mysql 数据库管理中的安全问题(一)
从网上看到一些帖子,面试者被问到如何认识mysql数据库的安全问题。很多安全问题都是由于对账号管理不妥当造成的。 1 删除匿名账号 在mysql版本中,安装完mysql后,默认会有一个匿名账号,只有执行mysql命令就能登录上去。如下: 直接执行mysql 登录上数据库
从网上看到一些帖子,面试者被问到如何认识mysql数据库的安全问题。很多安全问题都是由于对账号管理不妥当造成的。
1 删除匿名账号
在mysql版本中,安装完mysql后,默认会有一个匿名账号,只有执行mysql命令就能登录上去。如下:
直接执行mysql 登录上数据库,进入test数据库下
[xkyx80@localhost ~]$ mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 488
Server version: 5.5.20-log Source distribution
Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| test |
+--------------------+
2 rows in set (0.00 sec)
mysql> ues test;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ues test' at line 1
mysql> use test;
Database changed
mysql> show tables;
+-------------------+
| Tables_in_test |
+-------------------+
| gonghui2 |
| item |
| site |
| tbl_ad_monitor_ip |
| test |
| test2 |
| test_ |
| test_level |
| tx |
+-------------------+
9 rows in set (0.00 sec)
那么它具有的权限呢 ? 现在查看一下mysql下user用户表
mysql> select user();
+----------------+
| user() |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)
mysql> select * from mysql.user \G;
Host: localhost.localdomain
User:
Password:
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Show_db_priv: N
Super_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Execute_priv: N
Repl_slave_priv: N
Repl_client_priv: N
Create_view_priv: N
Show_view_priv: N
Create_routine_priv: N
Alter_routine_priv: N
Create_user_priv: N
Event_priv: N
Trigger_priv: N
Create_tablespace_priv: N
ssl_type:
ssl_cipher:
x509_issuer:
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
plugin:
authentication_string: NULL
这样普通用户即可登录mysql ,建大表等操作,建议删掉此账号,或者给此账号加密码。
2 给root账号设置口令
mysql 安装完毕,要给root 账号设定口令
[xkyx80@localhost ~]$ mysql -uroot
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 490
Server version: 5.5.20-log Source distribution
Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> set password=password('密码');
3 设置安全的密码
1 密码设置的尽量复杂,带有字母、数字、特殊字符等
2 使用上保证安全,不被窃取,在登陆mysql时,使用交互式登陆方式,手动输入密码比较安全。
4 只赋予账号必须的权限,只需要增删改查,那就只赋予 select、update、insert、delete权限 ,权限赋予具体化,对用户赋予 all privilege权限是危险的。
from : 读书笔记 深入浅出mysql
下一篇: DOM基础教程之事件类型_基础知识