Security issues in MySQL database administration (Part 1)

Source: Internet    Editor: 程序博客网 (Programming Blog)    Time: 2024/05/18 03:36

   I have seen a few posts online where an interviewee was asked how they understand the security issues of a MySQL database. Many of those problems come down to accounts that are managed improperly.

  1 Delete the anonymous account

           In the MySQL versions of this era, a fresh installation comes with an anonymous account by default: simply running the mysql command is enough to log in. As follows:

Run mysql with no arguments, log in to the database, and switch to the test database:

 [xkyx80@localhost ~]$ mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 488
Server version: 5.5.20-log Source distribution

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| test               |
+--------------------+
2 rows in set (0.00 sec)

mysql> ues test;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ues test' at line 1
mysql> use test;
Database changed
mysql> show tables;
+-------------------+
| Tables_in_test    |
+-------------------+
| gonghui2          |
| item              |
| site              |
| tbl_ad_monitor_ip |
| test              |
| test2             |
| test_             |
| test_level        |
| tx                |
+-------------------+
9 rows in set (0.00 sec)

So what privileges does it have? First check which account the session is running as, then look at the user table in the mysql database. Note that USER() reports the user name and host the client sent, while CURRENT_USER() reports the account the server actually matched in mysql.user; the latter is what decides the privileges.

mysql> select user();
+----------------+
| user()         |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)

mysql> select * from mysql.user \G;

                  Host: localhost.localdomain
                  User:
              Password:
           Select_priv: N
           Insert_priv: N
           Update_priv: N
           Delete_priv: N
           Create_priv: N
             Drop_priv: N
           Reload_priv: N
         Shutdown_priv: N
          Process_priv: N
             File_priv: N
            Grant_priv: N
       References_priv: N
            Index_priv: N
            Alter_priv: N
          Show_db_priv: N
            Super_priv: N
 Create_tmp_table_priv: N
      Lock_tables_priv: N
          Execute_priv: N
       Repl_slave_priv: N
      Repl_client_priv: N
      Create_view_priv: N
        Show_view_priv: N
   Create_routine_priv: N
    Alter_routine_priv: N
      Create_user_priv: N
            Event_priv: N
          Trigger_priv: N
Create_tablespace_priv: N
              ssl_type:
            ssl_cipher:
           x509_issuer:
          x509_subject:
         max_questions: 0
           max_updates: 0
       max_connections: 0
  max_user_connections: 0
                plugin:
 authentication_string: NULL

This means any ordinary OS user can log in to MySQL and, for example, create tables, including very large ones. Every *_priv column is N for this account, but the default rows in mysql.db grant all privileges on the test database (and on any database named test_...) to every user, the anonymous one included, which is exactly what the session above was able to use. It is recommended to delete this account, or at the very least give it a password.
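The clean-up for the situation above, written as an added example rather than taken from the original post. It assumes a MySQL 5.5 server (the version in the transcript) and a session that is already authenticated as root; the host values in the DROP USER statements are placeholders that you should replace with the hosts your own mysql.user query returns.

```sql
-- Added example, not part of the original post. Run as root on MySQL 5.5.

-- Which account did this session really authenticate as?
-- USER() echoes what the client sent; CURRENT_USER() is the matched account.
SELECT USER(), CURRENT_USER();

-- Anonymous accounts have an empty User column; there is one row per Host.
SELECT Host, User FROM mysql.user WHERE User = '';

-- Even with every *_priv = N in mysql.user, the stock rows in mysql.db
-- give any user (User = '') full rights on `test` and `test\_%`.
SELECT Host, Db, User, Create_priv, Drop_priv
FROM mysql.db
WHERE User = '';

-- Remove the anonymous accounts. DROP USER also deletes the grant-table
-- rows belonging to each exact ''@host pair. Hosts below are placeholders:
-- use the values returned by the first SELECT on mysql.user.
DROP USER ''@'localhost';
DROP USER ''@'localhost.localdomain';

-- The stock mysql.db rows use Host = '%', so DROP USER leaves them behind.
-- Remove the world-writable test database together with those rows.
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\\_%';
FLUSH PRIVILEGES;

-- Verify: no anonymous account and no anonymous grant rows remain.
SELECT COUNT(*) AS anonymous_accounts FROM mysql.user WHERE User = '';
SELECT COUNT(*) AS anonymous_db_grants FROM mysql.db   WHERE User = '';
```

The DELETE on mysql.db is the same statement mysql_secure_installation issues; the doubled backslash is needed because the stock row stores the pattern `test\_%` literally. After this, an unauthenticated `mysql` invocation is refused instead of landing in the test database.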

2 Set a password on the root account

  Once MySQL is installed, set a password on the root account:

 [xkyx80@localhost ~]$ mysql -uroot
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 490
Server version: 5.5.20-log Source distribution

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> set password=password('new_password');
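One caveat a practitioner wants here: SET PASSWORD without a FOR clause only changes the account the current session is using, and a stock 5.5 installation creates several root rows (localhost, 127.0.0.1, ::1 and the machine's hostname). The following is an added example, not code from the original post; the password is a placeholder and the host list is an assumption to be replaced by whatever the first query returns.

```sql
-- Added example, not part of the original post. MySQL 5.5 syntax.

-- Every root row that still has an empty password is a free login.
SELECT Host, User, (Password = '') AS no_password
FROM mysql.user
WHERE User = 'root';

-- Set the password on each root@host row explicitly. The hosts here are
-- the usual ones from a 5.5 install; use the rows the SELECT above lists.
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('Str0ng-Pl4ceholder!');
SET PASSWORD FOR 'root'@'127.0.0.1' = PASSWORD('Str0ng-Pl4ceholder!');
SET PASSWORD FOR 'root'@'::1'       = PASSWORD('Str0ng-Pl4ceholder!');

-- Root logins from other machines are rarely needed; a root@<hostname>
-- row is better dropped than given a password. Placeholder host name:
-- DROP USER 'root'@'dbhost.example';

-- Verify that no account at all is left without a password.
SELECT Host, User FROM mysql.user WHERE Password = '';

-- On MySQL 5.7.6 and later the PASSWORD() function and the Password column
-- are gone (the column is authentication_string); the equivalent there is:
-- ALTER USER 'root'@'localhost' IDENTIFIED BY 'Str0ng-Pl4ceholder!';
```

No FLUSH PRIVILEGES is needed after SET PASSWORD, because account-management statements reload the grant tables themselves.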

3 Use a secure password

      1 Make the password as complex as practical: a mix of letters, digits and special characters.

      2 Protect it in use so it cannot be stolen. When logging in to MySQL, use the interactive method and type the password at the prompt (mysql -u root -p, with nothing after -p). A password supplied on the command line as -pSECRET shows up in the shell history and in the process list of every user on the host.

4  Grant an account only the privileges it needs. If it only has to read, insert, update and delete rows, grant exactly select, update, insert and delete on the databases it uses, nothing more. Be specific about the scope. Granting a user ALL PRIVILEGES, especially globally on *.*, is dangerous: it includes FILE (reading and writing files on the server host), SUPER, PROCESS and SHUTDOWN, which are administrative powers an application never needs.
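The least-privilege grant described above, side by side with the over-broad form it replaces, as an added example that is not from the original post. The account names, the database name appdb and the 10.0.0.% source network are placeholders; the password is a placeholder too.

```sql
-- Added example, not part of the original post. MySQL 5.5 syntax.

-- Dangerous (kept as a comment so it cannot be run by accident):
-- global ALL PRIVILEGES includes FILE, SUPER, PROCESS and SHUTDOWN, and
-- WITH GRANT OPTION lets the account hand those out to others.
-- GRANT ALL PRIVILEGES ON *.* TO 'app'@'%' IDENTIFIED BY 'x' WITH GRANT OPTION;

-- Hardened: one database, one source network, exactly the four CRUD rights.
CREATE USER 'app'@'10.0.0.%' IDENTIFIED BY 'Str0ng-Pl4ceholder!';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'10.0.0.%';

-- A reporting account needs even less.
CREATE USER 'report'@'10.0.0.%' IDENTIFIED BY 'An0ther-Pl4ceholder!';
GRANT SELECT ON appdb.* TO 'report'@'10.0.0.%';

-- SHOW GRANTS is the authoritative view of what an account can do;
-- the USAGE line it prints for *.* means "no global privileges".
SHOW GRANTS FOR 'app'@'10.0.0.%';
SHOW GRANTS FOR 'report'@'10.0.0.%';

-- Audit the whole server for accounts holding administrative privileges
-- that an application account should never have.
SELECT Host, User
FROM mysql.user
WHERE File_priv = 'Y' OR Super_priv = 'Y'
   OR Process_priv = 'Y' OR Grant_priv = 'Y' OR Shutdown_priv = 'Y';

-- Remediation for an account that was over-granted earlier: take away
-- everything, then grant back only the scoped set.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'app'@'10.0.0.%';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'10.0.0.%';
```

Restricting the host part of the account ('app'@'10.0.0.%' rather than 'app'@'%') matters as much as the privilege list: a leaked application password is then only usable from the application's own network.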


     from: reading notes on 深入浅出MySQL