Shulou(Shulou.com)06/01 Report--

We know that after installing MySQL, it will automatically create a root user and an anonymous user whose initial password is empty. For the former, many Resources will remind you to set a password in time, while ignoring the latter, probably because the latter is set to be used locally by default.

But if your MySQL is to be provided to the Web server for database service, it can be costly to ignore this anonymous user, because by default, this anonymous user has almost the same permissions on localhost as root. If your customer has permission to upload script files that can perform MySQL database operations (such as php that allows you to operate MySQL), your MySQL may have been changed beyond recognition:

Today, when I was helping my friend organize his home page space, I tried to write a very simple php file that executed sql statements to upload. I tried to empty the user,password in the connection word, host=localhost, and found that my sql statement could be executed. So I executed select * from MySQL.user to check the user permissions. I found that this user has very high permissions in localhost, even grant_priv. (when viewing You will find that under the root user, there are two lines of username and password empty, but each permission has y, that is, the anonymous user has local and remote permissions set)

So I tried to create a new user with this php page, and grant gave him higher permissions, and the result was a success, so that I could use this new user to connect to the MySQL server of the site through my local MySQL client, and use the administrative rights of this newly created user to manage the MySQL server of the site, and see that I can easily get in-depth database operations like this. How dare I put the sensitive information of my friend's home page into this MySQL server?

Suggestions for improvement:

1. After installing MySQL, not only change the password of root users, but also change the password of anonymous users, similar to the way of changing the password of root:

MySQL > UPDATE user set password=PASSWORD ('yournewpassword') where user=

MySQL > FLUSH PRIVILEGES

2. Delete the anonymous user if not necessary, so that everyone must provide a user name to use MySQL. Even if something goes wrong in the future, it is easy to find the source of the problem.

3. In addition to root users, other users, including anonymous users (if this user is not deleted) should not have grant permissions to prevent administrative rights from spreading out of control.

4, when giving users updatedeletealertcreatedrop permission, it should be limited to a specific database, especially to avoid ordinary customers have the right to operate on the MySQL database, otherwise your system settings are likely to be replaced.

5. Check the MySQL.user table and cancel the shutdown_priv,reload_priv,process_priv and File_priv permissions of unnecessary users, which may reveal more server information, including other non-MySQL information.

6. If you don't plan to let your users use the MySQL database, reset or compile your php when providing scripting languages such as php, and cancel their default support for MySQL. [@ more@]

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.