
MySQL access permission system (transfer)

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

MySQL has an advanced but non-standard access permission system. This section describes how it works.

What does the permission system do?

The main function of MySQL's authorization system is to verify a user connecting from a given host, and to check that user's select, insert, update and delete permissions on a database.

Its additional features include support for anonymous users and the granting of permissions for MySQL-specific functions such as LOAD DATA INFILE and administrative operations.

MySQL user names and passwords

There are some differences between the way user names and passwords are used by MySQL and the way they are used by Unix or Windows:

User names, as MySQL uses them for authentication, have nothing to do with Unix or Windows user names (login names). Most MySQL clients default to logging in with the current Unix user name as the MySQL user name, but that is only for convenience. Client programs allow a different name to be specified with the -u or --user option. This means that you cannot make a MySQL database secure unless every MySQL user name has a password. Anyone can attempt to connect to the database using any name, and they will succeed if they specify a name that happens to have no password.

MySQL user names can be up to 16 characters long, while Unix user names are typically limited to eight characters.

MySQL passwords have nothing to do with Unix passwords. There is no necessary connection between the password you use to log in to a Unix machine and the password you use to access a database on that machine.

MySQL uses a different encryption algorithm from the one used by the Unix login process. See the descriptions of the PASSWORD() and ENCRYPT() functions in section 7.3.11.

6.3 Connecting to the MySQL server

MySQL client programs usually require you to specify connection parameters when you want to access a MySQL database: the host you want to connect to, your user name and your password. For example, the mysql client can be started like this (optional parameters are enclosed in "[" and "]"):

shell> mysql [-h hostname] [-u username] [-ppassword]

You can also use --host=hostname, --user=username and --password=password instead of the -h, -u and -p options. Notice that there is no space between -p or --password= and the password.

If no connection parameters are specified on the command line, mysql uses the default values:

The default host name is localhost.

The default user name is your Unix login name.

If there is no -p parameter, no password is supplied.

Therefore, for a Unix user joe, the following commands are equivalent:

shell> mysql -h localhost -u joe

shell> mysql -h localhost

shell> mysql -u joe

shell> mysql

Other clients behave similarly.

On Unix, you do not have to type all the options on the command line every time you invoke a client program to connect; you can specify different default values for them. This can be done in two ways:

You can specify connection parameters in the [client] section of the ".my.cnf" configuration file in your home directory. The relevant section of the file might look like this:

[client]
host=host_name
user=user_name
password=your_pass

See section 4.15.4, Option files.

You can also use environment variables to specify connection parameters. The host can be specified using MYSQL_HOST. The MySQL user name can be specified using USER, LOGNAME or LOGIN (although these variables may already be set to your Unix login name, they may be changed at will). The password can be specified using MYSQL_PWD (but this is not safe; see the next section).

If you specify connection parameters in more than one way, values specified on the command line take priority over values specified in the configuration file and in environment variables, and values specified in the configuration file take priority over values specified in environment variables.

Keeping your password secure

It is a mistake to specify your password in a way that lets other users discover it. The methods you can use to specify a password when you run a client program are listed below, with the pros and cons of each:

Use a -ppassword or --password=password parameter on the command line. This is convenient but not safe, because your password can be seen by system status programs (such as ps) that other users can invoke to display command lines. (MySQL clients overwrite the command-line arguments with zeros when they initialize, but there is still a short interval during which the value is visible.)

Use a -p or --password parameter without specifying the password. In this case, the client program asks for the password from the terminal:

shell> mysql -u user_name -p

Enter password: *

The client echoes "*" characters to the terminal as you type the password so that bystanders cannot see it. Entering a password this way is more secure than specifying it on the command line because it is not visible to other users. However, this method works only for programs you run interactively. If you want to invoke a client non-interactively from a script, there is no opportunity to enter the password from the terminal.

Save your password in a configuration file. For example, you can list your password in the [client] section of the .my.cnf file in your home directory:

[client]
password=your_pass

If you store your password in .my.cnf, the file must not be readable or writable by group or other users. Make sure the file's access mode is 400 or 600. See section 4.15.4, Option files.

You can also store your password in the MYSQL_PWD environment variable, but this method is considered extremely insecure and is generally not used. Some versions of ps include an option to list the environment of running processes; your password will be plainly displayed if you set the MYSQL_PWD environment variable.

All in all, the safest methods are to have the client prompt for the password or to save the password in a properly protected .my.cnf file.
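The 400/600 requirement above can be checked mechanically. The shell functions below are an added example, not part of the original manual text; the function names are hypothetical and the password value is the page's own your_pass placeholder.

```shell
#!/bin/sh
# Added example: create and audit a MySQL option file that stores a password.
# Function names are hypothetical; the real file would be ~/.my.cnf.

# Return 0 if FILE has mode 400 or 600 (owner-only), 1 otherwise.
mycnf_mode_ok() {
    # ls -ld prints e.g. "-rw------- 1 joe ..."; keep the 9 permission bits.
    perms=$(ls -ld -- "$1" 2>/dev/null | cut -c2-10)
    case "$perms" in
        rw-------|r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a [client] section holding the password; the file is owner-only.
write_mycnf() {
    file=$1 pass=$2
    (
        umask 077                      # a new file is created with mode 600
        printf '[client]\npassword=%s\n' "$pass" > "$file"
    )
    chmod 600 "$file"                  # also tightens a pre-existing file
}

# Print "no-password", "ok" or "exposed" for FILE.
audit_mycnf() {
    file=$1
    if ! grep -q '^[[:space:]]*password[[:space:]]*=' "$file" 2>/dev/null; then
        echo "no-password"; return 0
    fi
    if mycnf_mode_ok "$file"; then echo "ok"; else echo "exposed"; fi
}
```

Calling audit_mycnf "$HOME/.my.cnf" reports "exposed" when a stored password is readable or writable by group or other users.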

Permissions provided by MySQL

Permission information is stored in the user, db, host, tables_priv and columns_priv tables of the mysql database (that is, the database named mysql). The MySQL server reads the contents of these tables when it starts and in the cases indicated in section 6.9 (when permission changes take effect).

The names of the permissions provided by MySQL that are used in this manual are listed below. Each row gives the permission name, the corresponding column name and the scope to which the permission applies.

Permission   Column name      Scope
select       Select_priv      tables
insert       Insert_priv      tables
update       Update_priv      tables
delete       Delete_priv      tables
index        Index_priv       tables
alter        Alter_priv       tables
create       Create_priv      databases, tables or indexes
drop         Drop_priv        databases or tables
grant        Grant_priv       databases or tables
reload       Reload_priv      server administration
shutdown     Shutdown_priv    server administration
process      Process_priv     server administration
file         File_priv        file access on server

The select, insert, update and delete permissions allow you to perform operations on rows of existing tables in a database.

SELECT statements require the select permission only if they actually return rows from a table. You can execute some SELECT statements even when you do not have access to any database on the server. For example, you can use the mysql client as a simple calculator:

mysql> SELECT 1;

mysql> SELECT PI()*2;

The index permission allows you to create or drop (delete) indexes.

The alter permission allows you to use ALTER TABLE.

The create and drop permissions allow you to create new databases and tables, or drop existing databases and tables.

Note that if you give a user the drop permission on the mysql database, that user can drop the database in which MySQL stores its access permissions.

The grant permission allows you to grant to other users the permissions you yourself have.

The file permission allows you to use the LOAD DATA INFILE and SELECT ... INTO OUTFILE statements to access files on the server. Any user who has this permission can access any file that the MySQL server can access.

The remaining permissions are used for administrative operations, which are performed with the mysqladmin program. The following table lists the mysqladmin commands that each administrative permission allows you to execute:

Permission   Commands the permission holder can execute
reload       reload, refresh, flush-privileges, flush-hosts, flush-logs, flush-tables
shutdown     shutdown
process      processlist, kill

The reload command tells the server to reread the grant tables. The refresh command flushes all tables and closes and reopens the log files. flush-privileges is a synonym for reload. The other flush-* commands perform functions similar to refresh but more limited in scope, which may be preferable in some situations. For example, if you just want to flush the log files, flush-logs is a better choice than refresh.

The shutdown command shuts down the server.

The processlist command lists information about the threads executing on the server. The kill command kills server threads. You can usually only list and kill your own threads, but if you have the process permission, you can list or kill threads started by other users.

It is usually a good idea to grant only the necessary permissions to the users who need them, and you should be particularly careful when granting the following permissions:

The grant permission allows users to give their own permissions to other users. Two users who hold different permissions and both have the grant permission can combine their permissions.

The alter permission can be used to subvert the permission system by renaming tables.

The file permission can be abused to read any file accessible to the server into a database table, whose contents can then be read with SELECT.

The shutdown permission can also be abused, by shutting down the server and so denying service to all other users.

The process permission can be used to display the plain text of currently executing queries, including queries that set or change passwords.

Permissions on the mysql database can be used to change passwords and other access information. (Passwords are stored encrypted, so a malicious user cannot simply read them. However, with sufficient permissions, that user can replace a password with a different one.)
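As an added example (not from the original manual), the shell function below scans a dump of the mysql.user table for accounts with no password and for holders of the permissions the list above singles out. The function names and sample rows are constructed, and the query in the comment assumes the column layout of older servers, where the hash is kept in a Password column.

```shell
#!/bin/sh
# Added example: flag risky rows in a dump of the mysql.user grant table.
# Assumed input: tab-separated rows, as printed by
#   mysql -B -N -e "SELECT Host,User,Password,Grant_priv,File_priv,
#                   Shutdown_priv,Process_priv,Alter_priv FROM mysql.user"
# (the Password column name is that of older servers, an assumption here).

# Constructed sample rows, not taken from a real server.
sample_rows() {
    printf 'localhost\troot\t5d2e19393cc5ef67\tY\tY\tY\tY\tY\n'
    printf '%%\tjoe\t\tN\tN\tN\tN\tN\n'
    printf 'localhost\t\t\tN\tN\tN\tN\tN\n'
    printf '%%\treport\t1a2b3c4d5e6f7a8b\tN\tY\tN\tY\tN\n'
    printf 'localhost\tapp\t0f1e2d3c4b5a6978\tN\tN\tN\tN\tN\n'
}

# Read rows on stdin; print one line per finding: "user@host: issue[,issue]".
audit_user_table() {
    awk -F '\t' '
    {
        n = 0; out = ""
        # An empty User column is the anonymous account.
        if ($2 == "") { user = "(anonymous)" } else { user = $2 }
        if ($3 == "") issues[++n] = "no-password"
        if ($4 == "Y") issues[++n] = "grant"
        if ($5 == "Y") issues[++n] = "file"
        if ($6 == "Y") issues[++n] = "shutdown"
        if ($7 == "Y") issues[++n] = "process"
        if ($8 == "Y") issues[++n] = "alter"
        for (i = 1; i <= n; i++) out = out (i > 1 ? "," : "") issues[i]
        if (n > 0) print user "@" $1 ": " out
    }'
}
```

Running sample_rows | audit_user_table prints a line for every account except app, which has a password and none of the listed permissions.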

The following things cannot be done with the MySQL permission system:

You cannot explicitly specify that a given user is to be denied access. That is, you cannot explicitly match a user and then refuse the connection.

You cannot specify that a user can create and drop tables in a database but not create or drop the database itself.
