MySQL5/SafeUserCreate

Description

With the default configuration, any user connected to a MySQL server can create new users and grant those users any kind of privilege. In most common scenarios, only a restricted subset of users should have the capability to do this.

When the safe-user-create option is active, a regular user can't create new users unless they have explicitly received the INSERT privilege.

The usage of this option makes your MySQL server more secure by improving the accountability of actions performed.

Rationale

For most applications, it is uncommon for a database client to create new users while making queries. Create a specific user with the privileges the application requires and supply this user in the application configuration.

If an application has a legitimate use case for creating new users, a better approach is to use a specific user with that capability, so that queries performed on the server remain traceable.

To grant this capability to a user, execute the following statement:

GRANT INSERT(user) ON mysql.user TO 'username'@'hostname';

Edit the [mysqld] group in the configuration file to turn ON the safe-user-create option.

Open the /etc/mysql/mysql.conf.d/mysqld.cnf file and include the following content:

/etc/mysql/mysql.conf.d/mysqld.cnf
[mysqld]
# Restrict user creation capability
# see mysql-operous-2021-0001
safe-user-create  = 1
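
A configuration check for the setting above, as an added example that is not part of the original page: it parses option-file text and reports whether safe-user-create ends up enabled in the [mysqld] group. The function name and the sample file are constructed for illustration; `!include` directives and groups other than [mysqld] are not followed.

```python
import re

# Values treated as "on" for a boolean option (compared case-insensitively).
TRUE_VALUES = {"1", "on", "true"}

# Constructed sample option file, not taken from a real server.
SAMPLE_CNF = """\
[client]
port = 3306

[mysqld]
user = mysql
# Restrict user creation capability
safe-user-create  = 1
"""


def safe_user_create_enabled(cnf_text):
    """Return True if the [mysqld] group leaves safe-user-create enabled."""
    group = None
    enabled = False  # the option is off unless the file turns it on
    for raw in cnf_text.splitlines():
        line = raw.strip()
        # Skip blanks, comment lines and !include / !includedir directives.
        if not line or line[0] in "#;" or line.startswith("!"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            group = header.group(1).strip().lower()
            continue
        if group != "mysqld":
            continue
        name, sep, value = line.partition("=")
        # Dashes and underscores are interchangeable in option names.
        name = name.strip().lower().replace("_", "-")
        # A '#' may start a comment in the middle of a line.
        value = value.split("#", 1)[0].strip().strip("'\"").lower()
        if name in ("safe-user-create", "enable-safe-user-create"):
            # A bare option name means "on"; the last occurrence wins.
            enabled = (not sep) or value in TRUE_VALUES
        elif name in ("skip-safe-user-create", "disable-safe-user-create"):
            enabled = False
    return enabled


if __name__ == "__main__":
    print("safe-user-create enabled:", safe_user_create_enabled(SAMPLE_CNF))
```

To audit a real server, pass the contents of /etc/mysql/mysql.conf.d/mysqld.cnf to the function instead of the sample text.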