MySQL server internal secure data Directory Access

Source: Internet
Author: User
Tags file system log connect mysql query file permissions access mysql database

As a MySQL administrator, what you can do to maintain the security and integrity of your MySQL installation. In this article, we will discuss the following security-related issues in more detail:

Why is security important and what attacks should we be wary of?

What risks (internal security) do you face from users in the server host?

What risks (external security) do you face from clients that connect to the server on the network?

The MySQL administrator is responsible for securing the contents of the database so that records can only be accessed by strictly authenticated users. This includes internal security and external security.

Internal security concerns file system-level issues, such as protecting the MySQL data directory from users who have the machine account running the server. However, if the file permissions on the contents of the data directory are too arbitrary and someone can simply replace the files corresponding to those tables, internal security will not be a good way to ensure that the control of the authorization table for client access on the network is properly established.

External security concerns the client's external connections, such as preventing the MySQL server from being attacked by a network-incoming connection request for database content access. To establish a MySQL authorization table, they do not allow access to the database managed by the server (unless a valid name and password is provided).

This article provides guidance on issues that you should be aware of and how to prevent unauthorized access at both the internal and external levels.

The MySQL server provides a flexible permission system that is implemented through the authorization table in the MySQL database. You can set the contents of these tables to allow or deny database access to clients. This provides security for network access data that is not authenticated. However, if other users on the server host have direct access to the contents of the data directory, they will not be able to establish good security for the network accessing the data. Unless you know that you are the only person registered on a machine running a MySQL server, you need to be concerned about the likelihood that other users on that machine will have access to the data directory.

Here's what you want to protect:

Database files. It is obvious that you want to maintain the confidentiality of databases maintained by the server. The owner of the database usually takes into account the proprietary nature of the database content. Even if they do not consider it, the most important is to make the content of the database public, without causing those content to be compromised due to the low security of the database directory.

Log files. The general and update logs must be secure because they contain the query text. This is quite a concern because anyone with log file access can monitor transactions that occur in the database.

A more specific security concern with log files is that queries such as Grant and set PASSWORD are recorded in the log. The general and update log files contain sensitive query text, which includes passwords (MySQL uses password encryption, but this only applies to connections established after password settings). The procedure for setting up a password is contained in queries such as Grant, INSERT, or set PASSWORD, but these queries are recorded as plain text. If an attacker has read access to the log, he can find sensitive information simply by running grep on words such as grant or password in the log.

Obviously, you don't want other users on the server host to have write access to the data directory files, because then they can trample on state files or database tables. But read access is also dangerous. If the table file is readable, it is trivial to steal the file and let MySQL itself display the contents of the table in plain text. You can do this by following these steps:

1 Install your MySQL server on the server host, but use a different port, socket, and data file than the official server.

2 run mysql_install_db initialize your data directory. This will allow you to access the server as the root user of MySQL, so you will have full control over the server access mechanism. It also creates a test database.

3 Copy the corresponding file of the table you want to steal to the test subdirectory under the server data directory.


4) Start the crime server. You can access these tables at your own discretion. Show table from test shows that you have a backup of the stolen tables, and SELECT * will display the entire contents of any of these tables.

5 If it is worse, open the server's anonymous user account license so that anyone can connect to the server from anywhere to visit your test database. Now, you have released these stolen watches to the world.

1 2 Next page > full text reading tips: Try "←→" button, turn the page more convenient Oh!

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.