I have seen several posts online where interviewees were asked how they understand the security of a MySQL database. Many security problems come down to poor account management.
1 Delete the anonymous account
In MySQL, once installation finishes there is an anonymous account by default; simply running the mysql command is enough to log in. For example:
Run mysql directly to log in to the database, then switch to the test database:
[xkyx80@localhost ~]$ mysql
welcome to the mysql monitor. commands end with ; or \g.
your mysql connection id is 488
server version: 5.5.20-log source distribution
copyright (c) 2000, 2011, oracle and/or its affiliates. all rights reserved.
oracle is a registered trademark of oracle corporation and/or its
affiliates. other names may be trademarks of their respective
owners.
type 'help;' or '\h' for help. type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| database |
+--------------------+
| information_schema |
| test |
+--------------------+
2 rows in set (0.00 sec)
mysql> ues test;
error 1064 (42000): you have an error in your sql syntax; check the manual that corresponds to your mysql server version for the right syntax to use near 'ues test' at line 1
mysql> use test;
database changed
mysql> show tables;
+-------------------+
| tables_in_test |
+-------------------+
| gonghui2 |
| item |
| site |
| tbl_ad_monitor_ip |
| test |
| test2 |
| test_ |
| test_level |
| tx |
+-------------------+
9 rows in set (0.00 sec)
So what privileges does this account have? Let's look at the user table in the mysql database:
mysql> select user();
+----------------+
| user() |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)
mysql> select * from mysql.user \G;
host: localhost.localdomain
user:
password:
select_priv: n
insert_priv: n
update_priv: n
delete_priv: n
create_priv: n
drop_priv: n
reload_priv: n
shutdown_priv: n
process_priv: n
file_priv: n
grant_priv: n
references_priv: n
index_priv: n
alter_priv: n
show_db_priv: n
super_priv: n
create_tmp_table_priv: n
lock_tables_priv: n
execute_priv: n
repl_slave_priv: n
repl_client_priv: n
create_view_priv: n
show_view_priv: n
create_routine_priv: n
alter_routine_priv: n
create_user_priv: n
event_priv: n
trigger_priv: n
create_tablespace_priv: n
ssl_type:
ssl_cipher:
x509_issuer:
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
plugin:
authentication_string: null
With this account any ordinary OS user can log in to MySQL and, for example, create large tables. It is recommended to delete this account, or at least set a password on it.
2 Set a password for the root account
Once MySQL is installed, set a password for the root account:
[xkyx80@localhost ~]$ mysql -uroot
welcome to the mysql monitor. commands end with ; or \g.
your mysql connection id is 490
server version: 5.5.20-log source distribution
copyright (c) 2000, 2011, oracle and/or its affiliates. all rights reserved.
oracle is a registered trademark of oracle corporation and/or its
affiliates. other names may be trademarks of their respective
owners.
type 'help;' or '\h' for help. type '\c' to clear the current input statement.
mysql> set password=password('密码');
3 Choose a secure password
1 Make the password as complex as possible: letters, digits, special characters, and so on.
2 Keep it safe in use so it cannot be stolen: when logging in to MySQL, use the interactive login and type the password by hand rather than putting it on the command line.
4 Grant an account only the privileges it needs. If it only needs to query, insert, update and delete, grant only select, update, insert and delete. Be specific when granting privileges; giving a user all privileges is dangerous.
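The steps from sections 1, 2 and 4 as one script to run as root, added here as an example (it is not from the book or the original post). It uses MySQL 5.5 syntax, matching the session above; the schema name appdb, the account app and the host 10.0.0.% are placeholders.

```sql
-- Added example, not the book's or the original post's code.
-- Assumes MySQL 5.5 (PASSWORD() and SET PASSWORD ... = PASSWORD() are
-- removed in 8.0); appdb, app and 10.0.0.% are placeholder names.

-- 1. Find every anonymous account (User = '') and drop each Host the
--    query reports; localhost.localdomain is the one shown in the \G output.
SELECT User, Host FROM mysql.user WHERE User = '';
DROP USER ''@'localhost';
DROP USER ''@'localhost.localdomain';

-- The anonymous account gets the test database through mysql.db, not
-- through the global *_priv columns that were all N above. Remove those
-- rows and the test database itself.
SELECT Db, User, Host FROM mysql.db WHERE Db IN ('test', 'test\\_%');
DELETE FROM mysql.db WHERE Db IN ('test', 'test\\_%');
DROP DATABASE IF EXISTS test;

-- 2. root usually exists for several hosts; give every remaining entry a
--    password and drop the ones reachable from anywhere but the local host.
SELECT User, Host, Password FROM mysql.user WHERE User = 'root';
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('<strong password here>');
DELETE FROM mysql.user
 WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');

-- 4. Least privilege: an application account limited to one schema and
--    one client network, with only the four statements it needs.
CREATE USER 'app'@'10.0.0.%' IDENTIFIED BY '<another strong password>';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'10.0.0.%';
-- The dangerous form the text warns against, for contrast (do not run):
-- GRANT ALL PRIVILEGES ON *.* TO 'app'@'%' WITH GRANT OPTION;

-- Direct edits to mysql.user / mysql.db only take effect after a reload.
FLUSH PRIVILEGES;

-- Verify: no anonymous or password-less accounts remain, and app's
-- effective grants are exactly the four statements on appdb.
SELECT User, Host FROM mysql.user WHERE User = '' OR Password = '';
SHOW GRANTS FOR 'app'@'10.0.0.%';
```

The bundled mysql_secure_installation script walks through the anonymous-account, root-password and test-database steps interactively; the least-privilege application account still has to be created by hand.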
From: reading notes on 深入浅出MySQL