Understanding MariaDB Permissions: Can a User Really Install Plugins?


Here's a breakdown:

  1. SELECT user, host FROM mysql.db WHERE db = 'mysql': This part of the code queries the db table in the mysql system database, restricted to the rows that apply to the mysql database itself. It selects two columns: user and host.

  2. (insert_priv='y') or (delete_priv='y') or (insert_priv='y' and delete_priv='y'): This condition filters the results based on user privileges. It checks for three scenarios:

    • (insert_priv='y'): This checks if the user has the INSERT privilege on the mysql database.
    • (delete_priv='y'): This checks if the user has the DELETE privilege on the mysql database.
    • (insert_priv='y' and delete_priv='y'): This checks if the user has both INSERT and DELETE privileges on the mysql database. This clause is redundant, since either of the first two conditions already matches such a user.

In essence, this code retrieves a list of users and their hostnames (machines they can connect from) who have either INSERT or DELETE privileges on the mysql database. These privileges wouldn't necessarily grant the ability to install plugins, though they do indicate a level of permission on the database.

To revoke permissions for installing plugins in MariaDB, you'd typically use a different approach. This might involve modifying the grant statement for a specific user, removing the SUPER privilege (which grants permission for most administrative tasks), or using MariaDB's plugin management tools to restrict specific plugin installations.

Revoking INSERT and DELETE privileges on the mysql database:

REVOKE INSERT, DELETE ON mysql.* FROM username@hostname;

This code revokes both INSERT and DELETE privileges on the entire mysql database from a specific user (username) connecting from a specific host (hostname). Remember to replace username and hostname with the actual values for the user you want to restrict.
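
A revoke on mysql.* only changes the database-level grant, so an account can still reach mysql.plugin through a global or table-level grant. The query below is an added example, not part of the original article: it assumes the stock MariaDB grant tables (mysql.user, mysql.db, mysql.tables_priv) and relies on the documented requirement that INSTALL PLUGIN needs INSERT and UNINSTALL PLUGIN needs DELETE on mysql.plugin. The column aliases are chosen for illustration.

```sql
-- Added example: list every account whose grants cover mysql.plugin
-- at the global, database, or table level.
-- Assumption: stock grant tables; privileges inherited through roles
-- are not resolved here.

-- Global grants (ON *.*)
SELECT 'global' AS grant_level,
       u.User   AS account_user,
       u.Host   AS account_host,
       u.Insert_priv = 'Y' AS can_install,
       u.Delete_priv = 'Y' AS can_uninstall
FROM mysql.user AS u
WHERE u.Insert_priv = 'Y' OR u.Delete_priv = 'Y'

UNION ALL

-- Database grants; Db may hold a wildcard pattern such as 'my%',
-- so match the literal name against the stored pattern.
SELECT 'database', d.User, d.Host,
       d.Insert_priv = 'Y',
       d.Delete_priv = 'Y'
FROM mysql.db AS d
WHERE 'mysql' LIKE d.Db
  AND (d.Insert_priv = 'Y' OR d.Delete_priv = 'Y')

UNION ALL

-- Table grants on mysql.plugin itself; Table_priv is a SET column.
SELECT 'table', t.User, t.Host,
       FIND_IN_SET('Insert', t.Table_priv) > 0,
       FIND_IN_SET('Delete', t.Table_priv) > 0
FROM mysql.tables_priv AS t
WHERE t.Db = 'mysql'
  AND t.Table_name = 'plugin'
  AND (FIND_IN_SET('Insert', t.Table_priv) > 0
       OR FIND_IN_SET('Delete', t.Table_priv) > 0)

ORDER BY account_user, account_host, grant_level;
```

An account that still appears after the REVOKE holds the privilege at another level, and that grant has to be revoked at the level shown in grant_level.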

Granting a user with limited privileges:

GRANT SELECT, SHOW DATABASES, SHOW VIEW ON *.* TO restricted_user@localhost;

This code creates a user named restricted_user who can only connect from localhost (the same machine where MariaDB is running) and has limited privileges. It grants them only the ability to SELECT data and view the database structure using SHOW statements. This effectively restricts them from installing plugins as they lack the necessary permissions.

Important Note:

  • Be cautious when revoking privileges, especially on administrative accounts. Ensure you understand the impact on user functionality before making changes.

  1. Using MariaDB plugin management tools:

    MariaDB offers a built-in plugin management framework. You can utilize tools like plugin install, plugin disable, or plugin uninstall to manage specific plugins. By granting users limited access to these tools, you can restrict their ability to install new plugins.

  2. Modifying the server configuration file:

    The MariaDB configuration file (usually named my.cnf or mariadb.cnf) allows you to define various settings, including security restrictions. You can add a line like plugin_install=0 to completely disable plugin installations for the server. However, this is a very restrictive approach and might not be ideal for all situations.

  3. File system permissions:

    MariaDB plugins are typically stored in specific directories. By modifying the file system permissions on these directories, you can restrict users from writing or modifying files. This would prevent them from installing new plugins even if they have some database privileges.

  4. Using a security context (OS-level):

    Some Linux distributions allow setting up MariaDB as a service that runs under a specific user account. You can restrict the privileges of this user account at the operating system level, preventing it from modifying the files or directories required for plugin installation.

Remember, the best approach depends on your specific needs and security requirements. It's advisable to consult the MariaDB documentation and choose a method that balances security with user functionality.

