The requirement here is to avoid running MariaDB as the mysql user and group, which is the default. The steps below show how to configure MariaDB to run as a custom user and group instead.
Note:
Many steps are required to permanently change the user and/or group under which MariaDB runs, in a way that survives updates of the mariadb-server package. Handle with care and make a backup first.
1. Stop MariaDB if it is running.
# systemctl stop mariadb
2. Add the user and/or group under which you want to run MariaDB.
# groupadd -r customGroup
# useradd -r -g customGroup customUser
3. Inspect the mariadb-server package to see what /var/… directories it provides.
# rpm -qlv mariadb-server | grep ^d.*/var
drwxr-xr-x 2 mysql mysql 0 Aug 4 2017 /var/lib/mysql
drwxr-x--- 2 mysql mysql 0 Aug 4 2017 /var/log/mariadb
drwxr-xr-x 2 mysql mysql 0 Aug 4 2017 /var/run/mariadb
4. Create a systemd-tmpfiles config file in /etc/tmpfiles.d/*.conf to manage auto-creation of the custom /var/run directory.
# echo "d /var/run/my-mariadb 0755 customUser customGroup -" >/etc/tmpfiles.d/my-mariadb.conf
# systemd-tmpfiles --create
5. Decide on new locations for the other directories and create them with proper permissions.
# mkdir /var/{lib,log}/my-mariadb
# chmod 750 /var/log/my-mariadb
6. Migrate any content from the old /var/lib/mysql and /var/log/mariadb directories.
# mv /var/lib/mysql/* /var/lib/my-mariadb
# mv /var/log/mariadb/* /var/log/my-mariadb
7. Set proper user/group ownership recursively on the new /var/lib/… and /var/log/… directories.
# chown -R customUser:customGroup /var/{lib,log}/my-mariadb
8. Set proper SELinux contexts on the new directories (using equivalency rules where possible). This step is optional if you have SELinux disabled.
# semanage fcontext -a -e /var/lib/mysql /var/lib/my-mariadb
# semanage fcontext -a -e /var/log/mariadb /var/log/my-mariadb
# semanage fcontext -a -t mysqld_var_run_t '/var/run/my-mariadb(/.*)?'
9. Do the one-time restorecon on the new directories.
# restorecon -RF /var/{lib,log,run}/my-mariadb
10. Modify the /etc/my.cnf file to point to the new directories. The following shows a default my.cnf as shipped in the mariadb-server rpm.
# cat /etc/my.cnf | grep var
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid
After modifying the /etc/my.cnf file, it should look like the following.
# cat /etc/my.cnf | grep var
datadir=/var/lib/my-mariadb
socket=/var/lib/my-mariadb/mysql.sock
log-error=/var/log/my-mariadb/mariadb.log
pid-file=/var/run/my-mariadb/mariadb.pid
11. Create a symlink from the original socket-file location to the new one. Without this, local non-network access (e.g., with the mysql command) would require specifying the new custom socket path (e.g., mysql -S /var/lib/my-mariadb/mysql.sock).
# ln -sv /var/lib/my-mariadb/mysql.sock /var/lib/mysql/mysql.sock
‘/var/lib/mysql/mysql.sock’ -> ‘/var/lib/my-mariadb/mysql.sock’
12. Modify the systemd service file to execute as the custom user/group.
# mkdir -p /etc/systemd/system/mariadb.service.d
# echo -e "[Service]\nUser=customUser\nGroup=customGroup" > $_/usergroup.conf
13. Reload systemd and start up MariaDB.
# systemctl daemon-reload
# systemctl start mariadb
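The following script is an added example, not part of the original procedure. It checks that /etc/my.cnf no longer points at the packaged directories and that nothing under the new directories is owned by an account other than customUser:customGroup, then shows the account the daemon is actually running as. The script name audit.sh and the function names are hypothetical; the paths and account names are the ones used in the steps above.

```shell
#!/bin/sh
# Added example: audit of the relocation above. The names my-mariadb, customUser
# and customGroup are the ones used on this page.

# Print the value of KEY from a my.cnf-style file (any section, last one wins).
cnf_value() {  # usage: cnf_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Succeed only if all four path settings have left the packaged directories.
check_mycnf() {  # usage: check_mycnf FILE
    rc=0
    for key in datadir socket log-error pid-file; do
        val=$(cnf_value "$1" "$key")
        case "$val" in
            "") echo "MISSING $key"; rc=1 ;;
            /var/lib/mysql|/var/lib/mysql/*|/var/log/mariadb/*|/var/run/mariadb/*)
                echo "STALE   $key=$val"; rc=1 ;;
            *)  echo "OK      $key=$val" ;;
        esac
    done
    return $rc
}

# Print everything under DIR not owned by USER:GROUP; succeed if there is none.
check_owner() {  # usage: check_owner DIR USER GROUP
    stray=$(find "$1" \( ! -user "$2" -o ! -group "$3" \) -print) || return 2
    [ -z "$stray" ] || { echo "$stray"; return 1; }
}

if [ "${1:-}" = "live" ]; then   # run as root on the real host: sh audit.sh live
    status=0
    check_mycnf /etc/my.cnf || status=1
    for d in /var/lib/my-mariadb /var/log/my-mariadb /var/run/my-mariadb; do
        check_owner "$d" customUser customGroup || status=1
    done
    # Account systemd is configured to use, then the account the daemon really has.
    systemctl show -p User -p Group mariadb
    ps -o user=,group=,comm= -p "$(systemctl show -p MainPID mariadb | cut -d= -f2)"
    exit "$status"
else                             # offline demo on a constructed my.cnf fragment
    demo=$(mktemp)
    printf '%s\n' '[mysqld]' 'datadir=/var/lib/my-mariadb' \
        'socket=/var/lib/my-mariadb/mysql.sock' '[mysqld_safe]' \
        'log-error=/var/log/my-mariadb/mariadb.log' \
        'pid-file=/var/run/mariadb/mariadb.pid' > "$demo"
    check_mycnf "$demo" || echo "fix STALE/MISSING entries before starting MariaDB"
    rm -f "$demo"
fi
```

Run without arguments, it only exercises the constructed sample, in which pid-file was left at the packaged path and is reported as STALE.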