HiveBrain v1.2.0

What are the minimal MySQL grants for the debian-sys-maint user?

Submitted by: @import:stackexchange-dba

Problem

What are the minimal privileges that debian-sys-maint@localhost needs for the mysql service to work correctly?

This answer on ServerFault suggests granting RELOAD only, but this is incorrect, as it prevents the mysql service from stopping or starting properly.

Solution

It depends on what you want to protect your MySQL server from.

To be able to automatically manage the MySQL db server, Debian has added the account debian-sys-maint@localhost. That account is used to start, stop and do some other maintenance on the database without any user needing to type in an administrator password. That might look frightening at first, but actually it is not, as long as you have the server protected from unauthorized use.

The debian-sys-maint@localhost user is only accessible from the local machine through localhost, so you can't connect to MySQL as that user unless you already are logged in on the server machine.
As the password for that MySQL account is only readable by the administrator account root, the attacker needs to be root to be able to read and use it to access this Debian account.

$ ls -l /etc/mysql/debian.cnf
-rw------- 1 root root 666 sep 14  2010 /etc/mysql/debian.cnf


So, when the privileges for debian-sys-maint@localhost are of any real concern, you have a much worse problem with an unauthorized user with root access on your server. The access to the MySQL db is your least concern then.

Also notice that if an unauthorized user has access to the computer as root, there is nothing you can do to stop them from restarting MySQL with all authorization code in MySQL deactivated. With that, they have access to everything, like adding a new Administration account and then restarting the MySQL server with authorization activated again. And you wouldn't notice a thing, at first...

So no, this isn't as large a security problem as it might look at first sight. So no, one doesn't need to change this from the access already given by Debian.
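The answer's argument rests on two file-level properties of /etc/mysql/debian.cnf: it is readable only by its owner (the -rw------- mode in the ls -l output) and that owner is root. The script below is an added example, not code from the original answer or from Debian's packaging; it turns those two properties into checks that return a status, and pulls the [client] user out of the file with a small ini parser. The sample debian.cnf it writes is constructed for the demo (the layout follows the Debian-generated file, but the password is a placeholder, not a real credential), and the path is a parameter so the same functions can be pointed at the real file on a Debian host.

```sh
#!/bin/sh
# Added example, not from the original answer: check the two properties the
# answer relies on for /etc/mysql/debian.cnf (readable only by its owner,
# owned by root) and read the [client] credentials out of it. The file path
# is a parameter so the checks can run against a constructed sample file.

# Print the value of KEY in [SECTION] of an ini-style my.cnf file.
# Assumes "key = value" with whitespace around "=", as debian.cnf is written.
cnf_get() {
    awk -v want="[$1]" -v key="$2" '
        /^\[/                          { insec = ($0 == want); next }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$3"
}

# Succeed only if group and other have no permission bits at all
# (the "-rw-------" the answer shows); columns 5-10 of ls -ld are those bits.
cnf_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print the owning user of the file (expected: root on a real system).
cnf_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Write a constructed debian.cnf (placeholder password, no real credentials)
# to a temp file, which mktemp creates mode 0600, and print its path.
make_sample_cnf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host     = localhost
user     = debian-sys-maint
password = EXAMPLEpasswordNOTreal
socket   = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host     = localhost
user     = debian-sys-maint
password = EXAMPLEpasswordNOTreal
socket   = /var/run/mysqld/mysqld.sock
basedir  = /usr
EOF
    echo "$f"
}

# Report on one file; exit status 0 means the credentials are protected the
# way the answer describes (mode 0600 and owned by root), 1 otherwise.
audit_debian_cnf() {
    f=$1
    user=$(cnf_get client user "$f")
    owner=$(cnf_owner "$f")
    echo "file:  $f"
    echo "user:  $user"
    echo "owner: $owner"
    status=0
    if cnf_perms_ok "$f"; then
        echo "perms: ok (group/other have no access)"
    else
        echo "perms: WEAK, password readable by non-root users"
        status=1
    fi
    [ "$owner" = root ] || { echo "owner is not root"; status=1; }
    return $status
}

# Demo against the constructed sample, not the real /etc/mysql/debian.cnf.
sample=$(make_sample_cnf)
audit_debian_cnf "$sample" || echo "(run as root to see a clean pass)"
chmod 644 "$sample"            # weaken it to show the failure branch
audit_debian_cnf "$sample" || echo "audit failed as expected after chmod 644"
rm -f "$sample"
```

On a Debian host, `audit_debian_cnf /etc/mysql/debian.cnf` should print the same owner and mode the answer's ls -l shows and exit 0; a non-zero exit means someone other than root can read the password that the init scripts use to stop and start the server, which is the one situation in which the grants on debian-sys-maint@localhost would actually matter.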


Context

StackExchange Database Administrators Q#128641, answer score: 4
