  So far I've
> just been adding users and db's to the 'db' and 'user' tables, but
> something tells me that's not all there is to it.
>
>     What are the other tables for?  And how's about adding a user that
> can only access (and change) their DB (assigned by me), and/or adding a
> (different) user that can create their own DB(s), yet not muck with
> anything else on the entire (mysql) system (and screw up other users).
>
>     I'm willing to entertain even more literature if that's easiest to
> point me to, but like I said, I've gone through the online docs, I've
> checked other resources online, and I'm still lost.
>
>     AMK4
>
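
The per-database setup described in this message, written out as an added example in current MySQL syntax (not part of the original post), followed by read-only checks against the grant tables. The account and database names come from the message; the passwords, the `localhost` host and the table name `tmp_report` are assumptions.

```sql
-- Account names are from the message; passwords, host and tmp_report are placeholders.
CREATE USER 'yubbyuser'@'localhost' IDENTIFIED BY 'replace-with-unique-password-1';
CREATE USER 'dubbyuser'@'localhost' IDENTIFIED BY 'replace-with-unique-password-2';

-- Database-level grants: each statement produces one row in mysql.db.
GRANT SELECT, INSERT, UPDATE, DELETE ON yubbydb.* TO 'yubbyuser'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON dubbydb.* TO 'dubbyuser'@'localhost';

-- Table-level grant, recorded in mysql.tables_priv: CREATE and DROP for one
-- named scratch table only, not for every table in yubbydb.
GRANT CREATE, DROP ON yubbydb.tmp_report TO 'yubbyuser'@'localhost';

-- Check 1: accounts with a mysql.db row that lets them change the "mysql"
-- database. Db may hold a LIKE pattern such as '%', so match it as one.
SELECT User, Host, Db
FROM mysql.db
WHERE 'mysql' LIKE Db
  AND 'Y' IN (Insert_priv, Update_priv, Delete_priv, Grant_priv);

-- Check 2: global privileges in mysql.user apply to every database,
-- including "mysql"; only administrative accounts should appear here.
SELECT User, Host
FROM mysql.user
WHERE 'Y' IN (Insert_priv, Update_priv, Delete_priv, Grant_priv);

-- Check 3: accounts with rows for more than one database, which breaks
-- the one-username-per-database scheme.
SELECT User, Host, COUNT(*) AS db_rows
FROM mysql.db
GROUP BY User, Host
HAVING COUNT(*) > 1;

-- Check 4: every table-level grant, to confirm CREATE/DROP is limited to
-- the intended scratch tables.
SELECT User, Host, Db, Table_name, Table_priv
FROM mysql.tables_priv
ORDER BY Db, Table_name, User;

-- Effective grants for one account, as the server reports them.
SHOW GRANTS FOR 'yubbyuser'@'localhost';
```

Checks 1 and 2 should return only administrative accounts, and check 3 should return no rows when each username is tied to a single database.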
