1 | page 2
11. Never ever run the MySQL daemon as the Linux root user. This is very dangerous, because any user with the FILE privilege is then able to create files as root (for example, ~root/.bashrc). To prevent this, mysqld refuses to run as root unless it is explicitly told to with the --user=root option. Run mysqld as an ordinary unprivileged user instead. If the server is compromised, damage is limited to the home directory of that unprivileged user.

You can also create a separate Linux account named mysql to make everything even more secure. Use the account only for administering MySQL. To start mysqld as another Unix user, add a user option that specifies the user name to the [mysqld] group of the /etc/my.cnf option file or the my.cnf option file in the server's data directory.

12. Do not allow the use of symbolic (soft) links to tables. (This can be disabled with the --skip-symbolic-links option.) This is especially important if you run mysqld as root, because anyone who has write access to the server's data directory could then delete any file in the Linux file system.

13. Do not grant the PROCESS or SUPER privilege to non-administrative users. The output of mysqladmin processlist shows the text of the currently executing queries, so any user who is allowed to execute that command might be able to see another user issuing an UPDATE user SET password=PASSWORD('not_secure') query.

14. Do not grant the FILE privilege to non-administrative users. Any user that has this privilege can write a file anywhere in the Linux file system with the privileges of the mysqld daemon. To make this a bit safer, files generated with SELECT ... INTO OUTFILE do not overwrite existing files, even if the file permission is set to be writable by everyone.

15. If you suspect domain name spoofing, or simply do not trust your domain name server (DNS), use IP addresses rather than hostnames in the grant tables and in any authentication process. In any case, avoid creating grant table entries with hostname values that contain wildcards whenever possible.
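As an added example that is not part of this guide, the following Python script checks items 11 to 15 offline: it parses the [mysqld] section of a my.cnf for user=root and symbolic links left enabled, and scans rows shaped like the mysql.user table for FILE/PROCESS/SUPER held by non-administrative accounts and for wildcard hosts. The my.cnf text, the user rows and the ADMIN_ACCOUNTS set are constructed assumptions.

```python
"""Offline audit of the MySQL hardening points above (constructed sample data)."""
import configparser

# Constructed sample my.cnf; a real check would read /etc/my.cnf instead.
SAMPLE_MY_CNF = """
[mysqld]
user=root
symbolic-links=1
datadir=/var/lib/mysql
"""

# Constructed rows shaped like:
# SELECT User, Host, File_priv, Process_priv, Super_priv FROM mysql.user
SAMPLE_USERS = [
    ("root", "localhost", "Y", "Y", "Y"),
    ("app", "10.0.0.%", "N", "N", "N"),
    ("report", "%.example.com", "Y", "N", "N"),
    ("batch", "192.168.1.20", "N", "Y", "N"),
]

# Accounts allowed to hold FILE/PROCESS/SUPER (assumption for this example).
ADMIN_ACCOUNTS = {"root"}


def audit_my_cnf(text):
    """Return findings for the [mysqld] section (items 11 and 12)."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(text)
    findings = []
    if not cp.has_section("mysqld"):
        return findings
    sec = cp["mysqld"]
    if sec.get("user", "").strip() == "root":
        findings.append("mysqld configured to run as root; set user=mysql")
    # Symlinks are off only if skip-symbolic-links is present or symbolic-links=0.
    if "skip-symbolic-links" not in sec and sec.get("symbolic-links", "1").strip() != "0":
        findings.append("symbolic links to tables not disabled; add skip-symbolic-links")
    return findings


def audit_users(rows, admins=ADMIN_ACCOUNTS):
    """Return findings for privilege and host entries (items 13, 14 and 15)."""
    findings = []
    for user, host, file_priv, process_priv, super_priv in rows:
        if user not in admins:
            for name, flag in (("FILE", file_priv), ("PROCESS", process_priv), ("SUPER", super_priv)):
                if flag == "Y":
                    findings.append(f"{user}@{host} holds {name}")
        # MySQL treats % and _ in the Host column as SQL wildcards.
        if "%" in host or "_" in host:
            findings.append(f"{user}@{host} uses a wildcard host; prefer an IP address")
    return findings
```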

The next section of this condensed guide covers the following topics.

  • Recover the MySQL database server password.

  • Use MySQL tools to transfer or back up complete databases or specific tables.

  • Access your database remotely via port 3306.

  • Access your database remotely with phpMyAdmin.