Information
As with any service installed on a host, it can be provided with its own user context. Providing a dedicated user to the service provides the ability to precisely constrain the service within the larger host context.
Rationale:
Utilizing a least privilege account for MariaDB to execute as needed may reduce the impact of a MariaDB-born vulnerability. A restricted account will be unable to access resources unrelated to MariaDB, such as operating system configurations.
Solution
Create a user which is only used for running MariaDB and directly related processes. This user must not have administrative rights to the system. Additionally, it's best to avoid providing shell access to such an account.
Shell access can be removed using the following command at a terminal prompt:
/usr/sbin/groupadd -g 27 -o -r mysql >/dev/null 2>&1 || :
/usr/sbin/useradd -M -N -g mysql -o -r -d /var/lib/mysql -s /bin/false
-c 'MariaDB Server' -u 27 mysql >/dev/null 2>&1 || :