MySQL security issues: an experience
Two days ago, while helping a friend tidy up his home page hosting space, I noticed something about MySQL that is easy to overlook. After MySQL is installed, it automatically creates a root user and an anonymous user, both with an empty initial password. For the former, many references remind you to set a password promptly. The latter is ignored, presumably because by default it is set up to be used only from the local machine.
But if your MySQL provides database services to a web server, ignoring this anonymous user can be very costly, because by default the anonymous user on localhost has almost the same privileges as root. If your customers can upload script files, and those scripts can perform MySQL database operations (for example, PHP with MySQL support), your MySQL may already have been changed beyond recognition:
Today, while cleaning up my friend's home page space, I wrote and uploaded a very simple PHP file that executes an SQL statement. In the connection string I left user and password empty and set host=localhost, and found that my SQL statement was executed. So I ran select * from mysql.user to look at the user privileges, and found that this user's privileges on localhost are very high; it even has Grant_priv. (If you look, you will find two rows below root where the user name and password are empty but the privilege columns are Y or N. These are the anonymous user: the local and remote privilege settings.)
So I tried using this PHP page to create a new user and grant it high privileges, and it succeeded. I could then use this new user to connect to the site's MySQL server from my own local MySQL client and manage the server with the new user's administrative privileges. Seeing how easily I had obtained complete control of the database, how could I dare put the sensitive material from my friend's home page space into this MySQL server?
Recommendations for improvement:
1. After installing MySQL, change not only the root password but also the anonymous user's password. The method is similar to changing the root password:
mysql> UPDATE mysql.user SET Password=PASSWORD('yournewpassword') WHERE User='';
mysql> FLUSH PRIVILEGES;
2. If it is not needed, delete the anonymous user, so that everyone who uses MySQL must provide a user name. Even if a problem occurs later, it is then easy to find its source.
3. Apart from root, other users, including the anonymous user (if it has not been deleted), should not have the GRANT privilege, to prevent administrative rights from spreading uncontrolled.
4. When giving users the UPDATE, DELETE, ALTER, CREATE and DROP privileges, limit them to a specific database. In particular, ordinary customers should not have privileges to operate on the mysql database, or your system settings are likely to be replaced.
5. Check the mysql.user table and remove the Shutdown_priv, Reload_priv, Process_priv and File_priv privileges from users who do not need them. These privileges may leak more server information, including information unrelated to MySQL.
6. If you do not intend to let your users use the MySQL database, then when you provide a scripting language such as PHP, reconfigure or recompile PHP to remove its default MySQL support.
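The checks behind recommendations 2 to 5, as an added example that is not part of the original article: audit queries against the grant tables, followed by the matching clean-up statements. The account 'webapp'@'localhost' and the database appdb are placeholder names.

```sql
-- Added example; 'webapp'@'localhost' and appdb are placeholder names.
-- Run as an administrative user. The SELECTs only read mysql.user / mysql.db.

-- (2) Anonymous accounts: rows whose User column is the empty string.
SELECT Host, User FROM mysql.user WHERE User = '';

-- (3)(5) Non-root accounts holding global administrative privileges.
SELECT Host, User, Grant_priv, Shutdown_priv, Reload_priv, Process_priv, File_priv
FROM mysql.user
WHERE User <> 'root'
  AND 'Y' IN (Grant_priv, Shutdown_priv, Reload_priv, Process_priv, File_priv);

-- (4) Non-root accounts whose data-changing privileges are global (ON *.*)
--     instead of being limited to one database.
SELECT Host, User, Update_priv, Delete_priv, Alter_priv, Create_priv, Drop_priv
FROM mysql.user
WHERE User <> 'root'
  AND 'Y' IN (Update_priv, Delete_priv, Alter_priv, Create_priv, Drop_priv);

-- (4) Accounts with database-level privileges on the mysql system database.
SELECT Host, Db, User FROM mysql.db WHERE Db = 'mysql';

-- Clean-up. Use the exact Host values the first query returned;
-- ''@'localhost' is the local anonymous row the article describes.
DROP USER ''@'localhost';

-- Strip global administrative privileges from an account that does not need them.
REVOKE GRANT OPTION ON *.* FROM 'webapp'@'localhost';
REVOKE SHUTDOWN, RELOAD, PROCESS, FILE ON *.* FROM 'webapp'@'localhost';

-- Replace global data privileges with privileges on a single database.
REVOKE UPDATE, DELETE, ALTER, CREATE, DROP ON *.* FROM 'webapp'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'webapp'@'localhost';

-- Verify the result.
SHOW GRANTS FOR 'webapp'@'localhost';
```

DROP USER, REVOKE and GRANT update the in-memory grant tables themselves, so no FLUSH PRIVILEGES is needed after them; it is only required after editing mysql.user directly, as in recommendation 1.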