Analysis of MySQL authorization principle

Source: Internet
Author: User

MySQL is a cross-platform, open source relational database management system and one of the most economical databases in common use. Its small size, speed, low total cost of ownership and, above all, its open source nature make it a practical choice for many users. Many of those users, however, do not understand its authorization principles well, so this article walks through them.

Server startup

When mysqld starts, it reads the entire contents of the grant (authorization) tables into memory, and they take effect from that point on.

Changes applied immediately by the server

Modifications to the grant tables made with GRANT, REVOKE, or SET PASSWORD are noticed by the server immediately.

Direct modification of the grant tables

If you modify the grant tables manually (using INSERT, UPDATE, and so on), you should execute a FLUSH PRIVILEGES statement or run mysqladmin flush-privileges to tell the server to reload the grant tables. Otherwise your changes will not take effect until you restart the server.

Impact on existing client connections

When the server notices that the grant tables have changed, existing client connections are affected as follows:

• Table and column privilege changes take effect on the client's next request.

• Database privilege changes take effect on the next USE db_name command.

• Global privilege changes and password changes take effect the next time the client connects.

Principles of authorization

No matter how careful you are, it is almost inevitable that some loophole is left when authorizing users. The following rules should help; you should generally abide by them.

Only the root user should have the right to rewrite the grant tables

Do not grant write access to the grant tables to any user other than root (although you can, of course, administer with a different user in place of root to increase security). A user with that access can override existing privileges by rewriting the grant tables, which creates a security vulnerability.

In general you may not make this mistake yourself, but the initial grant tables created by a new installation already contain this vulnerability, and you may make a mistake if you do not understand the contents of the grant tables.

On Unix (Linux), after installing MySQL according to the manual, you must run the mysql_install_db script to create the mysql database, which contains the grant tables, and the initial privileges. On Windows, run the Setup program in the distribution to initialize the data directory and the mysql database. The following assumes that the server is also running.

When you first install MySQL on a machine, the grant tables in the mysql database are initialized like this:

• You can connect as root from the local host (localhost) without specifying a password. The root user has all privileges (including administrative privileges) and can do anything. (Incidentally, the MySQL superuser and the Unix superuser have the same name, but they have nothing to do with each other.)

• Anonymous access is granted to users connecting locally for the database named test and for any database whose name starts with test_. Anonymous users can do anything with these databases, but have no administrative privileges.

Generally, it is recommended that you delete anonymous user records:

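mysql> DELETE FROM user WHERE User = '';

Further, delete any anonymous users in the other grant tables; the tables with a User column are db, tables_priv, and columns_priv. Because these are direct modifications of the grant tables, they take effect only after FLUSH PRIVILEGES or a server restart.

Also, set a password for the root user.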

About user, password, and host settings

• Use passwords for all MySQL users.

Remember, if other_user has no password, anyone can simply log in as that user with mysql -u other_user db_name. For client/server applications, it is common practice for clients to be able to specify any user name. You can change the passwords of all users by editing the mysql_install_db script before you run it, or change just the password of the MySQL root user, like this:

shell> mysql -u root mysql
mysql> UPDATE user SET Password=PASSWORD('new_password')
    -> WHERE User='root';
mysql> FLUSH PRIVILEGES;
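The three rules above (no anonymous users, a password on every account, no write access to the grant tables for anyone but root) can be checked mechanically. The following is an added example, not part of the original article: it audits rows exported from the user and db grant tables, assuming the older schema with a Password column that the UPDATE statement above uses. The function names, rule labels, and sample rows are constructed for illustration.

```python
import re

WRITE_PRIVS = ("Insert_priv", "Update_priv", "Delete_priv")


def like_matches(pattern, name):
    """Match a db.Db pattern: % and _ are wildcards, backslash escapes them."""
    regex, i = "", 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            regex += re.escape(pattern[i + 1])
            i += 2
            continue
        regex += {"%": ".*", "_": "."}.get(pattern[i], re.escape(pattern[i]))
        i += 1
    return re.fullmatch(regex, name) is not None


def audit_grant_tables(user_rows, db_rows):
    """Return sorted (rule, account) findings for the rules in the article."""
    findings = set()
    for row in list(user_rows) + list(db_rows):
        acct = "'%s'@'%s'" % (row["User"], row["Host"])
        if row["User"] == "":
            findings.add(("anonymous-user", acct))
        if row.get("Password") == "":  # only user rows carry a Password
            findings.add(("empty-password", acct))
        # user rows are global; db rows apply where Db matches "mysql".
        on_mysql = "Db" not in row or like_matches(row["Db"], "mysql")
        can_write = any(row.get(p) == "Y" for p in WRITE_PRIVS)
        # Assumption: the administrative account is named root.
        if row["User"] != "root" and on_mysql and can_write:
            findings.add(("grant-table-write", acct))
    return sorted(findings)


def _row(host, user, write, **extra):
    """Build a constructed sample row; write is 'Y' or 'N' for all three."""
    return dict({p: write for p in WRITE_PRIVS}, Host=host, User=user, **extra)


# Constructed rows: a fresh install (root and anonymous, no passwords)
# plus one application account given write access to the mysql database.
SAMPLE_USER = [
    _row("localhost", "root", "Y", Password=""),
    _row("localhost", "", "N", Password=""),
    _row("%", "app", "N", Password="*CONSTRUCTED-HASH-PLACEHOLDER"),
]
SAMPLE_DB = [
    _row("%", "", "Y", Db="test"),
    _row("%", "", "Y", Db="test\\_%"),
    _row("%", "app", "Y", Db="mysql"),
]
```

Calling audit_grant_tables(SAMPLE_USER, SAMPLE_DB) reports the anonymous accounts, the two passwordless accounts, and the app account that can rewrite the grant tables.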


