Mantis: Secure MySQL Setup

This page was originally posted at http://www.futureware.biz/blog/index.php?title=mysql_setup_for_use_with_mantis&more=1&c=1&tb=1&pb=1.

In some environments, additional database security may be desired when running a Mantis installation. The key to this is to restrict what the database userid can do. Note that database userids are distinct from system login or mantis user names, and are specific to the database system being used.

The following restrictions should be put in place:

  • The userid should be restricted in terms of where it can access the database from. MySQL permissions can lock out access by host name or IP address. The database should only be accessible from the web server.
  • The userid should be restricted in terms of what databases it can access. For the most secure setup, a new userid should be defined that only has access to the Mantis database.
  • The userid should be restricted in terms of what it can do to the database. The operating user only requires SELECT, INSERT, UPDATE, and DELETE privileges.

Thus, you should create a new userid within MySQL to run the Mantis installation. You can create this user using the following command while in the mysql command line tool:

GRANT SELECT, INSERT, UPDATE, DELETE ON bugtracker.* TO 'mantis_user'@'hostname' IDENTIFIED BY 'password';

where mantis_user is the new Mantis userid, hostname is the name of the host running the web server, and password is the password (both the account and the password must be quoted as string literals). You may need to run this command twice: once for the host named 'localhost' and once for the hostname as defined in the host's DNS entry.

To update the database using the internal tools, you may require a userid with additional privileges. At a minimum, you would need to add ALTER, INDEX, CREATE, DELETE, and DROP privileges to another user for database upgrades. Before the 1.0.0 release, you would need to manually edit the config_inc.php file to replace the userid and password to update the database structures. With version 1.0.0, the system installer allows for a second administrative userid to be used specifically for this purpose. You can create this user using the following command while in the mysql command line tool:

GRANT ALL ON bugtracker.* TO 'mantis_admin'@'hostname' IDENTIFIED BY 'password';
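The complete sequence for both accounts described above (the restricted operating userid and the separate upgrade userid), as an added example that is not part of the original post. It uses CREATE USER followed by GRANT, which works on MySQL 5.7 and 8.0 (the GRANT ... IDENTIFIED BY form shown on this page was removed in MySQL 8.0). The database name bugtracker is the page's; the host name web01.example.com and the passwords are constructed placeholders.

```sql
-- Constructed example: run as a MySQL administrative account.
-- Assumed web server host: web01.example.com (placeholder). Replace the
-- placeholder passwords before use.

-- Operating account: only the four DML privileges, only on bugtracker.*,
-- and only from the web server (loopback name and its DNS name).
CREATE USER 'mantis_user'@'localhost'         IDENTIFIED BY 'placeholder-operating-password';
CREATE USER 'mantis_user'@'web01.example.com' IDENTIFIED BY 'placeholder-operating-password';
GRANT SELECT, INSERT, UPDATE, DELETE ON bugtracker.* TO 'mantis_user'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON bugtracker.* TO 'mantis_user'@'web01.example.com';

-- Upgrade account: adds the schema-changing privileges the installer needs,
-- still scoped to bugtracker.* (GRANT ALL ON bugtracker.* is the broader
-- alternative the page shows). Use it only for the upgrade step.
CREATE USER 'mantis_admin'@'localhost' IDENTIFIED BY 'placeholder-admin-password';
GRANT SELECT, INSERT, UPDATE, DELETE, ALTER, INDEX, CREATE, DROP
    ON bugtracker.* TO 'mantis_admin'@'localhost';

-- Check 1: each account should list USAGE plus bugtracker.* privileges, nothing global.
SHOW GRANTS FOR 'mantis_user'@'localhost';
SHOW GRANTS FOR 'mantis_user'@'web01.example.com';
SHOW GRANTS FOR 'mantis_admin'@'localhost';

-- Check 2: neither Mantis account may be reachable from any host ('%').
-- Expected result: no rows.
SELECT user, host FROM mysql.user
 WHERE user IN ('mantis_user', 'mantis_admin') AND host = '%';

-- Check 3: neither Mantis account may hold global privileges in mysql.user.
-- Expected result: no rows (global *_priv columns stay 'N' for db-scoped grants).
SELECT user, host FROM mysql.user
 WHERE user IN ('mantis_user', 'mantis_admin')
   AND (Select_priv = 'Y' OR Insert_priv = 'Y' OR Update_priv = 'Y'
        OR Delete_priv = 'Y' OR Super_priv = 'Y' OR File_priv = 'Y');
```

The Mantis installer's config then uses mantis_user for normal operation and mantis_admin only when prompted for the upgrade account.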

Copyright 2006, Logical Outcome Ltd.