The MySQL File Structure Revisited

As previously noted, MySQL stores its databases and tables in a simple structure — each database is a directory, and each table is an .frm file with other associated files depending on the storage engine used for the table.

One consequence of this is that if attackers can create files in a database directory, they can create arbitrary tables and data. Another, more serious point is that you should ensure that operating system users other than the MySQL user cannot see the mysql directory. If a user can list the contents of the user.MYD file, he will have all users' password hashes. In versions prior to 4.1, knowledge of the password hash is all that's needed for authenticating.