1.2 Use Dedicated Least Privileged Account for MariaDB Daemon/Service

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

As with any service installed on a host, it can be provided with its own user context. Providing a dedicated user to the service provides the ability to precisely constrain the service within the larger host context.

Rationale:

Utilizing a least privilege account for MariaDB to execute as needed may reduce the impact of a MariaDB-born vulnerability. A restricted account will be unable to access resources unrelated to MariaDB, such as operating system configurations.

Solution

Create a user that is used only for running MariaDB and its directly related processes. This user must not have administrative rights on the system. Additionally, it is best to avoid providing shell access to such an account.
The following commands, run at a terminal prompt, create the group and the user with no login shell (`-s /bin/false`), no home directory created (`-M`), and no user private group (`-N`); the second command is a single line continued with a backslash:

/usr/sbin/groupadd -g 27 -o -r mysql >/dev/null 2>&1 || :
/usr/sbin/useradd -M -N -g mysql -o -r -d /var/lib/mysql -s /bin/false \
    -c 'MariaDB Server' -u 27 mysql >/dev/null 2>&1 || :
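As an added example (not part of the CIS benchmark or the audit text), the following POSIX shell functions check whether an account meets the properties the solution above creates: non-zero UID, the expected home directory, and a non-login shell. They also report which user the running daemon actually executes as. The sample passwd lines are constructed for offline demonstration; the user name, UID and home directory are those used in the commands above.

```shell
#!/bin/sh
# Added example: audit helpers for a dedicated MariaDB service account.
# Not from the CIS benchmark; assumes the account "mysql" with home
# /var/lib/mysql as created by the useradd command in the solution.

# Returns 0 if a passwd(5)-format line describes an acceptable
# least-privileged service account; prints the first failing property.
# Usage: check_service_account "<passwd line>" <expected_user> <expected_home>
check_service_account() {
    line=$1; want_user=$2; want_home=$3
    name=$(printf '%s\n' "$line" | cut -d: -f1)
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    home=$(printf '%s\n' "$line" | cut -d: -f6)
    shell=$(printf '%s\n' "$line" | cut -d: -f7)

    [ "$name" = "$want_user" ] || { echo "user $want_user not found"; return 1; }
    # UID 0 would make the daemon equivalent to root.
    case "$uid" in
        ''|*[!0-9]*|0) echo "$name has unacceptable UID '$uid'"; return 1 ;;
    esac
    [ "$home" = "$want_home" ] || { echo "$name home is $home"; return 1; }
    # Only non-login shells are acceptable for the service account.
    case "$shell" in
        /bin/false|/sbin/nologin|/usr/sbin/nologin) ;;
        *) echo "$name has login shell $shell"; return 1 ;;
    esac
    return 0
}

# Looks up a live account with getent and checks it. Returns 1 if absent.
check_live_account() {
    entry=$(getent passwd "$1") || { echo "no such user: $1"; return 1; }
    check_service_account "$entry" "$1" "$2"
}

# Returns 0 only when every running mysqld/mariadbd process executes as
# the expected user; reports any process owned by someone else.
check_daemon_user() {
    want=$1; rc=0; found=0
    for pid in $(pgrep -x mysqld; pgrep -x mariadbd); do
        found=1
        owner=$(ps -o user= -p "$pid")
        [ "$owner" = "$want" ] || { echo "pid $pid runs as $owner"; rc=1; }
    done
    [ "$found" -eq 1 ] || echo "no mysqld/mariadbd process running"
    return $rc
}

# Constructed sample passwd lines for offline demonstration.
GOOD='mysql:x:27:27:MariaDB Server:/var/lib/mysql:/bin/false'
BAD_SHELL='mysql:x:27:27:MariaDB Server:/var/lib/mysql:/bin/bash'
BAD_UID='mysql:x:0:0:MariaDB Server:/var/lib/mysql:/bin/false'
```

On a live host, `check_live_account mysql /var/lib/mysql && check_daemon_user mysql` performs both checks against the real account and the running daemon.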

See Also

https://workbench.cisecurity.org/benchmarks/12270