Do not grant the FILE, PROCESS or SUPER privileges to any user other than the administrator
[root@test81 mysql]# bin/mysql -uroot -pabcd
mysql> use mysql
mysql> create table t1 (name varchar(500));
mysql> load data infile '/etc/passwd' into table t1;
+----------------------------------------------------------------------------+
| name |
+----------------------------------------------------------------------------+
| root:x:0:0:root:/root:/bin/bash |
| bin:x:1:1:bin:/bin:/sbin/nologin |
| daemon:x:2:2:daemon:/sbin:/sbin/nologin |
| adm:x:3:4:adm:/var/adm:/sbin/nologin |
| lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin |
| sync:x:5:0:sync:/sbin:/bin/sync |
| shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown |
| halt:x:7:0:halt:/sbin:/sbin/halt |
| mail:x:8:12:mail:/var/spool/mail:/sbin/nologin |
| news:x:9:13:news:/etc/news: |
| uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin |
| operator:x:11:0:operator:/root:/sbin/nologin |
| games:x:12:100:games:/usr/games:/sbin/nologin |
| gopher:x:13:30:gopher:/var/gopher:/sbin/nologin |
| ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin |
| nobody:x:99:99:Nobody:/:/sbin/nologin |
| nscd:x:28:28:NSCD Daemon:/:/sbin/nologin |
| vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin |
| rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin |
| exim:x:93:93::/var/spool/exim:/sbin/nologin |
| pcap:x:77:77::/var/arpwatch:/sbin/nologin |
| ntp:x:38:38::/etc/ntp:/sbin/nologin |
| dbus:x:81:81:System message bus:/:/sbin/nologin |
| avahi:x:70:70:Avahi daemon:/:/sbin/nologin |
| sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin |
| rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin |
| nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin |
| haldaemon:x:68:68:HAL daemon:/:/sbin/nologin |
| avahi-autoipd:x:100:102:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin |
| xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin |
| sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin |
| mysql:x:500:500::/home/mysql:/bin/bash |
| sky:x:501:501::/home/sky:/bin/bash |
+----------------------------------------------------------------------------+
If z3 is granted the FILE privilege:
mysql> grant file on *.* to z3@localhost
then after z3 logs in, inside a database it has privileges on,
mysql> create table t2 (name varchar(100));
mysql> load data infile '/etc/passwd' into table t2;
the same result is obtained.
As for table locking (the PROCESS part), the experiment did not succeed; I will leave it for next time.
The SUPER privilege
mysql> grant super on *.* to z4@localhost;
Query OK, 0 rows affected (0.00 sec)
After logging in as z4:
mysql> show processlist;
+----+------+-----------+-------+---------+------+-------+------------------+
| Id | User | Host | db | Command | Time | State | Info |
+----+------+-----------+-------+---------+------+-------+------------------+
| 4 | z1 | localhost | NULL | Sleep | 468 | | NULL |
| 8 | root | localhost | mysql | Sleep | 19 | | NULL |
| 15 | z4 | localhost | NULL | Query | 0 | NULL | show processlist |
+----+------+-----------+-------+---------+------+-------+------------------+
3 rows in set (0.00 sec)
mysql> kill 4;
Query OK, 0 rows affected (0.00 sec)
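As an added example, not part of the original post: a root-side audit that lists which accounts hold FILE, PROCESS or SUPER and removes them from the non-admin accounts used above (z3 holds FILE, z4 holds SUPER in this post). The secure_file_priv check at the end goes beyond the post: that server variable confines LOAD DATA INFILE and SELECT ... INTO OUTFILE to a single directory, so even an account that still has FILE cannot pull in /etc/passwd.

```sql
-- Added example (not from the original post). Run as root.
-- 1. Which accounts hold the three global privileges the post warns about?
SELECT User, Host, File_priv, Process_priv, Super_priv
FROM mysql.user
WHERE File_priv = 'Y' OR Process_priv = 'Y' OR Super_priv = 'Y';

-- 2. Strip them from every account that is not the administrator.
--    z3 and z4 are the accounts created earlier in the post.
REVOKE FILE ON *.* FROM 'z3'@'localhost';
REVOKE SUPER ON *.* FROM 'z4'@'localhost';
FLUSH PRIVILEGES;

-- 3. Confirm: both should now show only "GRANT USAGE ON *.*".
SHOW GRANTS FOR 'z3'@'localhost';
SHOW GRANTS FOR 'z4'@'localhost';

-- 4. Beyond the post: an empty secure_file_priv means FILE holders may read
--    and write anywhere the mysqld process can; a directory value confines them.
SHOW GLOBAL VARIABLES LIKE 'secure_file_priv';
```

Step 1 is worth scheduling: a new FILE or SUPER grant shows up there long before anyone runs `load data infile` against a system file.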
The security issue with LOAD DATA LOCAL
Once this option is in use, any file on the local server can be read.
The fix is to start the server with --local-infile=0, which disables every LOAD DATA LOCAL statement on the server side.
The hidden security risk in the MERGE storage engine
mysql> grant all privileges on test1.* to z6@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> show tables;
+-----------------+
| Tables_in_test1 |
+-----------------+
| b2 |
| t1 |
+-----------------+
mysql> revoke all privileges on test1.t1 from z6@localhost;
ERROR 1147 (42000): There is no such grant defined for user 'z6' on host 'localhost' on table 't1'
the privilege cannot be revoked this way. Running it against test1.* works:
mysql> revoke all privileges on test1.* from z6@localhost;
Query OK, 0 rows affected (0.00 sec)
If the privilege is first granted on test1.t1, revoking it works:
mysql> grant all privileges on test1.t1 to z6@localhost;
mysql> revoke all privileges on test1.t1 from z6@localhost;
Query OK, 0 rows affected (0.00 sec)
--- The so-called hidden risk is this: t1 itself can no longer be read, but t1's contents are still held in t12.
Log in as z6 and run:
mysql> select * from t1
-> ;
+------+
| id |
+------+
| 1 |
| 2 |
| 3 |
+------+
mysql> create table t2 (id int);
Query OK, 0 rows affected (0.00 sec)
mysql> insert into t2 values(11),(12);
Query OK, 2 rows affected (0.00 sec)
Records: 2 Duplicates: 0 Warnings: 0
mysql> create table t12 (id int) engine=merge union=(t1,t2);
Query OK, 0 rows affected (0.00 sec)
mysql> select * from t12;
+------+
| id |
+------+
| 1 |
| 2 |
| 3 |
| 11 |
| 12 |
+------+
5 rows in set (0.01 sec)
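Added example, not from the original post: how root can find every MERGE table on the server and the base tables it unions, then detach t1 from t12 so the table whose privilege was revoked is no longer readable through the MERGE table. The names (test1, t1, t2, t12) are the ones used above; after the ALTER, t12 returns only the rows of t2.

```sql
-- Added example (not from the original post). Run as root.
-- 1. MERGE tables are reported under the MRG_MyISAM engine name.
SELECT TABLE_SCHEMA, TABLE_NAME
FROM information_schema.TABLES
WHERE ENGINE = 'MRG_MyISAM';

-- 2. The UNION list is only visible in the table definition, so inspect each
--    one found in step 1; here the post's t12.
SHOW CREATE TABLE test1.t12;

-- 3. If t12 exposes a table that z6 is not supposed to read, rebuild the
--    union without it. Changing the UNION list does not touch the base tables.
ALTER TABLE test1.t12 UNION = (t2);

-- 4. Verify: t12 now yields only t2's rows, and t1 is no longer reachable
--    through it.
SHOW CREATE TABLE test1.t12;
SELECT * FROM test1.t12;
```

The check in steps 1 and 2 is the one to repeat whenever a table-level privilege is revoked: the revoke only covers the base table, and any MERGE table that still lists it keeps exposing its rows.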
Whether the DROP command revokes previously granted privileges
mysql> grant select on test1.* to z5@localhost;
mysql> show grants for z5@localhost;
+-----------------------------------------------+
| Grants for z5@localhost |
+-----------------------------------------------+
| GRANT USAGE ON *.* TO 'z5'@'localhost' |
| GRANT SELECT ON `test1`.* TO 'z5'@'localhost' |
+-----------------------------------------------+
After root drops table t1, z5's privileges on t1 are unchanged; if root then recreates t1, z5 still holds the same privileges. So DROP only deletes the table and does not revoke earlier privileges; they can only be revoked by hand.
Use SSL
If possible, restrict every user account to a specific IP address
The REVOKE pitfall
mysql> grant select,insert on test1.* to z7@localhost;
mysql> grant all privileges on test1.* to z7@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for z7@localhost;
+-------------------------------------------------------+
| Grants for z7@localhost |
+-------------------------------------------------------+
| GRANT USAGE ON *.* TO 'z7'@'localhost' |
| GRANT ALL PRIVILEGES ON `test1`.* TO 'z7'@'localhost' |
| GRANT SELECT,INSERT ON `test1`.* TO 'z7'@'localhost' |
+-------------------------------------------------------+
2 rows in set (0.00 sec)
mysql> revoke all privileges on test1.* from z7@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for z7@localhost;
+----------------------------------------+
| Grants for z7@localhost |
+----------------------------------------+
| GRANT USAGE ON *.* TO 'z7'@'localhost' |
| GRANT SELECT,INSERT ON `test1`.* TO 'z7'@'localhost' |
+----------------------------------------+
1 row in set (0.00 sec)
After revoking with REVOKE ALL PRIVILEGES, SELECT and INSERT were not revoked.
Some other security options
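Added example, not from the original post, covering both the DROP section and the REVOKE section above: instead of trusting SHOW GRANTS, read the grant tables directly to see what an account still holds after a DROP TABLE or a REVOKE, and revoke the leftovers by name. Accounts z5 and z7 and database test1 are the ones used in the post; run as root.

```sql
-- Added example (not from the original post). Run as root.
-- 1. Database-level rows: this is where z7's SELECT,INSERT on test1.* live,
--    and where z5's SELECT on test1.* survives a DROP TABLE t1.
SELECT User, Host, Db, Select_priv, Insert_priv
FROM mysql.db
WHERE User IN ('z5', 'z7');

-- 2. Table-level rows that point at tables which no longer exist (left behind
--    by DROP TABLE). They stay valid and re-attach when the table is recreated.
SELECT tp.User, tp.Host, tp.Db, tp.Table_name, tp.Table_priv
FROM mysql.tables_priv AS tp
LEFT JOIN information_schema.TABLES AS t
       ON t.TABLE_SCHEMA = tp.Db AND t.TABLE_NAME = tp.Table_name
WHERE t.TABLE_NAME IS NULL;

-- 3. Same for database-level rows whose database is gone.
SELECT d.User, d.Host, d.Db
FROM mysql.db AS d
LEFT JOIN information_schema.SCHEMATA AS s ON s.SCHEMA_NAME = d.Db
WHERE s.SCHEMA_NAME IS NULL;

-- 4. Revoke whatever step 1 still shows, naming each privilege explicitly,
--    then re-check; once every privilege in a row is gone the row is removed.
REVOKE SELECT, INSERT ON test1.* FROM 'z7'@'localhost';
FLUSH PRIVILEGES;
SELECT User, Host, Db FROM mysql.db WHERE User = 'z7';
```

The last query should return no rows. Steps 2 and 3 are the periodic check that matches the post's conclusion: dropping an object never cleans up the grants that reference it.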
old-password
mysql> set password for 'some_user'@'some_host' = OLD_PASSWORD('password');
Method 2: add old_password to /etc/my.cnf
safe-user-create
When the server is started with this option, GRANT cannot create new users unless the grantor has the INSERT privilege on the user table in the mysql database.
./mysqld_safe --safe-user-create &
secure-auth
--skip-grant-tables: run without privilege checking
[root@test81 mysql]#mysqld_safe --skip-grant-tables &
mysql> flush privileges;
This puts the privilege system back into use.
--skip-network
--skip-show-database: only users holding the SHOW DATABASES privilege may run that statement, which lists the names of all databases
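Added example, not from the original post: a /etc/my.cnf [mysqld] fragment that collects the startup options discussed in this post (and in the LOAD DATA LOCAL section) in the spelling the server documents, since the post abbreviates some of them (skip-network for skip-networking). The secure-file-priv line and its directory value are an addition beyond the post; old_passwords is deliberately left out because secure-auth rejects clients that authenticate with those pre-4.1 hashes.

```ini
# Added example (not from the original post). Place under [mysqld] in /etc/my.cnf.
[mysqld]
# Disable LOAD DATA LOCAL entirely (the post's --local-infile=0).
local-infile=0
# Addition beyond the post: confine LOAD DATA INFILE / SELECT ... INTO OUTFILE
# for FILE-privilege holders to one directory; the path is illustrative.
secure-file-priv=/var/lib/mysql-files
# GRANT may only create new accounts if the grantor has INSERT on mysql.user.
safe-user-create
# Reject clients that still authenticate with pre-4.1 password hashes.
secure-auth
# No TCP listener at all; local clients connect over the Unix socket.
skip-networking
# SHOW DATABASES requires the SHOW DATABASES privilege instead of listing all names.
skip-show-database
```

--skip-grant-tables is intentionally absent: it is a recovery switch for a lost root password, not a setting to persist, and the post's follow-up `flush privileges` is what turns checking back on.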