Grant should not be included for db user

[rezalas]

We should remove grant as a general perm to avoid potential permission leaks here. The DB user has no actual need for grant and really any non-CRUD related function, including alter.

riftshadow/user-customizations.sh

Lines 11 to 13 in 8a67246

	mysql -uhomestead -psecret -e "CREATE USER IF NOT EXISTS '$USER'@'localhost' IDENTIFIED BY '$PASS';"
	mysql -uhomestead -psecret -e "GRANT ALTER,CREATE,DELETE,DROP,INDEX,INSERT,SELECT,UPDATE ON rift.* TO '$USER'@'localhost';"
	mysql -uhomestead -psecret -e "GRANT ALTER,CREATE,DELETE,DROP,INDEX,INSERT,SELECT,UPDATE ON rift_core.* TO '$USER'@'localhost';"

[sean-gilliam]

Most definitely.

[Psypher9]

Isn't this just granting the permissions in the comma separated list to the user? Not granting GRANT. Perhaps I'm misunderstanding.

[sean-gilliam]

I just looked at the three line snippet and thought a user supplied USER was being given those perms. So I took a look at the whole file to get context.

It's pretty clear that the script is only giving those perms to the rift user. That's the exact same stuff that the setup scripts/admin stuff uses. This looks like a script to run in case of an oopsie when the rift user gets deleted somehow.

[Psypher9]

Yeah that's what I was thinking too. So are we thinking just leave it?

[rezalas]

I read it wrong initially, but we still need to pull alter and drop off the list just in case someone gets an injection and calls them.

Alternatively, we could migrate it to a dev setup only. The production setup though should have the absolute minimum rights needed to operate for the game.

[Psypher9]

Okay I see what you're saying now!