rezalas / riftshadow

Dedicated to the preservation of the game and modernization of a classic mud codebase.
MIT License
18 stars 14 forks

Grant should not be included for db user #209

Open rezalas opened 1 year ago

rezalas commented 1 year ago

We should remove grant as a general perm to avoid potential permission leaks here. The DB user has no actual need for grant and really any non-CRUD-related function, including alter.

https://github.com/rezalas/riftshadow/blob/8a67246a619db9c5ff809f7325c8dc836e042dc6/user-customizations.sh#L11-L13

sean-gilliam commented 1 year ago

Most definitely.

Psypher9 commented 1 year ago

Isn't this just granting the permissions in the comma separated list to the user? Not granting GRANT. Perhaps I'm misunderstanding.

sean-gilliam commented 1 year ago

I just looked at the three line snippet and thought a user supplied USER was being given those perms. So I took a look at the whole file to get context.

It's pretty clear that the script is only giving those perms to the rift user. That's the exact same stuff that the setup scripts/admin stuff uses. This looks like a script to run in case of an oopsie when the rift user gets deleted somehow.

Psypher9 commented 1 year ago

Yeah that's what I was thinking too. So are we thinking just leave it?

rezalas commented 1 year ago

I read it wrong initially, but we still need to pull alter and drop off the list just in case someone gets an injection and calls them.

Alternatively, we could migrate it to a dev setup only. The production setup though should have the absolute minimum rights needed to operate for the game.

Psypher9 commented 1 year ago

Okay I see what you're saying now!
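The contrast the thread is describing, as an added example that is not code from the riftshadow repository or its user-customizations.sh: a broad grant of the kind the issue objects to, followed by the least-privilege grant rezalas proposes (CRUD only, scoped to the game database), and a separate dev-only account for the schema-changing rights, which is one way to do the "migrate it to a dev setup only" option. Assumptions: a MySQL/MariaDB server, the account name 'rift'@'localhost' (the thread only says "the rift user"), the database name riftshadow as a placeholder, and the account name rift_admin for the dev-only role.

```sql
-- Added example, not the project's own script.
-- Assumed names: 'rift'@'localhost' (game account), riftshadow (database placeholder),
-- 'rift_admin'@'localhost' (hypothetical dev-only account).

-- Before: more than the game needs. ALTER and DROP let an injected statement
-- rewrite or delete tables; WITH GRANT OPTION lets the account hand its rights to others.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP
  ON riftshadow.* TO 'rift'@'localhost' WITH GRANT OPTION;

-- After: strip everything, then grant only the CRUD set on the game database
-- (not on *.*), so an injected statement can read or change rows but not the schema.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'rift'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE
  ON riftshadow.* TO 'rift'@'localhost';

-- Dev-only: schema changes (migrations, setup scripts) go through a separate account
-- that the running game never authenticates as, so production keeps the minimum.
GRANT CREATE, ALTER, DROP, INDEX
  ON riftshadow.* TO 'rift_admin'@'localhost';

-- Check: the game account should show only USAGE on *.* plus the CRUD grant on riftshadow.*,
-- and no GRANT OPTION.
SHOW GRANTS FOR 'rift'@'localhost';
```

The REVOKE before the GRANT matters when the account already exists: GRANT only adds privileges, so re-running a narrower GRANT on its own would leave ALTER, DROP and GRANT OPTION in place.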