1.2 Use Dedicated Least Privileged Account for MySQL Daemon/Service


As with any service installed on a host, it can be provided with its own user context. Providing a dedicated user to the service provides the ability to precisely constrain the service within the larger host context.


Utilizing a least privilege account for MySQL to execute as may reduce the impact of a MySQL-born vulnerability. A restricted account will be unable to access resources unrelated to MySQL, such as operating system configurations.


Create a user which is only used for running MySQL and directly related processes. This user must not have administrative rights to the system. Additionally, it's best to avoid providing shell access to such an account.
Shell access can be removed using the following command at a terminal prompt:

/usr/sbin/groupadd -g 27 -o -r mysql >/dev/null 2>&1 || :
/usr/sbin/useradd -M -N -g mysql -o -r -d /var/lib/mysql -s /bin/false \
-c 'MySQL Server' -u 27 mysql >/dev/null 2>&1 || :

See Also


Item Details


References: 800-53|AC-6

Plugin: Windows

Control ID: de3dd332f278e4fd5da8c04ae54e69487b07469900e3c99856ce4ec87cd21d8a