Operating System Security
The job of the operating system is to protect the MySQL installation and its files from illegal external access. In short, this means that only the MySQL processes and authenticated database administrators should ever be able to touch the MySQL installation. However, certain files such as client configuration files do need to be readable by other users to enable them to connect to the server and perform valid operations. You therefore need to pay special attention to how you enable access to MySQL files.
- Place data files in a separate directory.
Whatever directory structure you choose for the rest of your MySQL installation, you must keep the MySQL data files in their own directory. By default, a MySQL Unix installation places these files in /usr/local/mysql/data, /usr/var/mysql, or some other separate directory.
- The MySQL server should run as a special user and group.
Because any user with read access to the MySQL data files or write access to the configuration and executable files has the potential to cause trouble, you should run the MySQL server under a special, dedicated user ID. The default MySQL installation expects a mysql user and group. You can customize this user/group pair to suit your own needs. This user and group should have full access to the MySQL data and should never be used for any purpose other than running MySQL.
- The permissions on the data directory should be properly set.
If the previous two precautions have been addressed, you have a special directory for the MySQL data files and a special user and group under which the MySQL process runs. You therefore need to make sure that only this special user and group can access the data directory. You accomplish this task by setting the proper filesystem permissions on this directory. On a Unix system, the data directory and all its contents should be owned by your mysql user and group with 770 permissions for directories and 660 permissions for files.[5] Windows systems are not quite as simple. If your operating system (Windows 9x/ME) does not support NTFS, there is no way to protect the files. If you are using an NT-based Windows, you must have MySQL installed on an NTFS volume. You can then right-click on the MySQL data directory and set its permissions.
- Protect other files from unauthorized writes.
Your configuration files and executables should be readable, but not writable by anyone. The executables, of course, should also be executable.
[5] 770 permissions means owner read/write/execute, group read/write/execute, and no permissions for the world. You can set this value using the command chmod -R 770 datadir.