This article describes how to assign appropriate permissions to users. The main principles are to grant each user only the minimum permissions they need and, as far as possible, to avoid granting permissions in the user table, which affect the entire database. Some permissions are dangerous, such as FILE, GRANT, and PROCESS. The administrator must grant them with caution.
Server restart
When mysqld starts, it reads the entire contents of the authorization tables into memory, and they take effect from that point.
Immediately applied by the server
Modifications made to the authorization table using GRANT, REVOKE, or SET PASSWORD are noticed by the server immediately.
Directly modify the authorization table
If you modify the authorization table manually (using INSERT, UPDATE, and so on), you should execute a FLUSH PRIVILEGES statement or run mysqladmin flush-privileges to tell the server to reload the authorization table. Otherwise, your change will not take effect until you restart the server.
Impact on existing client connections
When the server notices that the authorization table has changed, existing client connections are affected as follows:
· Table and column permission changes take effect with the client's next request.
· Database permission changes take effect at the next USE db_name command.
· Changes to global permissions and passwords take effect the next time the client connects.
Authorization principles
No matter how careful you are, you will inevitably leave vulnerabilities when authorizing users. I hope the following content can help you. You should generally abide by these rules.
Only the root user should have permission to rewrite the authorization table.
Do not grant permission to rewrite the authorization table to any user other than root (of course, you can use another user instead of root for administration to increase security). Otherwise, a user can override the existing permissions by modifying the authorization table, which creates a security vulnerability.
In general you may not make this mistake yourself, but the initial authorization table created by a newly installed distribution has this vulnerability. If you do not know the contents of the initial authorization table, you may make mistakes.
On Unix (Linux), after installing MySQL according to the instructions in the manual, you must run the mysql_install_db script to create the mysql database, which contains the authorization table, and the initial permissions. On Windows, run the Setup program in the distribution to initialize the data directory and the mysql database. It is assumed that the server is also running.
When you first install MySQL on a machine, the authorization table in the mysql database is initialized as follows:
· You can connect to the local host as root without specifying a password. The root user has all permissions (including administrative permissions) and can do anything. (By the way, the MySQL superuser has the same name as the Unix superuser, but the two have nothing to do with each other.)
· Anonymous users can connect locally to a database named test and to any database whose name begins with test_. Anonymous users can do anything to these databases, but have no administrative permissions.
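The following audit is an added example, not part of the original article: it checks a server for the weaknesses described above (password-less and anonymous accounts, non-root accounts with dangerous or table-rewriting permissions) and then removes the anonymous entries. It assumes the older authorization table layout in which mysql.user has a Password column; the choice of queries and the 'root' exclusion are illustrative.

```sql
-- Added example; not from the original article.
-- Assumption: pre-5.7 grant-table layout, where mysql.user has a Password
-- column (on 5.7 and later the column is authentication_string).

-- 1. Accounts that can connect without a password, anonymous ones included.
SELECT User, Host, IF(User = '', 'anonymous', 'named') AS account_type
FROM mysql.user
WHERE Password = '' OR Password IS NULL;

-- 2. Non-root accounts holding the global privileges the article calls
--    dangerous (FILE, GRANT, PROCESS).
SELECT User, Host, File_priv, Grant_priv, Process_priv
FROM mysql.user
WHERE User <> 'root'
  AND 'Y' IN (File_priv, Grant_priv, Process_priv);

-- 3. Non-root accounts that can rewrite the authorization tables: either
--    global write privileges, or write privileges on a mysql.db pattern
--    that matches the mysql database itself.
SELECT User, Host, 'global' AS scope
FROM mysql.user
WHERE User <> 'root'
  AND 'Y' IN (Insert_priv, Update_priv, Delete_priv)
UNION ALL
SELECT User, Host, CONCAT('db: ', Db)
FROM mysql.db
WHERE User <> 'root'
  AND 'mysql' LIKE Db
  AND 'Y' IN (Insert_priv, Update_priv, Delete_priv);

-- 4. Database-level rows that the initial tables give to anonymous users
--    (the test and test_* entries).
SELECT Host, Db, User
FROM mysql.db
WHERE User = '';

-- 5. Remove the anonymous entries by editing the tables directly. Because
--    this bypasses GRANT/REVOKE, the server must be told to reload them.
DELETE FROM mysql.db   WHERE User = '';
DELETE FROM mysql.user WHERE User = '';
FLUSH PRIVILEGES;
```

Review the output of queries 1 to 4 before running step 5.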