
Boost MySQL Security: Set Proper datadir Permissions, Secure Socket Placement, and Use login‑path

This guide explains three practical steps to harden MySQL installations: configuring strict datadir permission modes, relocating the MySQL socket file into the datadir with safe permissions, and leveraging the login‑path feature via mysql_config_editor to store credentials securely while simplifying client access.


1. Set correct datadir permission mode

The datadir should be accessible only to the MySQL process owner (and, with 0750, its group), with the owner having write rights. Mode 0750 or the more restrictive 0700 prevents other local users from reading or modifying database files. Note that the chmod is applied to the top-level directory only, not recursively: closing that directory already denies every path beneath it, and a recursive chmod would clobber the modes mysqld set on its own files. Verify the result with ls afterwards:

# chown -R mysql.mysql /data/mysql57
# chmod 0700 /data/mysql57
ls -la /data/

2. Put MySQL socket file inside the datadir

Many installations place mysql.sock in /tmp. mysqld creates the socket file with mode 0777, and /tmp is world-accessible, so any local user can reach the socket and attempt a login; with a passwordless root account that is a full compromise. Putting the socket inside each instance's datadir (socket= under [mysqld], plus a matching [client] entry so local tools still find it) places it behind the directory's 0700 mode, which is what keeps other users away from it. The chmod below tightens the file itself as well:

# chmod 0700 /data/mysql57/mysql.sock
ls -la /data/mysql57/mysql.sock

After moving the socket, the file shows permissions like srwx------, meaning only the MySQL user can open it. Two caveats: mysqld unlinks and recreates the socket with mode 0777 every time it starts, so the manual chmod does not survive a restart and the 0700 datadir is the durable control; and this only affects local Unix-socket connections, so TCP connections on the server port still need bind-address or firewall rules.

3. Use login‑path to store credentials securely

The login-path feature (added in MySQL 5.6) lets you keep usernames, passwords, and socket paths in an encrypted .mylogin.cnf instead of passing a plaintext password on the command line or in scripts. With -p and no value, mysql_config_editor prompts for the password, so it never appears in argv or shell history:

# mysql_config_editor set -G lp-mysql57-3306 \
    -S /data/mysql57/mysql.sock -uroot -p
ls -la ~/.mylogin.cnf
mysql_config_editor print --all

The generated .mylogin.cnf is a binary file: mysql_config_editor creates it with mode 0600, and mysql_config_editor print never displays the password. The real protection is the file permission rather than the cipher, however: the key is stored in the file itself, so anyone who can read the file can recover the password (my_print_defaults --show prints login-path passwords in clear). Client programs also ignore the file unless it is readable and writable by its owner only, which is worth checking when a login-path mysteriously stops working.

Once configured, you can connect without typing a password (mysqladmin accepts unambiguous command prefixes, so pr below is short for processlist):

# mysql --login-path=lp-mysql57-3306 -e "select 1+1 from dual"
# mysqladmin --login-path=lp-mysql57-3306 pr

The socket permissions add a second layer on top of MySQL's own authentication: another OS user who has the same login-path configured in their own ~/.mylogin.cnf is refused by the kernel before any credentials are sent, with errno 13 (Permission denied). The attempt must come from an unprivileged account; root bypasses these file permission checks.

# /usr/local/mysql57/bin/mysql --login-path=lp-mysql57-3306
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/data/mysql57/mysql.sock' (13)
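The three steps above are easy to get subtly wrong (a datadir left 0755 by a packaging script, a socket still in /tmp, a .mylogin.cnf whose mode makes clients ignore it). The preflight script below checks all three on a Linux host. It is an added example written for this page, not code from the original article or from MySQL; it assumes GNU coreutils (stat -c, find -perm /) and, for the last check only, a mysql client on PATH. The paths /data/mysql57, the service account mysql and the login-path name lp-mysql57-3306 are the article's; the function names and messages are this script's own.

```shell
#!/bin/sh
# Added example (not from the original article): preflight for the three
# hardening steps. Assumes Linux with GNU coreutils; the paths and account
# names below are the article's, the functions are this script's own.
set -u

# 1. datadir: owned by OWNER (name or uid), mode 0700 or 0750, and nothing
#    inside reachable by "other". Returns 0 when clean, 1 otherwise.
audit_datadir() {
    dir=$1 owner=$2 rc=0
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    want=$(id -u "$owner" 2>/dev/null || echo "$owner")
    have=$(stat -c '%u' "$dir")
    [ "$have" = "$want" ] || { echo "FAIL: $dir owner uid $have, want $want"; rc=1; }
    mode=$(stat -c '%a' "$dir")
    case $mode in
        700|750) ;;
        *) echo "FAIL: $dir mode $mode, want 700 or 750"; rc=1 ;;
    esac
    # Group-writable files (0660) are normal for mysqld, so only flag "other".
    bad=$(find "$dir" -perm /o+rwx | head -n 20)
    [ -z "$bad" ] || { echo "FAIL: world-accessible entries:"; echo "$bad"; rc=1; }
    return $rc
}

# 2. socket: my.cnf fragment that moves it into the datadir. The [client]
#    entry keeps local tools working once the socket is no longer in /tmp.
socket_config() {
    cat <<EOF
[mysqld]
datadir=$1
socket=$1/mysql.sock

[client]
socket=$1/mysql.sock
EOF
}

# mysqld recreates the socket with mode 0777 on every start, so a manual
# chmod is undone by the next restart; the 0700 datadir around it is the
# durable control. This only reports what is there.
# Returns 0 if the socket exists, 2 if it does not.
audit_socket() {
    [ -S "$1" ] || { echo "INFO: $1 absent (server down, or socket still in /tmp?)"; return 2; }
    stat -c 'socket %A %U %n' "$1"
}

# 3. login-path: clients silently ignore ~/.mylogin.cnf unless it is owned by
#    the caller and readable/writable by the owner only, so a wrong mode looks
#    like a wrong password. Returns 0 if usable, 1 otherwise.
audit_mylogin_cnf() {
    f=${1:-${HOME:-}/.mylogin.cnf}
    [ -f "$f" ] || { echo "FAIL: $f missing (run mysql_config_editor set)"; return 1; }
    [ "$(stat -c '%u' "$f")" = "$(id -u)" ] || { echo "FAIL: $f not owned by uid $(id -u)"; return 1; }
    [ "$(stat -c '%a' "$f")" = 600 ] || { echo "FAIL: $f mode $(stat -c '%a' "$f"), want 600"; return 1; }
    echo "OK: $f"
}

# Round trip through the login-path, only when a client is installed.
# Returns 2 when skipped, otherwise the client's exit status.
login_path_works() {
    command -v mysql >/dev/null || { echo "SKIP: no mysql client on PATH"; return 2; }
    mysql --login-path="$1" -e 'SELECT 1' >/dev/null
}

# Run the checks against the article's instance: sh preflight.sh run
if [ "${1:-}" = "run" ]; then
    audit_datadir /data/mysql57 mysql
    audit_socket /data/mysql57/mysql.sock
    audit_mylogin_cnf
    login_path_works lp-mysql57-3306
fi
```

Save it as preflight.sh (hypothetical name) and run `sh preflight.sh run` as the account that owns the login-path; the datadir check needs only read access to stat the directory, which an unprivileged caller may not have, so run that part as mysql or root. The script deliberately reports rather than fixes: the one-off chown/chmod commands from the article are the fix, and the socket_config output is what goes into the instance's my.cnf.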

Combining strict datadir permissions, socket relocation, and encrypted login‑path credentials significantly reduces the attack surface of a MySQL server.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: mysql, Security, Socket, Database Administration, login-path
Written by

ITPUB

Official ITPUB account sharing technical insights, community news, and exciting events.
