Requirements analysis:
- The root password has turned up in several places: shared technical documents, e-mails, screenshots.
- The administrator account MySQL creates by default is named root, which everyone knows. To strengthen security, switch to a different user name, for example superuser, or something with a company flavour such as xxx_admin.
Countermeasures:
- First create a user with the same privileges as root.
  GRANT ALL PRIVILEGES ON *.* TO 'x_admin'@'127.0.0.1' IDENTIFIED BY 'xxxx';
- Then delete the default root user.
  drop user root@'127.0.0.1';
  drop user root@'localhost';
  drop user root@'::1';
Things to watch out for:
- Views
  A view whose DEFINER is the root account will, once root is deleted, fail with an error that the view cannot be used for lack of privileges. So check in advance whether such views exist; if they do, change the DEFINER attribute of each one.
  Altering a view completes instantly, unless the view is in use by another SQL statement and therefore locked.
  - Listing views:
    select TABLE_SCHEMA, TABLE_NAME, VIEW_DEFINITION, DEFINER from information_schema.VIEWS;
  - Altering a view (views not owned by root are left unchanged for now):
    ALTER DEFINER=`x_admin`@`127.0.0.1` SQL SECURITY DEFINER VIEW v_name AS ...
- Stored procedures/functions
  The situation is the same as for views.
  - Listing stored procedures/functions:
    select ROUTINE_SCHEMA,ROUTINE_NAME,ROUTINE_TYPE,DEFINER from information_schema.ROUTINES;
  - or:
    select db,name,type,definer from mysql.proc;
  - Changing a stored routine's definer: mysql.proc can be updated directly.
    update mysql.proc set definer='x_admin@127.0.0.1' where db='db_name';
  - To change every database at once:
    update mysql.proc set definer='x_admin@127.0.0.1' ;
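A pre-flight audit for the two sections above, written as an added example rather than code from the original post: it takes rows already fetched from information_schema.VIEWS and information_schema.ROUTINES (the sample rows are constructed), picks out the objects owned by the root accounts this procedure deletes, and emits the ALTER VIEW and mysql.proc UPDATE statements the post uses, one per object, so non-root definers are never rewritten. The new user name, host and sample schema names are assumptions; the mysql.proc UPDATE applies to MySQL 5.x, since MySQL 8.0 removed that table.

```python
# Added example, not from the original post: pre-flight audit of DEFINER
# ownership before root is dropped. It consumes rows already fetched from
# information_schema.VIEWS / ROUTINES (sample rows below are constructed)
# and emits the migration statements the post uses. The mysql.proc UPDATE
# is for MySQL 5.x; MySQL 8.0 removed that table.

# Root accounts the procedure deletes; objects they own break once dropped.
DROPPED_ROOT_DEFINERS = {"root@127.0.0.1", "root@localhost", "root@::1"}

def quote_ident(name):
    """Backtick-quote an identifier, doubling embedded backticks."""
    return "`" + name.replace("`", "``") + "`"

def quote_str(value):
    """Single-quote a string literal, doubling embedded quotes."""
    return "'" + value.replace("'", "''") + "'"

def migrate_views(view_rows, new_user, new_host):
    """view_rows: (TABLE_SCHEMA, TABLE_NAME, VIEW_DEFINITION, DEFINER).
    One ALTER VIEW per root-owned view; other definers are left alone."""
    stmts = []
    for schema, name, definition, definer in view_rows:
        if definer in DROPPED_ROOT_DEFINERS:
            stmts.append(
                "ALTER DEFINER=%s@%s SQL SECURITY DEFINER VIEW %s.%s AS %s;"
                % (quote_ident(new_user), quote_ident(new_host),
                   quote_ident(schema), quote_ident(name), definition))
    return stmts

def migrate_routines(routine_rows, new_user, new_host):
    """routine_rows: (ROUTINE_SCHEMA, ROUTINE_NAME, ROUTINE_TYPE, DEFINER).
    One targeted UPDATE per root-owned routine, so the blanket
    'update mysql.proc set definer=...' never rewrites non-root owners."""
    stmts = []
    for schema, name, rtype, definer in routine_rows:
        if definer in DROPPED_ROOT_DEFINERS:
            stmts.append(
                "UPDATE mysql.proc SET definer=%s WHERE db=%s AND name=%s AND type=%s;"
                % (quote_str(new_user + "@" + new_host), quote_str(schema),
                   quote_str(name), quote_str(rtype)))
    return stmts

# Constructed sample rows standing in for the query results.
SAMPLE_VIEWS = [("shop", "v_orders", "select `o`.`id` AS `id` from `shop`.`orders` `o`", "root@localhost"),
                ("shop", "v_app", "select 1 AS `x`", "app@%")]
SAMPLE_ROUTINES = [("shop", "sp_close", "PROCEDURE", "root@127.0.0.1"),
                   ("shop", "f_tax", "FUNCTION", "app@%")]

if __name__ == "__main__":
    print("\n".join(migrate_views(SAMPLE_VIEWS, "x_admin", "127.0.0.1") + migrate_routines(SAMPLE_ROUTINES, "x_admin", "127.0.0.1")))
```

Run the generated statements as the new admin account before the drop user step, then re-run the two information_schema queries and confirm no root-owned objects remain.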
- Scripts that connect to MySQL as root
  This class of problem is easy to solve: create a dedicated account for each script that performs only the operations the script needs, named script_ or after the script itself. Grant just enough privilege for the job and no more.
  - Method: a script that adds the user (for batch execution across instances):
```python
#!/usr/bin/python
#-*- coding: UTF-8 -*-
# ########################################################################
# This program
# Version: 2.0.0 (2012-10-10)
# Authors: lianjie.ning@qunar.com
# History:
# ########################################################################
import os
import socket
import subprocess
import sys
import traceback
from ConfigParser import ConfigParser


class Finger(object):
    'finger.py'

    def __init__(self):
        print '---- %s, %s' % (socket.gethostname(), self.__doc__)

    def load_config(self, file="finger.ini"):
        # Write an empty template (owner-readable only, since it holds a
        # password) when no config exists, then stop so it can be filled in.
        if not os.path.exists(file):
            print file, "does not exist; an empty one was created, please fill it in"
            temp_ini = '''[conn_db]
login_pwd =
exec_sql =
'''
            open(file, 'w').write(temp_ini)
            os.chmod(file, 0600)
            sys.exit()
        config = ConfigParser()
        config.read(file)
        # Default both to None so a missing option fails visibly instead of
        # raising NameError on the return line.
        login_pwd = exec_sql = None
        if config.has_section('conn_db'):
            if config.has_option('conn_db', 'login_pwd'):
                login_pwd = config.get('conn_db', 'login_pwd')
            if config.has_option('conn_db', 'exec_sql'):
                exec_sql = config.get('conn_db', 'exec_sql')
        return (login_pwd, exec_sql)

    def grant_user(self, login_pwd, exec_sql):
        # Locate the mysql client binary.
        if os.path.exists('/usr/local/bin/mysql'):
            mysql = '/usr/local/bin/mysql'
        elif os.path.exists('/usr/bin/mysql'):
            mysql = '/usr/bin/mysql'
        elif os.path.exists('/bin/mysql'):
            mysql = '/bin/mysql'
        else:
            print "mysql command not found"
            sys.exit()
        user = 'xxxx'
        # Probe each local instance port and run exec_sql on those that answer.
        conn_port = [3306, 3307, 3308, 3309, 3310]
        for i in conn_port:
            ss = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            ss.settimeout(3)  # must be set before connect_ex to bound the probe
            address = ('127.0.0.1', int(i))
            status = ss.connect_ex(address)
            ss.close()
            if status == 0:
                # Note: -p<password> on the command line is visible to other
                # local users via ps; a --defaults-extra-file is the safer carrier.
                conn_mysql = '%s -u%s -p%s -h127.0.0.1 -P%d -N -s -e"%s"' % (mysql, user, login_pwd, i, exec_sql)
                # /dev/null must be opened for writing to serve as stdout.
                p = subprocess.call(conn_mysql, shell=True, stdout=open("/dev/null", 'w'))
                if p == 0:
                    print "---- checking port: %s is NORMAL" % i
                else:
                    print "---- checking port: %s is ERROR" % i


if __name__ == '__main__':
    try:
        process = Finger()
        (login_pwd, exec_sql) = process.load_config()
        process.grant_user(login_pwd, exec_sql)
    except Exception, e:
        print str(e)
        traceback.print_exc()
        sys.exit()
```