On Mar 26, 2019, at 12:03 AM, Claudio Nanni <claudio.nanni@mariadb.com> wrote:
Hi,
The rationale is that the system administrator can do anything on the server (including manual edits to the DB files) anyway; thus, every user already implicitly trusts that user with their data.
The user that is the manager of the server (root in Linux) is not the owner of the data. So IMHO we should go exactly in the opposite direction, trying to make it more complicated, not easier, to do anything that's not strictly managing the server. Yes, he can tamper with files, but one thing is doing that and another is that any 'root' can read sensitive data; consider also that MariaDB supports data-at-rest encryption with a third-party external key management system.
MariaDB already ships a “unix_socket” authn plugin by default. All the admin has to do in order to gain access to a user’s data is to enable that plugin for the user, drop privileges, then log in. Arguably, this is just a default-configuration change that I’m suggesting: configure root@localhost to use unix_socket authn by default (on Linux). -FG
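The default FG proposes, written out as an added SQL example (not code from the thread); it assumes MariaDB 10.4+ syntax (ALTER USER ... IDENTIFIED VIA) and a server where the unix_socket plugin is already loaded, as the thread says it is by default:

```sql
-- Added example, not from the thread: switch root@localhost from password
-- authentication to the unix_socket plugin, then verify the change.
-- Assumes MariaDB 10.4+ and that unix_socket is already loaded.

-- 1. Confirm the plugin is available before relying on it.
SELECT plugin_name, plugin_status
  FROM information_schema.plugins
 WHERE plugin_name = 'unix_socket';

-- 2. Make root@localhost authenticate by the OS identity of the connecting
--    process (the local 'root' account) instead of a stored password.
ALTER USER 'root'@'localhost' IDENTIFIED VIA unix_socket;

-- 3. Verify: the plugin column for root@localhost should now read 'unix_socket'.
SELECT user, host, plugin
  FROM mysql.user
 WHERE user = 'root' AND host = 'localhost';
```

With this in place, a local shell user who is not 'root' at the OS level cannot log in as the database root over the socket, even without a password being set.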