





  • 锁定mysql用户
  • 其他任何用户都采取独立的账号登录,管理员通过mysql专有用户管理MySQL,或者通过root su到mysql用户下进行管理。
  • mysql用户目录下,除了数据文件目录,其他文件和目录属主都改为root




    创建用户时,host可以指定域名或者IP地址。但是,如果指定域名,就可能带来如下安全隐患:  如果域名对应的IP地址被恶意修改,则数据库就会被恶意的IP地址进行访问,导致安全隐患。






set password=password('newpassword');


  • 设置安全的密码,建议使用6位以上字母、数字、下划线和一些特殊字符组合的而成的字符串;
  • 使用上的安全,使用密码期间尽量保证使用过程安全,不会被别人窃取。
mysql -uroot -p123
mysql -uroot -p
chomod +600 my.cnf
[root@iZ28dr6w0qvZ ~]# mysql
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
[root@iZ28dr6w0qvZ ~]# vim /etc/my.cnf 
#password       = your_password
[root@iZ28dr6w0qvZ ~]# service mysqld restart
Shutting down MySQL... SUCCESS! 
Starting MySQL.. SUCCESS! 
[root@iZ28dr6w0qvZ ~]# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.5.37-log MySQL Community Server (GPL)
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> select current_user();
| current_user() |
| cqh@localhost  |
1 row in set (0.02 sec)


grant select,insert,update,delete on tablename to 'username'@'hostname';
    在很多情况下,DBA由于图方便,而经常赋予用户all privileges权限,这个all privileges到底具体包含哪些权限呢?来看下面的例子:
mysql> select * from db where user='cqh'\G
*************************** 1. row ***************************
                 Host: localhost
                   Db: test
                 User: cqh
          Select_priv: Y
          Insert_priv: Y
          Update_priv: Y
          Delete_priv: Y
          Create_priv: Y
            Drop_priv: Y
           Grant_priv: N
      References_priv: Y
           Index_priv: Y
           Alter_priv: Y
Create_tmp_table_priv: Y
     Lock_tables_priv: Y
     Create_view_priv: Y
       Show_view_priv: Y
  Create_routine_priv: Y
   Alter_routine_priv: Y
         Execute_priv: Y
           Event_priv: Y
         Trigger_priv: Y
1 row in set (0.00 sec)
    all privileges里面的权限,远远超过了我们一般应用所需要的权限。而且,有些权限如果误操作,将会产生非常严重的后果,比如drop_priv等。因此,用户权限的时候越具体,则对数据库越安全。


[root@iZ28dr6w0qvZ ~]# mysql -uroot -p
Enter password:
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 103
Server version: 5.5.37-log MySQL Community Server (GPL)
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> grant select,update,insert,delete on mysql.user to chenqionghe@localhost;
Query OK, 0 rows affected (0.00 sec)
[root@iZ28dr6w0qvZ ~]# mysql -uchenqionghe
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 106
Server version: 5.5.37-log MySQL Community Server (GPL)
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use mysql;
Database changed
mysql> update user set password=password('abcd') where user='root' and host='localhost';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0
[root@iZ28dr6w0qvZ ~]# mysql -uroot -pabcd
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.5.37-log MySQL Community Server (GPL)
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.


将数据库的信息通过SELECT ...INTO OUTFILE...写到服务器上有写权限的目录下,作为文本格式存放。具有权限的目录也就是启动MySQL时的用户权限目录。
可以将有读权限的文本文件通过LOAD DATA INFILE...命令写入数据表,如果这些表中存放了很重要的信息,将对系统造成很大的安全隐患。
[root@iZ28dr6w0qvZ ~]# mysql -uroot -p
Enter password:
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.5.37-log MySQL Community Server (GPL)
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use test;
Database changed
mysql> create table t (name varchar(500));
Query OK, 0 rows affected (0.02 sec)
mysql> load data infile '/etc/passwd' into table t;
Query OK, 23 rows affected (0.01 sec)
Records: 23  Deleted: 0  Skipped: 0  Warnings: 0
mysql> select * from t;
| name                                                                 |
| root:x:0:0:root:/root:/bin/bash                                      |
| bin:x:1:1:bin:/bin:/sbin/nologin                                     |
| daemon:x:2:2:daemon:/sbin:/sbin/nologin                              |
| adm:x:3:4:adm:/var/adm:/sbin/nologin                                 |
| lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin                             |
| sync:x:5:0:sync:/sbin:/bin/sync                                      |
| shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown                         |
| halt:x:7:0:halt:/sbin:/sbin/halt                                     |
| mail:x:8:12:mail:/var/spool/mail:/sbin/nologin                       |
| uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin                      |
| operator:x:11:0:operator:/root:/sbin/nologin                         |
| games:x:12:100:games:/usr/games:/sbin/nologin                        |
| gopher:x:13:30:gopher:/var/gopher:/sbin/nologin                      |
| ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin                          |
| nobody:x:99:99:Nobody:/:/sbin/nologin                                |
| vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin         |
| ntp:x:38:38::/etc/ntp:/sbin/nologin                                  |
| saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin |
| postfix:x:89:89::/var/spool/postfix:/sbin/nologin                    |
| sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin   |
| nscd:x:28:28:NSCD Daemon:/:/sbin/nologin                             |
| www:x:500:500::/alidata/www:/sbin/nologin                            |
| mysql:x:501:501::/home/mysql:/sbin/nologin   
    PROCESS权限能被用来执行“show processlist”命令,查看当前所有用户执行的查询的明文文本,包括设定或改变密码的查询。在默认情况下,每个用户都可以执行“show processlist”命令,但是只能查询本用户的进程。因此,对PROCESS权限管理不当,有可能会使得普通用户能够看到管理员执行的命令。
[root@iZ28dr6w0qvZ ~]# mysql -uroot -p
Enter password:
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 26
Server version: 5.5.37-log MySQL Community Server (GPL)
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show processlist;
| Id | User | Host      | db   | Command | Time | State | Info             |
|  2 | root | localhost | NULL | Sleep   |   53 |       | NULL             |
| 26 | root | localhost | NULL | Query   |    0 | NULL  | show processlist |
2 rows in set (0.00 sec)
mysql> grant process on *.* to 'cqh'@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql> lock table user read;
Query OK, 0 rows affected (0.00 sec)
[root@iZ28dr6w0qvZ ~]# mysql -uroot -p
Enter password:
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 27
Server version: 5.5.37-log MySQL Community Server (GPL)
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> set password=password('123');
    (4)打开第3个session,用cqh登录,执行show processlist语句:
[root@iZ28dr6w0qvZ ~]# mysql -ucqh
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 31
Server version: 5.5.37-log MySQL Community Server (GPL)
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show processlist;
| Id | User | Host      | db    | Command | Time | State                        | Info                         |
| 26 | root | localhost | mysql | Sleep   |   20 |                              | NULL                         |
| 27 | root | localhost | NULL  | Query   |   15 | Waiting for table level lock | set password=password('123') |
| 31 | cqh  | localhost | NULL  | Query   |    0 | NULL                         | show processlist             |
3 rows in set (0.00 sec)
mysql> show processlist;
| Id | User | Host      | db    | Command | Time | State                        | Info                         |
| 26 | root | localhost | mysql | Sleep   |   20 |                              | NULL                         |
| 27 | root | localhost | NULL  | Query   |   15 | Waiting for table level lock | set password=password('123') |
| 31 | cqh  | localhost | NULL  | Query   |    0 | NULL                         | show processlist             |
3 rows in set (0.00 sec)
mysql> kill 27;
ERROR 1095 (HY000): You are not owner of thread 27
mysql> grant super on *.* to cqh@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for cqh@localhost;
| Grants for cqh@localhost                         |
| GRANT PROCESS, SUPER ON *.* TO 'cqh'@'localhost' |
1 row in set (0.00 sec)
    (3)重新kill root的进程成功:
[root@iZ28dr6w0qvZ ~]# mysql -ucqh
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 40
Server version: 5.5.37-log MySQL Community Server (GPL)
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show processlist;
| Id | User | Host      | db    | Command | Time | State                        | Info                         |
| 26 | root | localhost | mysql | Sleep   |   20 |                              | NULL                         |
| 27 | root | localhost | NULL  | Query   |   15 | Waiting for table level lock | set password=password('123') |
| 31 | cqh  | localhost | NULL  | Query   |    0 | NULL                         | show processlist             |
3 rows in set (0.00 sec)
mysql> kill 27;
Query OK, 0 rows affected (0.00 sec)

    7.LOAD DATA LOCAL带来的安全问题

    LOAD DATA默认读的是服务器上的文件,但是加上LOCAL参数后,就可以将本地具有访问权限的文件加载到数据库中。这在在带来方便的同时,可带来了以下安全问题。
在Web环境中,客户从Web服务器连接,用户可以使用LOAD DATA LOCAL语句来读取Web服务器进程在读访问权限的任何文件(假定用户可以运行SQL服务器的任何命令)。在这种环境中,MySQL服务器的客户实际上的是Web服务器,而不是连接Web服务器的用户运行的程序。
    解决的方法是,可以用--local-infile=0选项启动mysqld从服务器禁用所有LOAD DATA LOCAL命令。
    对于mysql命令行客户端,可以通过指定--local-infile[=1]选项启用LOAD DATA LOCAL,或通过--local-infile=0选项禁用。类似地,对于mysqlimport,--local or -L选项启用本地文件装载。在任何情况下,成功进行本地装载需要服务器启用相关选项。

    8.DROP TABLE命令并不收回以前的相关访问权限

mysql> grant select on test.* to cqh@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for cqh@localhost;
| Grants for cqh@localhost                      |
| GRANT USAGE ON *.* TO 'cqh'@'localhost'       |
| GRANT SELECT ON `test`.* TO 'cqh'@'localhost' |
2 rows in set (0.00 sec)
[root@iZ28dr6w0qvZ ~]# mysql -ucqh
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 287
Server version: 5.5.37-log MySQL Community Server (GPL)
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use test;
Database changed
mysql> show tables;
| Tables_in_test |
| menu           |
| salary         |
| t              |
| t1             |
| t12            |
| t2             |
6 rows in set (0.00 sec)
[root@iZ28dr6w0qvZ ~]# mysql -uroot -p
Enter password:
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 288
Server version: 5.5.37-log MySQL Community Server (GPL)
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use test;
Database changed
mysql> drop table t12;
Query OK, 0 rows affected (0.00 sec)
[root@iZ28dr6w0qvZ ~]# mysql -ucqh
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 290
Server version: 5.5.37-log MySQL Community Server (GPL)
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use test;
Database changed
mysql> show tables;
| Tables_in_test |
| menu           |
| salary         |
| t              |
| t1             |
| t2             |
5 rows in set (0.00 sec)
mysql> show grants for cqh@localhost;
| Grants for cqh@localhost                      |
| GRANT USAGE ON *.* TO 'cqh'@'localhost'       |
| GRANT SELECT ON `test`.* TO 'cqh'@'localhost' |
2 rows in set (0.00 sec)
[root@iZ28dr6w0qvZ ~]# mysql -uroot -p
Enter password:
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 292
Server version: 5.5.37-log MySQL Community Server (GPL)
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use test;
Database changed
mysql> create table t12(id int);
Query OK, 0 rows affected (0.03 sec)
[root@iZ28dr6w0qvZ ~]# mysql -ucqh
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 293
Server version: 5.5.37-log MySQL Community Server (GPL)
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use test;
Database changed
mysql> show tables;
| Tables_in_test |
| menu           |
| salary         |
| t              |
| t1             |
| t12            |
| t2             |
6 rows in set (0.00 sec)


    SSL(Secure Socket Layer,安全套接字层)是一种安全传输的协议,最初Netscape公司所开发,用以保障在Internet上数据传输之安全,利用 数据加密(Encryption)技术,可确保数据在网络上传输过程中不会被截取及窃听。
    确保使用SSL连接的安全方式是,使用含REQUIRE SSL子句的GRANT语句在服务器上创建一账户,然后使用该账户来连接服务器,服务器和客户端均应启用SSL支持。下面例子创建了一个含REQUIRE SSL子句的账号:
mysql> grant select on *.* to cqh identified by '123' REQUIRE ssl;
Query OK, 0 rows affected (0.00 sec)
  • --ssl-ca=file_name    含可信的SSL CA的清单的文件的路径
  • --ssl-cert=file_name    SSL证书文件名,用于建立安全连接
  • --ssl-key=file_name    SSL密钥文件名,用于建立 安全连接




mysql> grant select,insert on test.* to cqh@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> grant all privileges on *.* to cqh@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for cqh@localhost;
| Grants for cqh@localhost                              |
| GRANT ALL PRIVILEGES ON *.* TO 'cqh'@'localhost'      |
| GRANT SELECT, INSERT ON `test`.* TO 'cqh'@'localhost' |
2 rows in set (0.00 sec)
mysql> revoke all privileges on *.* from cqh@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for cqh@localhost;
| Grants for cqh@localhost                              |
| GRANT USAGE ON *.* TO 'cqh'@'localhost'               |
| GRANT SELECT, INSERT ON `test`.* TO 'cqh'@'localhost' |
2 rows in set (0.00 sec)
[root@iZ28dr6w0qvZ ~]# mysql -ucqh
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 395
Server version: 5.5.37-log MySQL Community Server (GPL)
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use test;
Database changed
mysql> show tables;
| Tables_in_test |
| menu           |
| salary         |
| t              |
| t1             |
| t12            |
| t2             |
6 rows in set (0.00 sec)
mysql> insert into t1 values (1);
Query OK, 1 row affected (0.01 sec)
    这个是MySQL权限机制造成的隐患,在一个数据库上多次赋予权限,权限会自动合并;但是在多个数据库上多次赋予权限,每个数据库上都会认为是单独的一组权限,必须在此数据库上用REVOKE命令来单进行权限收回,而 REVOKE ALL PRIVILEGES ON *.* 并不会替用户自动完成这个情况。






