For any database, security is a very important matter. If a database has a security hole, the consequences range from data being stolen to data being destroyed, and for important databases those consequences are very serious. Below, MySQL security issues are discussed at two levels: the operating system and the database itself.

Operating-system-related security issues

Common operating-system security problems mainly arise during the installation and startup of MySQL.

1. Strictly control operating system accounts and permissions

On the database server, operating system accounts and permissions must be strictly controlled, for example:
- Lock the mysql user.
- Every other user logs in with their own separate account; administrators manage MySQL through the dedicated mysql user, or su from root to the mysql user to do the administration.
- Under the mysql user's home directory, change the owner of every file and directory other than the data file directory to root.

2. Avoid running MySQL as root wherever possible

After MySQL is installed, the data directory is usually owned by the mysql user and the MySQL software directory by root. The point of this is that when the database is started as the mysql user, no user with the FILE privilege can create files as root. If the database is started as root instead, any user with the FILE privilege can read and write root's files, which is a serious security risk for the system.

3. Prevent DNS spoofing

When creating a user, the host can be given as a domain name or an IP address. Specifying a domain name brings the following risk: if the IP address the domain name resolves to is maliciously changed, the database ends up being accessed from a malicious IP address.
Database-related security issues

Most common database problems are caused by poor account management, so security awareness around account management needs to be strengthened.

1. Remove anonymous accounts

In some versions, an empty (anonymous) account is installed automatically along with MySQL, with full privileges on the test database. An ordinary user only has to run the mysql command to log in to MySQL; the anonymous user is then used by default, and all kinds of operations can be performed in the test database, such as creating a huge table that occupies a large amount of disk space, which poses a security risk to the system.

2. Set a password for the root account

After installation, root's password is empty by default and must be changed right away:

set password=password('newpassword');

3. Set a secure password

Password security shows in the following two aspects:
- Choose a secure password: a string of at least 6 characters mixing letters, digits, underscores and some special characters is recommended;
- Secure use: while the password is in use, keep the process of using it secure, so that it cannot be stolen by others.

The first point needs no explanation: the longer, more complex and less regular the password, the more secure it is. As for the second point, in daily work passwords are generally used in the following ways.
(1) Write the password directly on the command line.

mysql -uroot -p123

(2) Enter the password interactively.

mysql -uroot -p

(3) Put the user name and password in a configuration file that is read automatically on connection, for example when an application connects to the database or when batch scripts are run. For this case MySQL provides a way to write the connection information into my.cnf:

[client]
user=username
password=password

Then restrict the permissions on the configuration file strictly, for example:

chmod 600 my.cnf

These are the three common ways of using a password. Clearly the first is the least secure, because the password is written out in clear text; the second is fairly secure, but can only be used in an interactive session; the third is convenient, but the configuration file needs strict access permissions, and any user who can log in to the operating system may be able to log in to the database automatically, which carries some risk.

The third method is not used very often; here is an example of it.
(1) Running mysql cannot log in.

[root@iZ28dr6w0qvZ ~]# mysql
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)

(2) Edit the configuration file and add the connection information.

[root@iZ28dr6w0qvZ ~]# vim /etc/my.cnf
...
[client]
#password = your_password
user=cqh
password=123

(3) After restarting the database, run mysql.

[root@iZ28dr6w0qvZ ~]# service mysqld restart
Shutting down MySQL... SUCCESS!
Starting MySQL.. SUCCESS!
[root@iZ28dr6w0qvZ ~]# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.5.37-log MySQL Community Server (GPL)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select current_user();
+----------------+
| current_user() |
+----------------+
| cqh@localhost  |
+----------------+
1 row in set (0.02 sec)
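As an added example (not part of the original article), a Python check for the third method: it audits an option file that stores a [client] password for the 0600 mode just recommended, for ownership by the connecting user, and for the 6-character minimum from the password guidance above. The sample file and paths are constructed.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample option file in the shape of the [client] section above.
SAMPLE_MY_CNF = "[client]\nuser=cqh\npassword=123\n"


def audit_client_config(path):
    """Audit a MySQL option file that stores a [client] password.

    Returns a list of findings; an empty list means the file passes:
    mode 0600, owned by the caller, and any stored password at least
    6 characters long (the minimum the text recommends)."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)

    # Any group/other bit means another local account can read the
    # password (or rewrite the file to point the client elsewhere).
    if mode & 0o077:
        findings.append("mode %04o allows group/other access; expected 0600" % mode)

    # The file should belong to the account that runs the client.
    if st.st_uid != os.getuid():
        findings.append("file is not owned by the current user")

    # my.cnf is INI-like: '#' comments and options without '=' are legal,
    # so allow_no_value is needed; strict=False tolerates repeated keys.
    cfg = configparser.ConfigParser(allow_no_value=True, strict=False,
                                    interpolation=None)
    cfg.read(path)
    if cfg.has_section("client") and cfg.has_option("client", "password"):
        password = cfg.get("client", "password") or ""
        if len(password) < 6:
            findings.append("[client] password is shorter than 6 characters")
    return findings


def demo():
    """Write the constructed sample twice: once as a careless 0644 file with
    the weak password from the article, once hardened. Returns both results."""
    with tempfile.TemporaryDirectory() as workdir:
        loose = os.path.join(workdir, "loose.cnf")
        with open(loose, "w") as fh:
            fh.write(SAMPLE_MY_CNF)
        os.chmod(loose, 0o644)
        loose_findings = audit_client_config(loose)

        tight = os.path.join(workdir, "tight.cnf")
        with open(tight, "w") as fh:
            fh.write(SAMPLE_MY_CNF.replace("password=123", "password=Xk9_t2!qz"))
        os.chmod(tight, 0o600)
        tight_findings = audit_client_config(tight)
    return loose_findings, tight_findings


if __name__ == "__main__":
    for label, result in zip(("0644 file", "0600 file"), demo()):
        print(label, "->", result or "OK")
```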
4. Grant accounts only the privileges they need

Grant ordinary users only the privileges they actually need, for example:

grant select,insert,update,delete on tablename to 'username'@'hostname';

In many cases DBAs, for convenience, habitually grant users all privileges. What exactly does all privileges include? Look at the following example:

mysql> select * from db where user='cqh'\G
*************************** 1. row ***************************
                 Host: localhost
                   Db: test
                 User: cqh
          Select_priv: Y
          Insert_priv: Y
          Update_priv: Y
          Delete_priv: Y
          Create_priv: Y
            Drop_priv: Y
           Grant_priv: N
      References_priv: Y
           Index_priv: Y
           Alter_priv: Y
Create_tmp_table_priv: Y
     Lock_tables_priv: Y
     Create_view_priv: Y
       Show_view_priv: Y
  Create_routine_priv: Y
   Alter_routine_priv: Y
         Execute_priv: Y
           Event_priv: Y
         Trigger_priv: Y
1 row in set (0.00 sec)

The privileges contained in all privileges go far beyond what a typical application needs. Moreover, some of them, such as drop_priv, have very serious consequences if misused. Therefore, the more specific the privileges granted to a user, the safer the database.
5. Apart from root, no user should have access privileges on the user table in the mysql database

Because privileges in MySQL can be added, removed and changed by modifying the user table of the mysql database, no user other than root should have access privileges (SELECT, UPDATE, INSERT, DELETE and so on) on the user table; otherwise the system is exposed to a security risk. The following example grants the ordinary user cqh access privileges on the user table to show what risk this creates for the system.

(1) Create an ordinary user chenqionghe with various privileges on the user table of the mysql database.

[root@iZ28dr6w0qvZ ~]# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 103
Server version: 5.5.37-log MySQL Community Server (GPL)

mysql> grant select,update,insert,delete on mysql.user to chenqionghe@localhost;
Query OK, 0 rows affected (0.00 sec)

(2) Use chenqionghe to update root's privileges.

[root@iZ28dr6w0qvZ ~]# mysql -uchenqionghe
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 106
Server version: 5.5.37-log MySQL Community Server (GPL)

mysql> use mysql;
Database changed
mysql> update user set password=password('abcd') where user='root' and host='localhost';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

(3) Once the database is restarted or root flushes the privilege tables, root's password has already been changed at login.

[root@iZ28dr6w0qvZ ~]# mysql -uroot -pabcd
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.5.37-log MySQL Community Server (GPL)
6. Do not grant the FILE, PROCESS or SUPER privileges to any account other than administrators

The FILE privilege mainly has the following effects:

Database contents can be written out as text files, via SELECT ... INTO OUTFILE ..., into any directory on the server that is writable; the writable directories are those the operating system user MySQL was started as can write to.

Any readable text file can be written into a table with the LOAD DATA INFILE ... command; if important information ends up stored in those tables, this poses a great security risk to the system.

The following example describes in detail the risks the FILE privilege can cause.

(1) Connect to the database and create a test table t.

[root@iZ28dr6w0qvZ ~]# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.5.37-log MySQL Community Server (GPL)

mysql> use test;
Database changed
mysql> create table t (name varchar(500));
Query OK, 0 rows affected (0.02 sec)

(2) Load the /etc/passwd file into table t.

mysql> load data infile '/etc/passwd' into table t;
Query OK, 23 rows affected (0.01 sec)
Records: 23  Deleted: 0  Skipped: 0  Warnings: 0

(3) View the contents of t.

mysql> select * from t;
+----------------------------------------------------------------------+
| name                                                                 |
+----------------------------------------------------------------------+
| root:x:0:0:root:/root:/bin/bash                                      |
| bin:x:1:1:bin:/bin:/sbin/nologin                                     |
| daemon:x:2:2:daemon:/sbin:/sbin/nologin                              |
| adm:x:3:4:adm:/var/adm:/sbin/nologin                                 |
| lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin                             |
| sync:x:5:0:sync:/sbin:/bin/sync                                      |
| shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown                         |
| halt:x:7:0:halt:/sbin:/sbin/halt                                     |
| mail:x:8:12:mail:/var/spool/mail:/sbin/nologin                       |
| uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin                      |
| operator:x:11:0:operator:/root:/sbin/nologin                         |
| games:x:12:100:games:/usr/games:/sbin/nologin                        |
| gopher:x:13:30:gopher:/var/gopher:/sbin/nologin                      |
| ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin                          |
| nobody:x:99:99:Nobody:/:/sbin/nologin                                |
| vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin         |
| ntp:x:38:38::/etc/ntp:/sbin/nologin                                  |
| saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin |
| postfix:x:89:89::/var/spool/postfix:/sbin/nologin                    |
| sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin   |
| nscd:x:28:28:NSCD Daemon:/:/sbin/nologin                             |
| www:x:500:500::/alidata/www:/sbin/nologin                            |
| mysql:x:501:501::/home/mysql:/sbin/nologin

In this way the contents of /etc/passwd, which holds important user information, are written into table t, creating a security risk.
The PROCESS privilege can be used to run the "show processlist" command, which shows the clear text of the queries currently being executed by all users, including queries that set or change passwords. By default every user can run "show processlist", but only sees their own threads. Poor management of the PROCESS privilege may therefore let ordinary users see the commands executed by the administrator.

The following example grants the PROCESS privilege to an ordinary user to see what security risk that creates.

(1) Grant the PROCESS privilege to the ordinary user:

[root@iZ28dr6w0qvZ ~]# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 26
Server version: 5.5.37-log MySQL Community Server (GPL)

mysql> show processlist;
+----+------+-----------+------+---------+------+-------+------------------+
| Id | User | Host      | db   | Command | Time | State | Info             |
+----+------+-----------+------+---------+------+-------+------------------+
|  2 | root | localhost | NULL | Sleep   |   53 |       | NULL             |
| 26 | root | localhost | NULL | Query   |    0 | NULL  | show processlist |
+----+------+-----------+------+---------+------+-------+------------------+
2 rows in set (0.00 sec)

mysql> grant process on *.* to 'cqh'@'localhost';
Query OK, 0 rows affected (0.00 sec)

(2) Lock the user table so that the thread blocks, making it easy for the user to see the thread's content:

mysql> lock table user read;
Query OK, 0 rows affected (0.00 sec)

(3) Open another session and run a password change as root; because the user table is locked, this thread blocks and hangs.

[root@iZ28dr6w0qvZ ~]# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 27
Server version: 5.5.37-log MySQL Community Server (GPL)

mysql> set password=password('123');

(4) Open a third session, log in as cqh and run show processlist:

[root@iZ28dr6w0qvZ ~]# mysql -ucqh
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 31
Server version: 5.5.37-log MySQL Community Server (GPL)

mysql> show processlist;
+----+------+-----------+-------+---------+------+------------------------------+------------------------------+
| Id | User | Host      | db    | Command | Time | State                        | Info                         |
+----+------+-----------+-------+---------+------+------------------------------+------------------------------+
| 26 | root | localhost | mysql | Sleep   |   20 |                              | NULL                         |
| 27 | root | localhost | NULL  | Query   |   15 | Waiting for table level lock | set password=password('123') |
| 31 | cqh  | localhost | NULL  | Query   |    0 | NULL                         | show processlist             |
+----+------+-----------+-------+---------+------+------------------------------+------------------------------+
3 rows in set (0.00 sec)

As can be seen, the thread list shown to cqh clearly reveals root's password change, including the password in clear text, which is a serious security risk to the system.
The SUPER privilege allows running the kill command to terminate other users' threads. In the example below, once an ordinary user has the SUPER privilege, they can kill any user's thread at will.

(1) After logging in, cqh tries to kill root's password-change thread (thread 27).

mysql> show processlist;
+----+------+-----------+-------+---------+------+------------------------------+------------------------------+
| Id | User | Host      | db    | Command | Time | State                        | Info                         |
+----+------+-----------+-------+---------+------+------------------------------+------------------------------+
| 26 | root | localhost | mysql | Sleep   |   20 |                              | NULL                         |
| 27 | root | localhost | NULL  | Query   |   15 | Waiting for table level lock | set password=password('123') |
| 31 | cqh  | localhost | NULL  | Query   |    0 | NULL                         | show processlist             |
+----+------+-----------+-------+---------+------+------------------------------+------------------------------+
3 rows in set (0.00 sec)

mysql> kill 27;
ERROR 1095 (HY000): You are not owner of thread 27

(2) After the kill fails, root grants cqh the super privilege:

mysql> grant super on *.* to cqh@localhost;
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for cqh@localhost;
+--------------------------------------------------+
| Grants for cqh@localhost                         |
+--------------------------------------------------+
| GRANT PROCESS, SUPER ON *.* TO 'cqh'@'localhost' |
+--------------------------------------------------+
1 row in set (0.00 sec)

(3) Killing root's thread again now succeeds:

[root@iZ28dr6w0qvZ ~]# mysql -ucqh
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 40
Server version: 5.5.37-log MySQL Community Server (GPL)

mysql> show processlist;
+----+------+-----------+-------+---------+------+------------------------------+------------------------------+
| Id | User | Host      | db    | Command | Time | State                        | Info                         |
+----+------+-----------+-------+---------+------+------------------------------+------------------------------+
| 26 | root | localhost | mysql | Sleep   |   20 |                              | NULL                         |
| 27 | root | localhost | NULL  | Query   |   15 | Waiting for table level lock | set password=password('123') |
| 31 | cqh  | localhost | NULL  | Query   |    0 | NULL                         | show processlist             |
+----+------+-----------+-------+---------+------+------------------------------+------------------------------+
3 rows in set (0.00 sec)

mysql> kill 27;
Query OK, 0 rows affected (0.00 sec)

The examples above show the security risks that the three administrative privileges FILE, PROCESS and SUPER can bring; therefore, do not grant them to ordinary users, only to administrators.
7. Security problems brought by LOAD DATA LOCAL

By default LOAD DATA reads a file on the server, but with the LOCAL keyword it can load any file the client has access to into the database. While convenient, this brings the following security problem.

Any local file can be loaded into the database.

In a Web environment, where clients connect from a Web server, a user could use the LOAD DATA LOCAL statement to read any file the Web server process has read access to (assuming the user can run any command against the SQL server). In this environment the client of the MySQL server is actually the Web server, not a program run by the user who connects to the Web server.

The solution is to start mysqld with the --local-infile=0 option, which disables all LOAD DATA LOCAL commands on the server side.

For the mysql command-line client, LOAD DATA LOCAL can be enabled by specifying the --local-infile[=1] option, or disabled with --local-infile=0. Similarly, for mysqlimport the --local or -L option enables local file loading. In every case, a successful local load requires the server to have the corresponding option enabled.
8. DROP TABLE does not revoke previously granted access privileges

When a table is dropped, other users' privileges on that table are not revoked. When a table of the same name is created again, the privileges other users previously had on it are applied to it automatically, and privileges leak as a result. Therefore, when dropping a table, also revoke the other users' privileges on that table.

The following example shows the risk of not revoking the related access grants.

(1) As root, create user cqh and grant the select privilege on all tables under test:

mysql> grant select on test.* to cqh@localhost;
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for cqh@localhost;
+-----------------------------------------------+
| Grants for cqh@localhost                      |
+-----------------------------------------------+
| GRANT USAGE ON *.* TO 'cqh'@'localhost'       |
| GRANT SELECT ON `test`.* TO 'cqh'@'localhost' |
+-----------------------------------------------+
2 rows in set (0.00 sec)

(2) Log in as cqh and test the privileges:

[root@iZ28dr6w0qvZ ~]# mysql -ucqh
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 287
Server version: 5.5.37-log MySQL Community Server (GPL)

mysql> use test;
Database changed
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| menu           |
| salary         |
| t              |
| t1             |
| t12            |
| t2             |
+----------------+
6 rows in set (0.00 sec)

(3) Log in as root and drop table t12:

[root@iZ28dr6w0qvZ ~]# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 288
Server version: 5.5.37-log MySQL Community Server (GPL)

mysql> use test;
Database changed
mysql> drop table t12;
Query OK, 0 rows affected (0.00 sec)

(4) Log in as cqh and test the privileges again:

[root@iZ28dr6w0qvZ ~]# mysql -ucqh
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 290
Server version: 5.5.37-log MySQL Community Server (GPL)

mysql> use test;
Database changed
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| menu           |
| salary         |
| t              |
| t1             |
| t2             |
+----------------+
5 rows in set (0.00 sec)

(5) Table t12 is no longer visible.

mysql> show grants for cqh@localhost;
+-----------------------------------------------+
| Grants for cqh@localhost                      |
+-----------------------------------------------+
| GRANT USAGE ON *.* TO 'cqh'@'localhost'       |
| GRANT SELECT ON `test`.* TO 'cqh'@'localhost' |
+-----------------------------------------------+
2 rows in set (0.00 sec)

The grants still show the SELECT privilege on all tables under test (security hole).

(6) Log in as root again and create table t12:

[root@iZ28dr6w0qvZ ~]# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 292
Server version: 5.5.37-log MySQL Community Server (GPL)

mysql> use test;
Database changed
mysql> create table t12(id int);
Query OK, 0 rows affected (0.03 sec)

(7) Log in as cqh; the privilege on t12 still exists:

[root@iZ28dr6w0qvZ ~]# mysql -ucqh
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 293
Server version: 5.5.37-log MySQL Community Server (GPL)

mysql> use test;
Database changed
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| menu           |
| salary         |
| t              |
| t1             |
| t12            |
| t2             |
+----------------+
6 rows in set (0.00 sec)

Therefore, after a table is dropped, other users' privileges on it are not revoked automatically; remember to revoke them by hand.
9. Use SSL

SSL (Secure Socket Layer) is a secure transport protocol, originally developed by Netscape to protect data transmitted over the Internet; using data encryption, it ensures that data cannot be intercepted or eavesdropped on while in transit over the network.

The services the SSL protocol provides are mainly:
(1) authenticating the user and the server, ensuring data is sent to the correct client and server;
(2) encrypting data to prevent it from being stolen in transit;
(3) maintaining data integrity, ensuring data is not altered during transmission.

In MySQL, to use SSL for secure transport, the "--ssl" option must be set on the command line or in the option file.

For the server, the "ssl" option specifies that the server permits SSL connections. For client programs, it permits the client to connect to the server using SSL. This option alone is not sufficient to use an SSL connection; the --ssl-ca, --ssl-cert and --ssl-key options must also be specified. To leave SSL disabled, specify --skip-ssl or --ssl=0.

Note that if the server or client was compiled without SSL support, an ordinary unencrypted connection is used.

The reliable way to ensure SSL is used is to create an account on the server with a GRANT statement containing a REQUIRE SSL clause and then connect with that account; both the server and the client must have SSL support enabled. The following example creates an account with a REQUIRE SSL clause:

mysql> grant select on *.* to cqh identified by '123' REQUIRE ssl;
Query OK, 0 rows affected (0.00 sec)

- --ssl-ca=file_name: path to a file containing the list of trusted SSL CAs
- --ssl-cert=file_name: name of the SSL certificate file used to establish the secure connection
- --ssl-key=file_name: name of the SSL key file used to establish the secure connection

10. Where possible, restrict every user to specific access IPs

For the database, we want every incoming client connection to be a trusted one, so it is very necessary, when creating a user, to specify the server IP or HOSTNAME allowed to connect; only connections from an authorised IP or HOSTNAME can then access the database.
11. A pitfall of the REVOKE command

When a user has been granted privileges several times and, for whatever reason, all of that user's privileges need to be removed, the REVOKE command may not do what we intend. Look at the following example.

(1) Grant the user privileges twice in a row; the second grant is all privileges on all databases.

mysql> grant select,insert on test.* to cqh@localhost;
Query OK, 0 rows affected (0.00 sec)

mysql> grant all privileges on *.* to cqh@localhost;
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for cqh@localhost;
+-------------------------------------------------------+
| Grants for cqh@localhost                              |
+-------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'cqh'@'localhost'      |
| GRANT SELECT, INSERT ON `test`.* TO 'cqh'@'localhost' |
+-------------------------------------------------------+
2 rows in set (0.00 sec)

(2) Now all of the user's privileges need to be revoked.

mysql> revoke all privileges on *.* from cqh@localhost;
Query OK, 0 rows affected (0.00 sec)

(3) We might well assume that the user now has no privileges at all and never look at the grant table again. In fact, the user still has the SELECT and INSERT privileges on test.

mysql> show grants for cqh@localhost;
+-------------------------------------------------------+
| Grants for cqh@localhost                              |
+-------------------------------------------------------+
| GRANT USAGE ON *.* TO 'cqh'@'localhost'               |
| GRANT SELECT, INSERT ON `test`.* TO 'cqh'@'localhost' |
+-------------------------------------------------------+
2 rows in set (0.00 sec)

(4) Log in as cqh again and test whether operations on the test database are still possible.

[root@iZ28dr6w0qvZ ~]# mysql -ucqh
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 395
Server version: 5.5.37-log MySQL Community Server (GPL)

mysql> use test;
Database changed
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| menu           |
| salary         |
| t              |
| t1             |
| t12            |
| t2             |
+----------------+
6 rows in set (0.00 sec)

mysql> insert into t1 values (1);
Query OK, 1 row affected (0.01 sec)

This is a pitfall created by MySQL's privilege mechanism: privileges granted repeatedly on the same database are merged automatically, but privileges granted on several databases are treated as a separate set of privileges for each database, and each must be revoked individually with a REVOKE on that database; REVOKE ALL PRIVILEGES ON *.* does not do this for you.
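As an added example (not code from the original article), a small Python audit over SHOW GRANTS rows serving both the REVOKE pitfall just described and the earlier section on FILE, PROCESS and SUPER: it parses each row, reports administrative privileges held at any scope, and generates the per-scope REVOKE statements that a single REVOKE ALL PRIVILEGES ON *.* leaves behind. The grant rows are constructed in the shape the article prints; column-level privilege lists are not handled.

```python
import re

# Constructed SHOW GRANTS rows. The first set is the state left after
# 'revoke all privileges on *.*' in the example above; the second is the
# account that was given PROCESS and SUPER in the earlier section.
GRANTS_AFTER_REVOKE = [
    "GRANT USAGE ON *.* TO 'cqh'@'localhost'",
    "GRANT SELECT, INSERT ON `test`.* TO 'cqh'@'localhost'",
]
GRANTS_WITH_ADMIN = [
    "GRANT PROCESS, SUPER ON *.* TO 'cqh'@'localhost'",
    "GRANT SELECT ON `test`.* TO 'cqh'@'localhost'",
]

# Privileges the article reserves for administrators.
ADMIN_ONLY = {"FILE", "PROCESS", "SUPER", "ALL PRIVILEGES"}

# One grant row: privilege list, scope (*.*, `db`.*, `db`.`table`), account,
# and whatever follows (WITH GRANT OPTION, REQUIRE SSL, ...).
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO (?P<user>'[^']*'@'[^']*')(?P<rest>.*)$"
)


def parse_grant(row):
    """Split one SHOW GRANTS row into its parts."""
    m = GRANT_RE.match(row.strip())
    if m is None:
        raise ValueError("unrecognised grant row: %r" % row)
    return {
        "privs": [p.strip().upper() for p in m.group("privs").split(",")],
        "scope": m.group("scope"),
        "user": m.group("user"),
        "grant_option": "WITH GRANT OPTION" in m.group("rest").upper(),
    }


def admin_privileges(rows):
    """Administrative privileges the account holds at any scope."""
    found = set()
    for row in rows:
        found.update(p for p in parse_grant(row)["privs"] if p in ADMIN_ONLY)
    return found


def revoke_statements(rows):
    """REVOKE statements needed to strip every privilege at every scope.

    Each scope is handled on its own, which is exactly what a single
    'REVOKE ALL PRIVILEGES ON *.*' does not do. USAGE is the placeholder
    for 'no privileges' and is skipped because it cannot be revoked."""
    statements = []
    for row in rows:
        g = parse_grant(row)
        privs = [p for p in g["privs"] if p != "USAGE"]
        if g["grant_option"]:
            statements.append("REVOKE GRANT OPTION ON %s FROM %s;" % (g["scope"], g["user"]))
        if privs:
            statements.append("REVOKE %s ON %s FROM %s;" % (", ".join(privs), g["scope"], g["user"]))
    return statements


if __name__ == "__main__":
    print("left behind by REVOKE ALL ON *.*:", revoke_statements(GRANTS_AFTER_REVOKE))
    print("admin privileges held:", sorted(admin_privileges(GRANTS_WITH_ADMIN)))
```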
That is everything I have to pass on to you; don't forget to give it a like!