What are the minimal MySQL grants for the debian-sys-maint user?
Problem
What are the minimal privileges that debian-sys-maint@localhost needs for the mysql service to work correctly?

This answer on ServerFault suggests granting RELOAD only, but this is incorrect, as it prevents the mysql service from stopping or starting properly.

Solution
It depends on what you want to protect your MySQL server from.
To be able to automatically manage the MySQL db server, Debian has added the account debian-sys-maint@localhost. That account is used to start, stop and do some other maintenance on the database without any user needing to type in an administrator password. That might look frightening at first, but it actually is not, as long as you have the server protected from unauthorized use.

The debian-sys-maint@localhost user is only accessible from the local machine through localhost, so you can't connect to MySQL as that user unless you are already logged in on the server machine. As the password for that MySQL account is only readable by the administrator account root, the attacker needs to be root to be able to read and use it to access this Debian account.

$ ls -l /etc/mysql/debian.cnf
-rw------- 1 root root 666 sep 14 2010 /etc/mysql/debian.cnf

So, when the privileges for debian-sys-maint@localhost are of any real concern, you have much worse problems with an unauthorized user with root access on your server. The access to the MySQL db is your least concern then.

Also notice that if an unauthorized user has access to the computer as root, there is nothing you can do to stop them from restarting MySQL with all authorization code in MySQL deactivated. With that, they have access to everything, like adding a new administration account and then restarting the MySQL server with authorization activated again. And you wouldn't notice a thing, at first...

So no, this isn't as large a security problem as it might look at first sight. So no, one doesn't need to change this from the access already given by Debian.
Code Snippets
$ ls -l /etc/mysql/debian.cnf
-rw------- 1 root root 666 sep 14 2010 /etc/mysql/debian.cnf

Context
StackExchange Database Administrators Q#128641, answer score: 4
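
The answer's argument rests on /etc/mysql/debian.cnf being readable by root alone, which the ls -l output shows for one machine. The shell check below tests that premise on any host; it is an added example, not part of the original answer, and the function name check_cred_file, its optional UID parameter, the --audit flag and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example: verify that only root can read the debian-sys-maint password.
# Assumes GNU stat (Debian coreutils). Names and the --audit flag are hypothetical.

# check_cred_file PATH [EXPECTED_UID]
# Prints one finding per line; returns 0 when every check passes, 1 otherwise.
check_cred_file() {
    file=$1
    want_uid=${2:-0}   # default 0 (root); overridable so the check can be tested unprivileged
    rc=0

    # stat would describe the link itself, not the file that holds the password.
    if [ -L "$file" ]; then
        echo "FAIL: $file is a symlink; audit its target instead"
        return 1
    fi
    if [ ! -f "$file" ]; then
        echo "FAIL: $file is missing or not a regular file"
        return 1
    fi

    uid=$(stat -c '%u' "$file")    # numeric owner
    mode=$(stat -c '%a' "$file")   # octal permission bits, e.g. 600

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: owner uid is $uid, expected $want_uid"
        rc=1
    fi

    # Any group or other bit lets a non-root account reach the password.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: mode $mode grants access to group or others"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $file is owned by uid $want_uid with mode $mode"
    fi
    return "$rc"
}

# Audit the real Debian file only when asked to, so sourcing this file has no side effects.
if [ "${1:-}" = "--audit" ]; then
    check_cred_file /etc/mysql/debian.cnf
fi
```

Running the script with --audit from cron or a configuration-management run turns the one-off ls -l inspection into a repeatable check whose non-zero exit status can raise an alert.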