Security of new MySQL installation _ MySQL

This chapter describes the security of new MySQL installations. This chapter describes the responsibilities of the MySQL administrator to keep MySQL running normally. These responsibilities include ensuring that the server runs as high as possible, setting user accounts so that clients can access the server, maintaining log files, and performing database backup. To achieve higher performance, the administrator can run multiple servers or modify the operation parameters of the servers. Finally, because MySQL is in a rapidly developing state, the administrator must be able to determine how to upgrade MySQL. Other important management problems will be introduced in chapter 12th "security" and Chapter 13th "database maintenance and repair.

Several useful programs for MySQL administrators are included in these chapters:

Mysqladmin performs various management operations.

Safe_mysqld and mysql. server are scripts for starting MySQL server mysqld.

Mysqldump is used for database backup and copy operations.

Myisamchk and isamchk are used for table integrity check and repair operations.

For additional information about these programs, see Appendix E "MySQL program reference ".

You may have just installed MySQL as described in "obtain and install software" in Appendix. In this case, you need to set a password for the MySQLroot user-for a new MySQL installation, the server is running with insecure permissions. Assume that you have initialized the data directory and the mysql database that contains the authorization table. In UNIX, you can run the mysql_install_db script. In Windows, the data directory and mysql database are initialized by running the Setup program in the server distribution package. I also assume that the server is running.

When I first installed MySQL on a machine, the initial permissions of the mysql database authorization table are as follows:

You can use root to connect to the local host without any password. Root users have all the permissions (including management permissions), so they can do a lot (by the way, both MySQL superusers and UNIX superusers have the root name, this is a coincidence. They have no relationship with each other)

Anonymous access is granted to the user connected from the local host. the host has a database named test or any database starting with 'Te s t. Anonymous users can use such a database to do anything, but have no management permission.

No matter whether the connected user specifies the localhost host name or the actual host name, the connection from the local host to the server is allowed. For example, if the server is on pit-viper.snke.net, the client on the host can connect to the server without a password, so that the test database can be used using one of the following statements:

% Mysql-h localhost test
% Mysql-h pit-viper.snake.net test

You can even connect to MySQL as a root user without a password. This fact shows that the initial installation is insecure. Therefore, one of the initial actions of the MySQL administrator should be to set a password for the root user. Then, you need to instruct the server to reload the authorized table to let the server know the changes (when the server starts, it loads these tables into the memory, and they have been changed without being realized. If so, you must explicitly tell it to re-read these tables ).

For versions later than MySQL3.22, you can use the mysqla d m I n program to set a password as follows. the password you selected can be used to replace "your password" in the following command ":

% Mysqladmin-uroot password "your password"

For any version of MySQL, you can use the mysql program and directly update the user-authorized table in the mysql database:

% Mysql-uroot mysql> UPDATE user SET Password = PASSWORD ("your password ")

-> WHREE User = "root ";

If you have an old version of MySQL, you can use mysql and an UPDATE statement, which also includes the Windows shared software version.

After setting the password, check whether you need to run the following command to instruct the server to re-load the authorization table:

% Mysqladmin-uroot status

If the server still allows connection as a root user without a password, it should be notified to re-read the authorized table (MySQL and later versions allow mysqladmin flush. privileges command and f l u s h privileges SQL statement to reload the table ):

% Mysqladmin-uroot reload

After setting the root password (and re-load the authorized table, if necessary), you must specify a new password when connecting to the server as root.