1. Preface
MySQL is a fully networked Cross-platform relational database system and a distributed database management system with client/server architecture. The utility model has the advantages of strong function, simple use, convenient management, fast operation speed and strong security and reliability, and can be used in many languages to write programs to access the MySQL database, especially with PHP is a gold combination, which is widely used.
Since MySQL is a multi-platform database, its default configuration should be considered applicable in all circumstances, so it should be further secured in our own use environment. As a MySQL system administrator, we are responsible for maintaining the data security and integrity of the MySQL database system.
MySQL database security configuration must start from two aspects, system internal security and external network security, in addition, we will also brief programming to pay attention to some of the problems and some tips.
2. Internal security of the system
First of all, a brief description of the MySQL database directory structure. MySQL is installed and the Mysql_db_install script is run to create the data directory and initialize the database. If we install with a MySQL source package and the installation directory is/usr/local/mysql, then the data directory will generally be/usr/local/mysql/var. The database system consists of a series of databases, each containing a series of database tables. MySQL is using database name in the data directory to establish a database directory, each database table with the database table name as the file name, the extension is myd, myi, frm three files into the database directory.
MySQL's authorization table provides a flexible access control to the database, but if the local user has read access to the library files, the attacker can simply package the database directory and then copy it to their native data directory to access the stolen database. So MySQL Host security is the most important problem, if the host is not secure, the attacker control, then the security of MySQL can not talk about. The second is the security of data directories and data files, which is the problem of permission setting.
From the MySQL master station some old binary distributions, the 3.21.xx version of the Data directory property is 775, so very dangerous, any local users can read the data directory, so the database file is very insecure. In the 3.22.xx version of the data directory, the property is 770, this property is also a bit dangerous, local users can read and write, so the data file is not secure. 3.23.XX version of the data directory of the property is 700, this is better, only the user to start the database can read and write database files, to ensure the security of local data files.
If the user who started the MySQL database is MySQL, then the directories and files like the following are safe, please note the Data directory and the following attributes:
Shell>ls-l/usr/local/mysql
Total 40
Drwxrwxr-x 2 root root 4096 Feb 20:07 bin
Drwxrwxr-x 3 root root 4096 Feb 20:07 include
Drwxrwxr-x 2 root 4096 Feb 20:07 info drwxrwxr-x 3 root root 4096 Feb/20:07 lib Drwxrwxr-x 2 root 4096 Feb 20:07 libexec drwxrwxr-x 3 root 4096 Feb-20:07 man drwxrwxr-x 6 root root 4096 Feb/20:07 mysql-test R-x 3 root 4096 Feb 20:07 share drwxrwxr-x 7 root root 4096 Feb-20:07 sql-bench drwx------4 mysql mysql 4096 F EB 20:07 var
Shell>ls-l/usr/local/mysql/var
Total 8
drwx------2 mysql mysql 4096 Feb 20:08 MySQL
drwx------2 mysql mysql 4096 Feb 20:08 test
Shell>ls-l/usr/local/mysql/var/mysql
Total 104
-RW-------1 mysql mysql 0 Feb 20:08 columns_priv. MyD
-RW-------1 mysql mysql 1024 Feb 20:08 columns_priv. Myi
-RW-------1 mysql mysql 8778 Feb 20:08 columns_priv.frm
-RW-------1 MySQL mysql 302 Feb 20:08 db. MyD
-RW-------1 mysql mysql 3072 Feb 20:08 db. Myi
-RW-------1 mysql mysql 8982 Feb 20:08 db.frm
-RW-------1 mysql mysql 0 Feb 20:08 func. MyD
-RW-------1 mysql mysql 1024 Feb 20:08 func. Myi
-RW-------1 mysql mysql 8641 Feb 20:08 func.frm
-RW-------1 mysql mysql 0 Feb 20:08 host. MyD
-RW-------1 mysql mysql 1024 Feb 20:08 host. Myi
-RW-------1 mysql mysql 8958 Feb 20:08 host.frm
-RW-------1 mysql mysql 0 Feb 20:08 tables_priv. MyD
-RW-------1 mysql mysql 1024 Feb 20:08 tables_priv. Myi
-RW-------1 mysql mysql 8877 Feb 20:08 tables_priv.frm
-RW-------1 mysql mysql 428 Feb 20:08 user. MyD
-RW-------1 mysql mysql 2048 Feb 20:08 user. Myi
-RW-------1 mysql mysql 9148 Feb 20:08 user.frm
If the owner and attributes of these files are not the same, please amend them with the following two commands:
Shell>chown-r Mysql.mysql/usr/local/mysql/var
Shell>chmod-r Go-rwx/usr/local/mysql/var