
I am currently using MySQL for my Rails application. In my database.yml, I have the following:

production:
  adapter: mysql2
  database: application_name_production
  username: root
  password: password
  host: localhost

I'm wondering, is it ok to connect to the database as user root? Will it be any less secure than using another user other than root?

gerky

3 Answers

3

This is stored in plaintext, so yes, it's a very bad thing to do. If someone ever gets access to your webserver, he can read the password. And hey, it's probably the same password for the user root to access the whole system :)

Create a database user that can only work with the application-specific database. Then only that data can be stolen/edited/destroyed if someone steals your database.yml. Do not use a password that has been used elsewhere.

As you can expect, a hacker will immediately search for database.yml files using an automated script when he breaks into your system. So within one second of entering your system, he can access all your data.

Hugo Logmans
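Added example of what the answers recommend, written for MySQL (it is not code from the question or any answer): a dedicated account that can only touch the application's own schema, plus a separate account for migrations. The database name comes from the question; the user names app_user and app_migrate and the password placeholders are assumptions.

```sql
-- Run once as an administrative account (e.g. through the mysql CLI).
-- Added example; user names and password placeholders are hypothetical,
-- the database name application_name_production is from the question.

-- Runtime account for the Rails process: DML on the app schema only.
CREATE USER 'app_user'@'localhost'
  IDENTIFIED BY 'CHANGE_ME_long_random_password';
GRANT SELECT, INSERT, UPDATE, DELETE
  ON application_name_production.*
  TO 'app_user'@'localhost';

-- Deploy-time account for `rails db:migrate`: DDL is needed here, so keep
-- it out of the account the web process uses every day.
CREATE USER 'app_migrate'@'localhost'
  IDENTIFIED BY 'CHANGE_ME_another_random_password';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP, INDEX, REFERENCES
  ON application_name_production.*
  TO 'app_migrate'@'localhost';

-- Check the result: the runtime account should list only the grants above.
SHOW GRANTS FOR 'app_user'@'localhost';

-- Sanity check after connecting as app_user: this must be refused with
-- "Access denied", which confirms the account cannot read other schemas.
--   SELECT user, host FROM mysql.user;
```

database.yml then names app_user instead of root, and the password is best read from the environment rather than written into the file (database.yml is evaluated as ERB, so `password: <%= ENV['APP_DB_PASSWORD'] %>` works).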
2

Having a separate user with a set of required permissions only for a database (and any system) provides an additional step against hackers.

So why not spend 5 minutes to create a separate user to save hours on recovering from possible hacker attacks?

Eugene
1

Giving out the root password (for the system, databases, ...) is something that is very bad. It is like giving every Tom, Dick and Harry a set of your front door keys.

So just spend a little time creating users with the appropriate permissions. This will achieve the added advantage of protecting the integrity of your system, the database, the tables and the operations that can be performed.

In my opinion, I just use stored procedures for the web site's access and only grant execution of stored procedures. This ensures that nothing nasty can creep in and maintains performance, as the cards are kept close to the database's chest. After all, the database for a web site is one of the biggest assets.

Ed Heal