For posterity:Here's the sql statement to get usage info:
SELECT mail.mail_name, domains.name,
mn_param.val, mail.mbox_quota FROM mail, mn_param, domains WHERE mail.id=mn_param.mn_id AND
mail.dom_id=domains.id AND mn_param.param='box_usage';
Here's how to create a mysql user that only has SELECT privs on the *specific columns* on the *specific tables* in the psa database that are needed to execute the above sql statement:Step 1: Create user and grant SELECT on mail table columns required
GRANT SELECT (id, dom_id, mail_name, mbox_quota) ON psa.mail TO 'my-lovely-user'@'localhost' NOTE: we need to grant select on id and dom_id as these are used in the WHERE part of the sql statement even though they are not in the SELECT partStep 2: Grant SELECT on particular columns of mn_param table
IDENTIFIED BY 'my-lovely-password';
GRANT SELECT (mn_id, val, param) ON psa.mn_param TO 'my-lovely-user'@'localhost';Note: again we need to grant select on mn_id and param as they are used in WHERE part of sql statementStep 3: Grant SELECT on particular columns of domains table
GRANT SELECT (id, name) ON psa.domains TO 'my-lovely-user'@'localhost';Note: Once again we need to grant SELECT on id as it is used in WHERE part
At this point my-lovely-user will be able to execute the statement to get mail quota info, and pretty much nothing else.
If this restricted user is compromised in some way, an attacker could obtain all mailbox names on the server. This is not a good thing. But no further damage could be done. Errr.. Maybe the mn_param.param needs to be locked down to row 'box_usage' to make it properly secure. Not sure where passwords are stored.