MySQL5/DataPathPermission

Description

The data directory is the location of the MySQL databases. This rule checks that it exists, is owned by the MySQL user, and belongs to the MySQL group.

Rationale

The MySQL data directory (a.k.a. "datadir") is the directory where the database files are stored. Each subdirectory of the data directory is a database directory and corresponds to one database managed by the server.

Limiting the accessibility of these objects protects the confidentiality, integrity, and availability of the MySQL database. If someone other than the MySQL user is allowed to read files from the data directory, they might be able to read data from the mysql.user table, which contains the password hashes of every database account. [1]

Additionally, the ability to create files in the data directory can lead to denial of service (for example by filling the volume), or might allow someone to gain access to specific data by manually creating a file containing a view definition.

We recommend that the datadir be accessible only to the mysql user. To apply this fix, follow these steps:

Execute the following SQL statement to determine the value of datadir:

SHOW VARIABLES WHERE Variable_name = 'datadir';

With the datadir path, execute the following commands at a terminal prompt:

chmod 700 <datadir>
chown mysql:mysql <datadir>
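The steps above, as an added example that is not part of the original rule text or of the tool it belongs to: a POSIX shell script that resolves the datadir from the running server, audits it against the rule, and applies the fix. It assumes a Linux host with GNU coreutils (`stat -c`), a server that runs as `mysql:mysql`, and a `mysql` client login permitted to run SHOW VARIABLES; the function names and the extra check of the directory's contents are my own additions.

```shell
# Added example (not from the original rule): audit and fix MySQL datadir
# permissions. Assumes Linux + GNU coreutils, server account mysql:mysql,
# and a mysql client login that can run SHOW VARIABLES.

# Ask the running server where datadir is (-N/-B: no header, no table borders).
mysql_datadir() {
    mysql -N -B -e "SHOW VARIABLES WHERE Variable_name = 'datadir';" | awk '{ print $2 }'
}

# Print mode, owner and group of DIR as three words, e.g. "700 mysql mysql".
dir_mode_owner_group() {
    stat -c '%a %U %G' "$1"
}

# Return 0 when DIR is mode 700 and owned by OWNER:GROUP (default mysql:mysql),
# otherwise 1. A missing path or a non-directory also fails.
datadir_perms_ok() {
    dir=$1; owner=${2:-mysql}; group=${3:-mysql}
    [ -d "$dir" ] || return 1
    perms=$(dir_mode_owner_group "$dir") || return 1
    set -- $perms
    [ "$1" = "700" ] && [ "$2" = "$owner" ] && [ "$3" = "$group" ]
}

# Beyond the rule's own check (my addition): list entries inside DIR that are
# not owned by OWNER, because chmod 700 on the top directory alone does not
# change ownership of the database directories and files beneath it.
datadir_foreign_files() {
    find "$1" ! -user "${2:-mysql}" -print
}

# Print every deviation from the expected state; return 1 if any was found.
datadir_report() {
    dir=$1; owner=${2:-mysql}; group=${3:-mysql}; rc=0
    if [ ! -d "$dir" ]; then
        echo "datadir '$dir' does not exist or is not a directory"
        return 1
    fi
    set -- $(dir_mode_owner_group "$dir")
    [ "$1" = "700" ]    || { echo "mode is $1, expected 700";        rc=1; }
    [ "$2" = "$owner" ] || { echo "owner is $2, expected $owner";    rc=1; }
    [ "$3" = "$group" ] || { echo "group is $3, expected $group";    rc=1; }
    n=$(datadir_foreign_files "$dir" "$owner" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]      || { echo "$n entries inside not owned by $owner"; rc=1; }
    return $rc
}

# The fix from the rule text: restrict the directory to its owner.
# Run as root; the server must actually run as OWNER or it loses access.
datadir_fix() {
    dir=$1; owner=${2:-mysql}; group=${3:-mysql}
    chmod 700 "$dir" && chown "$owner:$group" "$dir"
}

# Usage: sh check_datadir.sh "$(mysql_datadir)" [owner] [group]
# With no arguments nothing runs, so the functions can be sourced.
if [ $# -gt 0 ]; then
    datadir_report "$1" "${2:-mysql}" "${3:-mysql}"
fi
```

Before running `datadir_fix`, confirm which account mysqld actually runs as (on Linux, `ps -o user= -C mysqld`); some packages and container images use a different service user, and chowning the datadir to `mysql` on such a host locks the server out of its own data. The `datadir_foreign_files` check goes one step past the rule, which only inspects the top-level directory: files left behind by a restore or a copy run as root are a common reason the server cannot open a database even though the datadir itself passes.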