Minimum MySQL User Permissions Required For Ghost Installation

This is a quick post to document what we found to be the minimum permissions needed for your MySQL user. If you are using MySQL instead of the default SQLite3 then you should make sure the user Ghost is using to connect to the database with has only the required permissions.

Here is a quick summary of the common priviledges (here is the full list):

ALL PRIVILEGES - full access for user
ALTER - allow user to change the structure of a table
CREATE - allow user to create new tables or databases
DROP - allow user to delete tables or databases
DELETE - allow user to delete rows from tables
INSERT - allow user to insert rows into tables
SELECT - allow user to use the Select command to read through databases
UPDATE - allow user to update table rows
GRANT OPTION - allow user to grant or remove other users' privileges

You could grant ALL PRIVILEGES, but your Ghost MySQL user likely does not need access to DROP or GRANT OPTION. So instead we will grant the specific privileges that are needed. A grant command looks like this:

GRANT [permission] ON [database].[table name] TO ‘[username]’@'localhost’;

So for example to grant the user foo access to SELECT it would look like this:

GRANT SELECT ON ghost.* TO 'ghost'@'localhost';

The minimum set of permissions that are required for your Ghost blog to function are the following:

grant create,delete,insert,select,update,alter ON ghost.* TO 'ghost'@'localhost';

To see what your MySQL permissions are first connect to your database and list the users:

select user,host from username;

Now for the user that Ghost is using query for their grants:

show grants for 'username'@'localhost';

If what you see scares you, you can revoke the current permissions and use the minimum set listed above:

revoke all privileges, grant option from 'username'@'localhost';

And last you will need to flush the privileges:

flush privileges;