1.2 Use Dedicated Least Privileged Account for MySQL Daemon/Service

Information

As with any service installed on a host, it can be provided with its own user context. Providing a dedicated user to the service provides the ability to precisely constrain the service within the larger host context.

Rationale:

Utilizing a least privilege account for MySQL to execute as needed may reduce the impact of a MySQL-born vulnerability. A restricted account will be unable to access resources unrelated to MySQL, such as operating system configurations.

Solution

Create a user which is only used for running MySQL and directly related processes. This user must not have administrative rights to the system. Additionally, it's best to avoid providing shell access to such an account.

Shell access can be removed using the following command at a terminal prompt:

/usr/sbin/groupadd -g 27 -o -r mysql >/dev/null 2>&1 || :
/usr/sbin/useradd -M -N -g mysql -o -r -d /var/lib/mysql -s /bin/false
-c 'MySQL Server' -u 27 mysql >/dev/null 2>&1 || :

See Also

https://workbench.cisecurity.org/benchmarks/15112

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv7|14

Plugin: Unix

Control ID: deb52086acca85c38f0871f2d748993933a813690ffc752fd1f2d91b980e398e