File import/export features in MySQL and MariaDB enable bulk data loads, server-side exports, and repeatable reporting jobs. When a statement fails with ERROR 1290 (HY000) mentioning --secure-file-priv, server-side file access has been restricted to a specific location. Correcting the setting keeps file-based workflows functional while maintaining a predictable security boundary.

The secure_file_priv system variable reflects the --secure-file-priv server option that is applied at mysqld startup. It governs server-side file reads and writes used by LOAD DATA INFILE (non-LOCAL), SELECT … INTO OUTFILE, and LOAD_FILE() by limiting them to a single directory or disabling them entirely. The error typically appears when an INFILE or OUTFILE path points outside the allowed directory.

Changing secure_file_priv requires editing the server configuration and restarting the database service because the value is read-only at runtime. An unrestricted setting increases risk if an attacker can run SQL with the FILE privilege, so a dedicated directory with tight permissions is usually the safest fix. Mandatory access control (AppArmor or SELinux) can still block access to a newly chosen directory even when secure_file_priv permits it, so using the existing directory reported by the server avoids extra policy changes.

Steps to disable or configure secure-file-priv in MySQL and MariaDB:

  1. Open a terminal on the database host.
  2. Start a SQL session to the server with an administrative account.
    $ mysql -u root -p
    Enter password:
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Server version: 8.0.36 MySQL Community Server - GPL
    mysql>
  3. Check the current secure_file_priv value.
    mysql> SHOW VARIABLES LIKE 'secure_file_priv';
    +------------------+-----------------------+
    | Variable_name    | Value                 |
    +------------------+-----------------------+
    | secure_file_priv | /var/lib/mysql-files/ |
    +------------------+-----------------------+
    1 row in set (0.00 sec)

    A directory value restricts server-side INFILE or OUTFILE paths to that directory. A blank Value column means the restriction is disabled. A value of NULL disables server-side file operations entirely.

  4. Exit the SQL shell.
    mysql> exit
    Bye
  5. Create a dedicated directory for server-side file operations when changing the allowed location.
    $ sudo install -d -o mysql -g mysql -m 0750 /var/lib/mysql-files

    Prefer the directory already returned by secure_file_priv to avoid AppArmor or SELinux denials on hardened hosts.

  6. Open the mysqld configuration file in a text editor.
    $ sudoedit /etc/mysql/mysql.conf.d/mysqld.cnf

    Common alternatives include /etc/mysql/my.cnf, /etc/my.cnf, or (MariaDB on Debian-based systems) /etc/mysql/mariadb.conf.d/50-server.cnf.

  7. Set the secure-file-priv option under the `[mysqld]` section.
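    [mysqld]
    # Restrict server-side file operations to one directory.
    secure-file-priv=/var/lib/mysql-files/
    # Alternative: remove the directory restriction.
    # secure-file-priv=""
    # Alternative: disable server-side file operations.
    # secure-file-priv=NULL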

    Only one secure-file-priv line should be active. An empty value removes the directory restriction. NULL disables server-side file operations. A non-existent directory can prevent mysqld from starting.

  8. Restart the database service.
    $ sudo systemctl restart mysql

    On MariaDB the unit name is often mariadb: sudo systemctl restart mariadb.

  9. Confirm the service is running after restart.
    $ sudo systemctl status mysql --no-pager
    ● mysql.service - MySQL Community Server
         Loaded: loaded (/lib/systemd/system/mysql.service; enabled; vendor preset: enabled)
         Active: active (running) since Fri 2025-12-12 09:14:02 UTC; 6s ago
    ##### snipped #####
  10. Verify the active secure_file_priv value after the restart.
    $ mysql -u root -p -e "SHOW VARIABLES LIKE 'secure_file_priv';"
    Enter password:
    +------------------+-----------------------+
    | Variable_name    | Value                 |
    +------------------+-----------------------+
    | secure_file_priv | /var/lib/mysql-files/ |
    +------------------+-----------------------+
  11. Write a test file into the allowed directory to validate INTO OUTFILE.
    $ mysql -u root -p -e "SELECT 'secure_file_priv ok' INTO OUTFILE '/var/lib/mysql-files/secure_file_priv_test.txt';"
    Enter password:
    Query OK, 1 row affected (0.00 sec)

    The target file must not already exist. The path must be within secure_file_priv. The SQL account must have the FILE privilege. Use the directory returned by SHOW VARIABLES LIKE 'secure_file_priv'.

  12. Confirm the test file exists on disk.
    $ sudo ls -l /var/lib/mysql-files/secure_file_priv_test.txt
    -rw-r----- 1 mysql mysql 19 Dec 12 09:14 /var/lib/mysql-files/secure_file_priv_test.txt
  13. Remove the test file when validation is complete.
    $ sudo rm -f /var/lib/mysql-files/secure_file_priv_test.txt
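
A check to run on the edited option file before the restart in step 8, as an added example that is not part of the original article. The function name audit_secure_file_priv and its OK/WARN/FAIL output are hypothetical, and it reads a single option file without following !include or !includedir directives.

```shell
#!/bin/sh
# Added example (not from the original article): audit the secure-file-priv
# setting in ONE option file. Prints "<OK|WARN|FAIL> <detail>".
# Assumption: !include / !includedir files are not followed.
audit_secure_file_priv() (   # subshell body: variables stay local, exit leaves only the function
  cnf=$1
  [ -r "$cnf" ] || { echo "FAIL cannot read $cnf"; exit 0; }
  # Active (uncommented) lines only; option files accept '-' and '_' interchangeably.
  lines=$(grep -E '^[[:space:]]*secure[-_]file[-_]priv[[:space:]]*=' "$cnf" || true)
  count=$(printf '%s' "$lines" | grep -c . || true)
  if [ "$count" -eq 0 ]; then
    echo "WARN not set in $cnf; the server default applies"; exit 0
  elif [ "$count" -gt 1 ]; then
    echo "WARN $count active secure-file-priv lines; keep only one"; exit 0
  fi
  # Value = text after '=', without surrounding whitespace or quotes.
  value=$(printf '%s\n' "$lines" |
    sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' | tr -d "\"'")
  case $value in
    '')   echo "WARN unrestricted: FILE-privileged SQL can use any path mysqld can reach" ;;
    NULL) echo "OK server-side file import/export disabled" ;;
    *)
      if [ ! -d "$value" ]; then
        echo "FAIL $value does not exist; mysqld may not start"
      elif [ "$(ls -ld "$value" | cut -c8-10)" != "---" ]; then
        # Characters 8-10 of the mode string are the permissions for "other".
        echo "WARN $value is accessible to other local users; use mode 0750"
      else
        echo "OK restricted to $value"
      fi ;;
  esac
)

# Usage: sh audit.sh /etc/mysql/mysql.conf.d/mysqld.cnf
if [ $# -gt 0 ]; then audit_secure_file_priv "$1"; fi
```
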