Consider excluding the following grants from users on any production MySQL server.
-- GRANT OPTION
"The GRANT OPTION privilege enables you to give to other users or remove from other users those privileges that you yourself possess." (http://dev.mysql.com/doc/refman/5.1/en/privileges-provided.html#pri...
-- RELOAD
"The RELOAD privilege enables use of the FLUSH statement. It also enables mysqladmin commands that are equivalent to FLUSH operations: flush-hosts, flush-logs, flush-privileges, flush-status, flush-tables, flush-threads, refresh, and reload." (http://dev.mysql.com/doc/refman/5.1/en/privileges-provided.html#pri...
-- SUPER
"The SUPER privilege enables an account to use CHANGE MASTER TO, KILL or mysqladmin kill to kill threads belonging to other accounts (you can always kill your own threads), PURGE BINARY LOGS, configuration changes via SET GLOBAL to modify global system variables, the mysqladmin debug command, enabling or disabling logging, performing updates even if the read_only system variable is enabled, starting and stopping replication on slave servers, and allows you to connect (once) even if the connection limit controlled by the max_connections system variable is reached." (http://dev.mysql.com/doc/refman/5.1/en/privileges-provided.html#pri...
Need I say more?!
-- FILE
"The FILE privilege gives you permission to read and write files on the server host using the LOAD DATA INFILE and SELECT ... INTO OUTFILE statements and the LOAD_FILE() function. A user who has the FILE privilege can read any file on the server host that is either world-readable or readable by the MySQL server. (This implies the user can read any file in any database directory, because the server can access any of those files.) The FILE privilege also enables the user to create new files in any directory where the MySQL server has write access. As a security measure, the server will not overwrite existing files." (http://dev.mysql.com/doc/refman/5.1/en/privileges-provided.html#pri...
-- ALTER (This is more of a performance saver than security)
"The ALTER privilege may be used to subvert the privilege system by renaming tables." (http://dev.mysql.com/doc/refman/5.1/en/privileges-provided.html#pri...
ALTER is used to change the schema and can cause a very large problem if whoever holds it does not know what they are doing. Only root and administrative accounts should have this privilege in production. I guess it makes me feel more secure that the admin account is the only one with ALTER!
For more details, please check out the manual online (the privileges-provided page linked above).
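A quick way to see who currently holds the privileges discussed above, and to take them away, is to query the grant tables directly and then use REVOKE. The statements below are an added example written for this post, not taken from the MySQL manual; the account name 'app'@'10.0.1.%' and the schema name appdb are made-up placeholders. The column names (Super_priv, File_priv, Grant_priv, Reload_priv, Alter_priv) are the real mysql.user columns in MySQL 5.1.

```sql
-- Audit: list every account holding any of the dangerous global privileges.
-- Values in mysql.user are 'Y' / 'N'; anything other than 'N' here deserves a second look.
SELECT User, Host,
       Super_priv, File_priv, Grant_priv, Reload_priv, Alter_priv
  FROM mysql.user
 WHERE Super_priv = 'Y'
    OR File_priv  = 'Y'
    OR Grant_priv = 'Y'
    OR Reload_priv = 'Y'
    OR Alter_priv = 'Y'
 ORDER BY User, Host;

-- SUPER, FILE and RELOAD are global-only privileges, so they are revoked ON *.*.
-- ('app'@'10.0.1.%' is a hypothetical application account.)
REVOKE SUPER, FILE, RELOAD ON *.* FROM 'app'@'10.0.1.%';

-- GRANT OPTION is revoked separately; it is not part of "ALL PRIVILEGES".
REVOKE GRANT OPTION ON *.* FROM 'app'@'10.0.1.%';

-- ALTER can be held at the global or database level; revoke it wherever it was granted.
-- (appdb is a hypothetical schema name.)
REVOKE ALTER ON appdb.* FROM 'app'@'10.0.1.%';

-- Verify what is left. GRANT/REVOKE take effect immediately; FLUSH PRIVILEGES is only
-- needed when the grant tables are edited directly with INSERT/UPDATE/DELETE.
SHOW GRANTS FOR 'app'@'10.0.1.%';
```

Run the SELECT on every production server after each deployment that touches accounts: an application account that silently picked up SUPER because someone granted ALL PRIVILEGES ON *.* in a hurry is exactly what this post is warning about.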
1. Make sure you have a read-only user and a write user
-- Read-only grants = SELECT, CREATE TEMPORARY TABLES
-- Write user grants = SELECT, INSERT, UPDATE, DELETE, CREATE TEMPORARY TABLES
2. Make sure you have at least one local root account with ALL privileges and GRANT OPTION
3. Optional, but I like to have it
-- You may want elevated privileges from a particular subnet. This is fine, just don't let the host be '%'.
4. Replication user, backup user, and possibly a user to run scripts
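Putting the four points above together, here is a complete set of account definitions as an added example for this post (not from the MySQL manual). Everything in it is a placeholder: appdb is a made-up schema, the subnets 10.0.1.%, 10.0.2.% and 192.168.10.% are constructed, and every password is CHANGE_ME. The privilege lists for the replication and backup users are the minimum those tools need in 5.1 as far as I know; check them against your own backup command line.

```sql
-- 1. Read-only and write users, scoped to the application schema only (never *.*).
CREATE USER 'app_ro'@'10.0.1.%' IDENTIFIED BY 'CHANGE_ME';
GRANT SELECT, CREATE TEMPORARY TABLES
   ON appdb.* TO 'app_ro'@'10.0.1.%';

CREATE USER 'app_rw'@'10.0.1.%' IDENTIFIED BY 'CHANGE_ME';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE TEMPORARY TABLES
   ON appdb.* TO 'app_rw'@'10.0.1.%';

-- 2. One local root with everything, including GRANT OPTION.
--    Bound to localhost so it can never be used over the network.
GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION;

-- 3. Optional: a DBA account with elevated privileges from a specific admin subnet.
--    The host part is a subnet, not '%'.
CREATE USER 'dba'@'192.168.10.%' IDENTIFIED BY 'CHANGE_ME';
GRANT ALL PRIVILEGES ON *.* TO 'dba'@'192.168.10.%' WITH GRANT OPTION;

-- 4a. Replication user: REPLICATION SLAVE is all a slave's I/O thread needs to
--     read the master's binary log. Limit the host to the slave subnet.
CREATE USER 'repl'@'10.0.2.%' IDENTIFIED BY 'CHANGE_ME';
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'10.0.2.%';

-- 4b. Backup user for mysqldump: SELECT to read rows, LOCK TABLES for consistent
--     dumps, SHOW VIEW to dump view definitions. Add RELOAD only if you run
--     mysqldump with --flush-logs or --master-data, which issue FLUSH statements.
CREATE USER 'backup'@'localhost' IDENTIFIED BY 'CHANGE_ME';
GRANT SELECT, LOCK TABLES, SHOW VIEW ON *.* TO 'backup'@'localhost';

-- 4c. Script user: give it only what the job actually does, on one schema.
--     (Here a nightly cleanup that deletes and re-reads rows in appdb.)
CREATE USER 'batch'@'localhost' IDENTIFIED BY 'CHANGE_ME';
GRANT SELECT, DELETE ON appdb.* TO 'batch'@'localhost';

-- Confirm that none of the non-admin accounts picked up SUPER, FILE, RELOAD,
-- GRANT OPTION or ALTER along the way.
SHOW GRANTS FOR 'app_ro'@'10.0.1.%';
SHOW GRANTS FOR 'app_rw'@'10.0.1.%';
SHOW GRANTS FOR 'repl'@'10.0.2.%';
SHOW GRANTS FOR 'backup'@'localhost';
SHOW GRANTS FOR 'batch'@'localhost';
```

Note the pattern: only the two administrative accounts (root and dba) ever get ON *.* with GRANT OPTION, and each of the service accounts is pinned to the narrowest host and schema that still lets it do its job.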