1.7 Ensure MySQL is Run Under a Sandbox Environment


Use of the chroot() system call at startup, Systemd with settings to achieve isolation, or docker will put MySQL in a Sandbox environment.


Running MySQL in a Sandbox environment may reduce the impact of a MySQL-born vulnerability by making portions of the file system inaccessible to the MySQL instance.


Use of the chroot option somewhat limits LOAD DATA INFILE and SELECT ... INTO OUTFILE.

Perform one of the following steps to remediate this setting:

Configure MySQL to use chroot:

Choose a non-system partition <chroot location> for MySQL

Add chroot=<chroot_location> to the my.cnf option file

Configure MySQL to run under systemd:

If mysql is managed by systemd and running, stop the service:

$ sudo systemctl stop <mysqld>.service

If a mysql user and group do not already exist, create them:

$ sudo groupadd mysql
$ sudo useradd -r -g mysql -s /bin/false mysql

Set the ownership of the base director:

$ sudo chown -R mysql:mysql /usr/local/mysql/

Create or modify the <mysqld>.service file in /lib/systemd/system to include the following entries, if not already present:

Description=MySQL Server



If mysql was not already already managed by systemd execute this command:

$ sudo systemctl daemon-reload

Start the MySQL server:

$ sudo systemctl start <mysqld>.service

If you would like mysql to automatically run at startup execute this command:

$ sudo systemctl enable <mysqld>.service

Follow documentation in the references for standing up MySQL in a Docker container.

