加強MySQL用戶安全
- 黄舟原創
- 2017-02-13 10:59:251322瀏覽
很多親們在安裝好了MySQL資料庫之後,對於mysql用戶表並沒有做任何特殊的處理,因此缺省情況下,存在密碼為空的用戶,也有很多用戶名和密碼都為空的情形,我們稱為雙空用戶。這種情形下的登錄,在此統稱為異常登陸。對於生產環境的資料庫來說,這會帶來一些不確定的安全隱患。以下是關於這個問題的描述以及清理掉無關用戶的方法。
相關mysql用戶相關參考:
MySQL 用戶與權限管理
MySQL 修改用戶密碼及重設root密碼
1、演示異常登入a、演示双空用户登陆
[root@xlkoracel ~]# mysql -uroot -p
Enter password:
(root@localhost) [(none)]> show variables like 'version';
+---------------+--------+
| Variable_name | Value |
+---------------+--------+
| version | 5.6.26 |
+---------------+--------+
(root@localhost) [(none)]> select user,host,password from mysql.user;
+-------+-------------+-------------------------------------------+
| user | host | password |
+-------+-------------+-------------------------------------------+
| root | localhost | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |
| root | xlkoracel | |
| root | 127.0.0.1 | |
| root | ::1 | |
| | localhost | |
| | xlkoracel | |
| mycat | localhost | *975B2CD4FF9AE554FE8AD33168FBFC326D2021DD |
| mycat | 192.168.1.% | *975B2CD4FF9AE554FE8AD33168FBFC326D2021DD |
| mycat | 192.168.%.% | *975B2CD4FF9AE554FE8AD33168FBFC326D2021DD |
| root | 192.168.%.% | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |
+-------+-------------+-------------------------------------------+
(root@localhost) [(none)]> -- 可以看到存在用户名和密码同时为空的情形
(root@localhost) [(none)]> -- 退出后尝试使用任意用户名登录
(root@localhost) [(none)]> exit
Bye
[root@xlkoracel ~]# mysql -uxx ###无需指定密码参数-p
(xx@localhost) [(none)]> -- 可以成功登陆
(xx@localhost) [(none)]> -- 下面查看一下自身的权限
(xx@localhost) [(none)]> show grants; --当前只有usage权限
+--------------------------------------+
| Grants for @localhost |
+--------------------------------------+
| GRANT USAGE ON *.* TO ''@'localhost' |
+--------------------------------------+
(xx@localhost) [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| test |
+--------------------+
(xx@localhost) [(none)]> use test;
Database changed
(xx@localhost) [test]> show tables;
Empty set (0.00 sec)
(xx@localhost) [test]> create table t(id int);
Query OK, 0 rows affected (0.14 sec)
(xx@localhost) [test]> insert into t values(1);
Query OK, 1 row affected (0.01 sec)
(xx@localhost) [test]> select * from t;
+------+
| id |
+------+
| 1 |
+------+
1 row in set (0.00 sec)
(xx@localhost) [test]> --从上可以看出,usage权限已经可以完成很多任务
(xx@localhost) [test]> use infromation_schema;
ERROR 1044 (42000): Access denied for user ''@'localhost' to database 'infromation_schema'
(xx@localhost) [test]> exit;
b、演示密码为空的用户登陆
[root@xlkoracel ~]# mysql -uroot -hxlkoracel ###注,此时也无需指定参数-p
(root@xlkoracel) [(none)]> --可以成功登陆
(root@xlkoracel) [(none)]> show grants; --查看自身权限,为ALL PRIVILEGES,权限更大
+---------------------------------------------------------------------+
| Grants for root@xlkoracel |
+---------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'xlkoracel' WITH GRANT OPTION |
| GRANT PROXY ON ''@'' TO 'root'@'xlkoracel' WITH GRANT OPTION |
+---------------------------------------------------------------------+
a、對於部署到生產環境的mysql伺服器建議清理所有密碼為空的用戶以及雙空用戶b、建議清理前先備份,使用drop user方式來清理用戶更穩
以上就是加強MySQL用戶安全 的內容,更多相關內容請關注PHP中文網(www.php.cn)!