User permissions for FILE apply to operations such as LOAD DATA / INFILE / INTO OUTFILE:
"The FILE privilege gives you the right to read and write files on the server host using the LOAD DATA INFILE and SELECT ... INTO OUTFILE statements and the LOAD_FILE() function. A user who has the FILE privilege can read any file on the server host that is either world-readable or readable by the MySQL server."
Using REVOKE to manage the FILE privilege from the mysql CLI ('user'@'host' is a placeholder for the account):

```sql
-- change to the mysql system database
USE mysql;
-- FILE is a global privilege, so it is revoked at the *.* level
REVOKE FILE ON *.* FROM 'user'@'host';
```
Alternatively, if you run into problems, you can selectively allow FILE operations on specific databases and within specific tables.
In addition, if you do not disable it completely, you can also confine it to a directory such as /tmp with the secure_file_priv system variable, which limits where data files can be read from and written to.
For more information, see the manual:
- FILE Privilege
- REVOKE Syntax
- System Variable: secure_file_priv
This question is a great example of why it is best to approach security with a "deny everything, then specifically allow as necessary" mindset, rather than first granting a user ALL privileges and then selectively revoking them, which I see very often due to a lack of familiarity with the GRANT / REVOKE system in MySQL.
cerd
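A short audit-and-harden sequence for the FILE privilege, added here as an example that is not part of the answer above; 'app'@'localhost' is a placeholder account name and /tmp is the directory the answer suggests.

```sql
-- 1. Find every account that currently holds the global FILE privilege.
--    File_priv is the column that backs the FILE grant in mysql.user.
SELECT user, host FROM mysql.user WHERE File_priv = 'Y';

-- 2. FILE is a global privilege, so it can only be revoked at the *.* level
--    (placeholder account; substitute the account found in step 1).
REVOKE FILE ON *.* FROM 'app'@'localhost';

-- 3. Confirm the grant is gone: FILE must no longer appear in the output.
SHOW GRANTS FOR 'app'@'localhost';

-- 4. Check where file operations are confined for accounts that still hold FILE.
--    An empty value means no restriction; NULL means file operations are disabled.
SHOW VARIABLES LIKE 'secure_file_priv';

-- 5. secure_file_priv is read-only at runtime, so to confine it to /tmp add the
--    following under [mysqld] in my.cnf and restart the server:
--      secure_file_priv = /tmp
```

Step 1 is worth running periodically, since FILE is often granted as part of ALL PRIVILEGES and then forgotten.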