欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  IT编程

MySQL 5.6不删空用户的影响

程序员文章站 2022-03-04 23:31:40
[toc] 问题 MySQL5.6 新建本地可以登录的用户,但在本地始终登录不上,不存在的用户却能登录成功 分析 1、本是以ip地址进行登录的,错误信息报的是Access denied for user 'admin'@'slave58',自动进行了DNS解析,解析成了主机名,skip name r ......

目录

问题

mysql5.6 新建本地可以登录的用户,但在本地始终登录不上,不存在的用户却能登录成功

mysql -uroot -p1234 -s /data/mysql/33562/mysql.sock  -e "select version()"
mysql: [warning] using a password on the command line interface can be insecure.
+-----------+
| version() |
+-----------+
| 5.6.39    |
+-----------+
创建了admin@'%' 用户,但在本地无法登陆,但可以远程登陆

sselect user,host,password from mysql.user;
+--------+-----------+-------------------------------------------+
| user   | host      | password                                  |
+--------+-----------+-------------------------------------------+
| root   | localhost | *a4b6157319038724e3560894f7f932c8886ebfcf |
| root   | slave58   |                                           |
| root   | 127.0.0.1 |                                           |
| root   | ::1       |                                           |
|        | localhost |                                           |
|        | slave58   |                                           |
| admin  | %         | *4acfe3202a5ff5cf467898fc58aab1d615029441 |
| zabbix | 127.0.0.1 | *deef4d7d88cd046eca02a80393b7780a63e7e789 |
| super  | 127.0.0.1 | *f85a86e6f55a370c1a115f696a9ad71a7869db81 |
| super  | slave58   | *f85a86e6f55a370c1a115f696a9ad71a7869db81 |
+--------+-----------+-------------------------------------------+


show grants for 'admin'@'%';

+---------------------------------------------------------------------------------------------------------------+
| grant all privileges on *.* to 'admin'@'%' identified by password '*4acfe3202a5ff5cf467898fc58aab1d615029441' |
+---------------------------------------------------------------------------------------------------------------+

select password('admin');
+-------------------------------------------+
| password('admin')                         |
+-------------------------------------------+
| *4acfe3202a5ff5cf467898fc58aab1d615029441 |
+-------------------------------------------+

以ip地址无法登陆
mysql -uadmin -padmin   -p33562 -h10.186.30.58


mysql: [warning] using a password on the command line interface can be insecure.
error 1045 (28000): access denied for user 'admin'@'slave58' (using password: yes)

以socket也无法登陆
mysql -uadmin -padmin   -p33562 -s /data/mysql/33562/mysql.sock
或者
mysql -uadmin -padmin   -p33562 -h127.0.0.1

mysql: [warning] using a password on the command line interface can be insecure.
error 1045 (28000): access denied for user 'admin'@'localhost' (using password: yes)

不存在的用户却可以登录成功
mysql -utest  -s /data/mysql/33562/mysql.sock
welcome to the mysql monitor.  commands end with ; or \g.
your mysql connection id is 15
server version: 5.6.39 mysql community server (gpl)

copyright (c) 2000, 2017, oracle and/or its affiliates. all rights reserved.

分析

1、本是以ip地址进行登录的,错误信息报的是access denied for user 'admin'@'slave58',自动进行了dns解析,解析成了主机名,skip-name-resolve 可以禁用dns解析

2、mysql在验证权限的时候,先验证host,在验证user,最后验证password,即
host->user->password

3、以host或者socket登陆,进行了dns解析,host;socket被解析成了slave58;localhost,
而mysql.user 中host 为localhost和slave58 对应空用户,就报了访问拒绝错误

测试

启动mysqld时没有加上--skip-name-resolve

以mysql不存在的用户进行登录

mysql -utest -p33562 -h`hostname`
或者
mysql -utest -s /data/mysql/33562/mysql.sock

welcome to the mysql monitor.  commands end with ; or \g.
your mysql connection id is 1
server version: 5.6.39 mysql community server (gpl)
.....
show grants;
+------------------------------------+
| grants for @slave58                |
+------------------------------------+
| grant usage on *.* to ''@'slave58' |
+------------------------------------+
show databases;
+--------------------+
| database           |
+--------------------+
| information_schema |
| test               |
+--------------------+
create table test.test_t1(id int);
query ok, 0 rows affected (0.05 sec)
drop table test.test_t1;
query ok, 0 rows affected (0.05 sec)
drop database test;
query ok, 8 rows affected (0.49 sec)


具有usage  的权限的用户 有test 库的所有权限和information_schema 中表的select权限

以mysql.user中存在的用户登录如 “问题” 中所示,无法登录

在mysql.user 中存在的用户还不能登录,任意一个不存在的用户还可以登录成功 ,还可以drop database test,这有很大的安全隐患!开始怀疑,这mysql5.6是不是假的o_o

启动mysqld时加上--skip-name-resolve

ps -ef | grep -w 33562 | grep -v grep  | awk '{print $2}' | xargs -l kill
su - mysql -c "/usr/local/mysql/5.6.39/bin/mysqld --no-defaults --basedir=/usr/local/mysql/5.6.39 --datadir=/data/mysql/33562 --pid-file=/data/mysql/33562/clone.pid --port=33562 --server-id=33562 --socket=/data/mysql/33562/mysql.sock --tmpdir=/data/mysql/33562 --skip-name-resolve &"

以mysql.user中不存在的用户进行登录

mysql -utest   -p33562 -h`hostname`
error 1045 (28000): access denied for user 'test'@'10.186.30.58' (using password: no)

mysql -utest -s /data/mysql/33562/mysql.sock
welcome to the mysql monitor.  commands end with ; or \g.
your mysql connection id is 9
server version: 5.6.39 mysql community server (gpl)

以`hostname`登录,host 转化成ip地址,在mysql.user中没有匹配到;
以socket登录 host 被转化成localhost,在mysql.user中匹配到了''@'localost'空用户,登录成功。可见,任意用户都能匹配mysql.user的user为空' '的用户

以mysql.user中存在的用户可以登录成功

mysql -uadmin -padmin   -p33562 -h10.186.30.58
mysql: [warning] using a password on the command line interface can be insecure.
welcome to the mysql monitor.  commands end with ; or \g.
your mysql connection id is 1
server version: 5.6.39 mysql community server (gpl)

结论

1、在没有以 skip-name-resolve 启动启动的情况下,以mysql -uuser -ppassword登录会进行dns解析,在mysql.user中匹配到错误的 host,即时没有限制主机的用户 ‘user’@'%'也无法登录

2、即时一个并不存在的用户在以`hostname` 或者socket进行登录,若匹配了mysql.user中的host,该host对应的user和password为空,并不存在的用户也能登录成功

3、为了避免进行dns解析,在my.cnf配置文件中添加skip-name-resolve

4、在刚初始化mysql5.6后,就应该删除空用户,空密码账户(包括root空秘密账户),减少安全隐患,delete from mysql.user where password=' ';flush privileges;

参考

上一篇: Linux基础学习-使用iSCSI服务部署网络存储

下一篇: Can‘t set data directory suffix: WebView already initialized

推荐阅读