Category: Mysql/postgreSQL

2008-02-27 17:06:20

Security

When MySQL checks a user, it uses the most specific match. In general it checks the user table first, then the db and host tables, and finally the table- or column-level privileges.

§15.1 Account security

     Set a password for root after installation; by default there is none.

     Delete the anonymous accounts

       mysql_install_db is a shell script worth studying when you have time. It creates two anonymous users, with host values localhost and % respectively. To delete them (the user and db tables live in the mysql database):

delete from user where User='';
delete from db where User='';
FLUSH PRIVILEGES;

       Also, having many accounts makes them easy to confuse.

     Restrict privileges

Especially FILE, PROCESS, and WITH GRANT OPTION.

     Passwords and encryption

For other cases where user names and passwords would otherwise be shown in plaintext, use MD5() or ENCRYPT().

§15.2 Installation file security

     Do not run mysqld as root

On Unix-like systems this limits the MySQL server's access to the file system.

     Operating-system access and privileges

Only designated users should be able to run mysqld, mysqladmin, mysqldump, mysqlhotcopy and similar programs, or to access the MySQL data directory.

In addition, filter user-supplied data. Also:

     Use SSL

Use SSL (Secure Sockets Layer) between server and client. First the OpenSSL library must be present; then configure MySQL from the command line with --with-vio and --with-ssl. The MySQL manual contains an example script.

Then require it of the client:

grant all on employee.*
to testuser identified by 'password'
require ssl;

§15.3 Summary

Privilege System

Stage 1: Check whether user@host is allowed to connect with this password.

 

Stage 2: Check each query to see whether this user@host has sufficient privilege. Check the user and host tables first, then db, and then tables_priv and columns_priv.

 

User table rows with more specific hosts are used in preference to those with less specific hosts.

 

Security Guidelines

Make sure you set a root password for MySQL.

 

Delete anonymous accounts; they allow access to strangers and may keep out legitimate users.

 

Be very careful about granting the privileges FILE, PROCESS, and WITH GRANT OPTION.

 

Encrypt application-level passwords with MD5() or CRYPT() rather than PASSWORD().

 

Don't run mysqld as the Unix root user. Create a low-privilege user specifically to run mysqld.

 

Limit access to mysqld to the MySQL low-privilege user.

 

Limit access to programs and scripts as necessary to the user. Use the principle of least privilege: Give users access only if they really need it!

 

Limit access to the data directory to the MySQL user.

 

Never trust data directly from the user. Always filter it in your application-level logic.

 

Turn on SSL connections if encrypted connections are required.

 

Remember to watch the physical security of your MySQL server!
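The checks above can be turned into audit queries against the grant tables. This is an added example, not code from the original post; it assumes the MySQL 5.0/5.1-era mysql.user layout the post describes (a Password column, later renamed authentication_string), and 'testuser' is the placeholder account from the post.

```sql
-- Added example (not from the original post): audit the grant tables for the
-- weaknesses the chapter lists. Assumes the MySQL 5.x-era mysql.user schema.
USE mysql;

-- 1. Anonymous accounts (empty User): the two rows mysql_install_db creates.
SELECT Host, User FROM user WHERE User = '';

-- 2. Accounts that can connect without any password (root after install).
SELECT Host, User FROM user WHERE Password = '';

-- 3. Accounts holding FILE, PROCESS or GRANT OPTION (the privileges the chapter
--    singles out), plus SUPER, which bypasses most other restrictions.
SELECT Host, User, File_priv, Process_priv, Grant_priv, Super_priv
  FROM user
 WHERE File_priv = 'Y' OR Process_priv = 'Y'
    OR Grant_priv = 'Y' OR Super_priv = 'Y';

-- 4. Accounts reachable from any host that are not forced onto SSL.
SELECT Host, User, ssl_type
  FROM user
 WHERE Host = '%' AND ssl_type = '';

-- 5. User names with several user-table rows: the server picks the row with the
--    most specific Host, so a broader row can silently carry different rights.
SELECT User, COUNT(*) AS rows_for_user, GROUP_CONCAT(Host) AS hosts
  FROM user
 GROUP BY User
HAVING COUNT(*) > 1;

-- Remediation mirroring the chapter's advice (DROP USER needs MySQL 5.0.2+;
-- on older servers use the DELETE ... FROM user / db statements shown above).
DROP USER ''@'localhost';
DROP USER ''@'%';
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('choose-a-strong-password');
-- GRANT USAGE changes only the connection requirement, not the privileges.
GRANT USAGE ON *.* TO 'testuser'@'%' REQUIRE SSL;
FLUSH PRIVILEGES;
```

Run the SELECTs first and keep their output as the before/after record; the remediation statements are only worth running once each finding has been confirmed.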

 


chinaunix user, 2008-02-27 17:07:29

1: Which table in the mysql database is checked to see whether a user may connect?
   tables_priv / db / columns_priv / user

2: Which table is checked first to see whether a user may execute any particular query?
   user / host / db / tables_priv

3: If MySQL finds multiple rows in the user table with the same username, which row is used for authentication?
   The row with the most specific host value. / The row with the most general host value. / Any row that has the right passwo