
Use Dedicated Least Privileged Account for MySQL Daemon/Service

Details

As with any service installed on a host, it can be provided with its own user context. Providing a dedicated user to the service provides the ability to precisely constrain the service within the larger host context.

Rationale:

Running MySQL under a least-privilege account limits the impact of a MySQL-borne vulnerability: a restricted account cannot reach resources unrelated to MySQL, such as operating system configuration files.

Solution

Create a user that is used only for running MySQL and directly related processes. This user must not have administrative rights on the system, and it is best not to give such an account shell access either.

The following commands, entered at a terminal prompt, create the group and the account with no login shell (-s /bin/false) as a system account (-r) without a home directory being created (-M):

/usr/sbin/groupadd -g 27 -o -r mysql >/dev/null 2>&1 || :
/usr/sbin/useradd -M -N -g mysql -o -r -d /var/lib/mysql -s /bin/false \
-c 'MySQL Server' -u 27 mysql >/dev/null 2>&1 || :
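The account creation above can be verified afterwards. The following POSIX sh helpers are an added example, not part of the CIS text: they check that a passwd entry is non-root with no login shell, and that every mysqld process is owned by the expected account. The passwd line and process listing in the comments are constructed sample data; audit_live runs the same checks against the host.

```sh
#!/bin/sh
# Added audit helpers (example code, not from the CIS benchmark).
# Sample inputs used in comments are constructed for illustration.

# check_passwd_entry LINE
# LINE is one /etc/passwd record: name:x:uid:gid:gecos:home:shell
# Returns 0 only when uid != 0 and the shell is a non-login shell,
# e.g. 'mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false'.
check_passwd_entry() {
    _uid=$(printf '%s' "$1" | cut -d: -f3)
    _shell=$(printf '%s' "$1" | cut -d: -f7)
    case "$_uid" in ''|*[!0-9]*) return 1 ;; esac   # uid must be numeric
    [ "$_uid" -ne 0 ] || return 1                    # never root
    case "$_shell" in
        /bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# check_process_owner EXPECTED_USER LISTING
# LISTING holds lines of "user command" (as from `ps -eo user:32,comm`),
# e.g. "root systemd" / "mysql mysqld". Returns 0 only when at least one
# mysqld process exists and all of them run as EXPECTED_USER.
check_process_owner() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $2 == "mysqld" { n++; if ($1 != want) bad++ }
        END { if (n > 0 && bad == 0) exit 0; exit 1 }'
}

# audit_live EXPECTED_USER: run both checks on this host.
audit_live() {
    _entry=$(getent passwd "$1") || { echo "no account named $1"; return 1; }
    check_passwd_entry "$_entry" \
        || { echo "$1 is root or has a login shell"; return 1; }
    check_process_owner "$1" "$(ps -eo user:32,comm | awk 'NR > 1 { print $1, $2 }')" \
        || { echo "mysqld is not running, or not running as $1"; return 1; }
    echo "mysqld service account $1 passes"
}
```

Run `audit_live mysql` on the database host; a non-zero exit means one of the two properties the control requires does not hold.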

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Unix.


Updated on July 16, 2022