I’ve been working on revising my password policy scripts, and in the process, thought about the privileges required. My first draft added tables to the
mysql system database and leveraged the
root@localhost account. I’m looking to lock that down for the next iteration. It’s easy to move the tables and procedures out of the
mysql system database into a new
password_policy database, but what to do about the use of the root account?
Ideally we would use an account that has the minimum privileges necessary to successfully execute the stored procedures. But these aren’t trivial permissions:
- SELECT from mysql.user table
- CREATE USER to support use of