A question came up last week about what permissions the account that SharePoint uses to connect to SQL needs. Unfortunately, I couldn't find the answer after doing some internet searches, so I just decided to give it a try and see.

After installing MOSS 2007, setup will bring up the SharePoint Products and Technologies Configuration Wizard. Essentially, this wizard creates the Central Administration site so you can set up the rest of your MOSS installation.

Obviously the first security check is to make sure your user account running setup has permissions on the database server to create new databases. The wizard to create the Central Administration site will be running in your user account context to create the database so you have to at least have permissions to create a new database. Your user account should also have permissions to create a new IIS site, but since this post is about the database, I'll leave that topic for a future post.

The second user account you have to consider is the one you specified in the wizard for SharePoint to use to connect to the database. SharePoint will use this account not only to read and write to existing databases, but also to create new databases when you create a new SharePoint web application. Therefore a simple datareader or datawriter role is not enough.

Turns out the wizard will take care of adding the user you specified into SQL Server and then assigning the necessary server roles. In my test install, it looks like SharePoint requires the dbcreator and the securityadmin server roles for the user account.

Down to the security for the specific database, the user account is granted db_owner permissions.
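To check what the wizard actually granted on your own server, the following T-SQL lists the account's server roles and its roles in one database. This is an added example, not part of the original post; the login name `CONTOSO\svc_spdb` and the database name `YourSharePointDatabase` are placeholders, and it assumes SQL Server 2005 or later (the `sys.*` catalog views).

```sql
-- Placeholder: replace with the account you entered in the configuration wizard.
DECLARE @login sysname;
SET @login = N'CONTOSO\svc_spdb';

-- 1. Server-level roles held by the login.
--    The post observed dbcreator and securityadmin; anything else is flagged.
SELECT l.name AS login_name,
       r.name AS server_role,
       CASE WHEN r.name IN (N'dbcreator', N'securityadmin')
            THEN 'observed in post'
            ELSE 'review: not observed in post'
       END AS note
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS l ON l.principal_id = m.member_principal_id
WHERE l.name = @login
ORDER BY r.name;

-- 2. Quick yes/no check for the two server roles (1 = member, 0 = not, NULL = unknown login).
SELECT IS_SRVROLEMEMBER('dbcreator', @login)     AS is_dbcreator,
       IS_SRVROLEMEMBER('securityadmin', @login) AS is_securityadmin;
GO

-- 3. Database-level roles for the same login in one SharePoint database.
--    Placeholder database name: run this once per database you want to check.
USE [YourSharePointDatabase];
GO
DECLARE @login sysname;
SET @login = N'CONTOSO\svc_spdb';

SELECT u.name AS database_user,
       r.name AS database_role   -- the post observed db_owner
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
JOIN sys.server_principals   AS l ON l.sid = u.sid   -- map the database user back to the login
WHERE l.name = @login
ORDER BY r.name;
```

Microsoft's documentation advises treating securityadmin as equivalent to sysadmin, so this account is worth including in any periodic review of privileged logins.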

Another note on picking the user account for SharePoint to use to access the database: if you are doing a multi-server installation of SharePoint, make sure to use a domain account. You could also create a shadow account, but that is not a recommended way of installation.