3.8 Ensure Plugin Directory Has Appropriate Permissions

Information

The plugin directory is the location of the MariaDB plugins. Plugins are storage engines or user-defined functions (UDFs).

Rationale:

Limiting the accessibility of these objects will protect the confidentiality, integrity, and availability of the MariaDB database. If someone can modify plugins, those plugins might be loaded when the server starts, and their code will be executed.

Impact:

Users other than the MariaDB user will no longer be able to update and add/remove plugins unless they're able to switch to the MariaDB user.

Solution

To remediate this setting, execute the following commands at a terminal prompt using the plugin_dir Value from the audit procedure. The MariaDB server must not be allowed to write to this location.

chmod 550 <plugin_dir Value> # (or use 554)
chown mysql:mysql <plugin_dir Value>
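
To confirm the remediation took effect, the following check compares a directory's mode and ownership with the values above. It is an added example, not part of the benchmark text; the function name check_plugin_dir is hypothetical, and it assumes GNU coreutils stat (Linux).

```shell
#!/bin/sh
# Added example: verify a plugin directory against the remediation values
# (mode 550 or 554, owner mysql:mysql). check_plugin_dir is a hypothetical
# helper name. Assumes GNU coreutils `stat`.
#
# Usage: check_plugin_dir <plugin_dir Value> [owner:group]
# Returns 0 when compliant, 1 when not compliant, 2 when the path cannot be checked.
check_plugin_dir() {
    pd_dir=$1
    pd_want=${2:-mysql:mysql}
    pd_rc=0

    if [ ! -d "$pd_dir" ]; then
        echo "FAIL: $pd_dir is not a directory" >&2
        return 2
    fi

    # -L follows a symlinked plugin_dir so the real directory is inspected.
    pd_mode=$(stat -L -c '%a' -- "$pd_dir") || return 2
    pd_owner=$(stat -L -c '%U:%G' -- "$pd_dir") || return 2

    # Any write bit, any "other" access beyond read, or a setuid/setgid/sticky
    # bit changes the octal string and is reported as a failure.
    case $pd_mode in
        550|554) ;;
        *) echo "FAIL: mode is $pd_mode, expected 550 or 554" >&2; pd_rc=1 ;;
    esac

    if [ "$pd_owner" != "$pd_want" ]; then
        echo "FAIL: owner is $pd_owner, expected $pd_want" >&2
        pd_rc=1
    fi

    if [ "$pd_rc" -eq 0 ]; then
        echo "PASS: $pd_dir is $pd_mode $pd_owner"
    fi
    return "$pd_rc"
}

# Run the check when the script is invoked with a directory argument.
if [ "$#" -gt 0 ]; then
    check_plugin_dir "$@"
fi
```

Both findings are reported when the mode and the ownership are wrong, so a single run shows everything that still needs fixing.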

See Also

https://workbench.cisecurity.org/benchmarks/16527

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 88e1418603b72bb4d0892217afefd341efe15c8154c39c0ab2ce6db5157a15c0