[toc] 問題 MySQL5.6 新建本地可以登錄的用戶,但在本地始終登錄不上,不存在的用戶卻能登錄成功 分析 1、本是以ip地址進行登錄的,錯誤信息報的是Access denied for user 'admin'@'slave58',自動進行了DNS解析,解析成了主機名,skip name r ...
目錄
MySQL 5.6不刪空用戶的影響
問題
MySQL5.6 新建本地可以登錄的用戶,但在本地始終登錄不上,不存在的用戶卻能登錄成功
mysql -uroot -p1234 -S /data/mysql/33562/mysql.sock -e "select version()"
mysql: [Warning] Using a password on the command line interface can be insecure.
+-----------+
| version() |
+-----------+
| 5.6.39 |
+-----------+創建了admin@'%' 用戶,但在本地無法登陸,但可以遠程登陸
sselect user,host,password from mysql.user;
+--------+-----------+-------------------------------------------+
| user | host | password |
+--------+-----------+-------------------------------------------+
| root | localhost | *A4B6157319038724E3560894F7F932C8886EBFCF |
| root | slave58 | |
| root | 127.0.0.1 | |
| root | ::1 | |
| | localhost | |
| | slave58 | |
| admin | % | *4ACFE3202A5FF5CF467898FC58AAB1D615029441 |
| zabbix | 127.0.0.1 | *DEEF4D7D88CD046ECA02A80393B7780A63E7E789 |
| super | 127.0.0.1 | *F85A86E6F55A370C1A115F696A9AD71A7869DB81 |
| super | slave58 | *F85A86E6F55A370C1A115F696A9AD71A7869DB81 |
+--------+-----------+-------------------------------------------+
show grants for 'admin'@'%';
+---------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'admin'@'%' IDENTIFIED BY PASSWORD '*4ACFE3202A5FF5CF467898FC58AAB1D615029441' |
+---------------------------------------------------------------------------------------------------------------+
select password('admin');
+-------------------------------------------+
| password('admin') |
+-------------------------------------------+
| *4ACFE3202A5FF5CF467898FC58AAB1D615029441 |
+-------------------------------------------+
以ip地址無法登陸
mysql -uadmin -padmin -P33562 -h10.186.30.58
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'admin'@'slave58' (using password: YES)
以socket也無法登陸
mysql -uadmin -padmin -P33562 -S /data/mysql/33562/mysql.sock
或者
mysql -uadmin -padmin -P33562 -h127.0.0.1
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'admin'@'localhost' (using password: YES)
不存在的用戶卻可以登錄成功
mysql -utest -S /data/mysql/33562/mysql.sock
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 15
Server version: 5.6.39 MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
分析
1、本是以ip地址進行登錄的,錯誤信息報的是Access denied for user 'admin'@'slave58',自動進行了DNS解析,解析成了主機名,skip-name-resolve 可以禁用DNS解析
2、mysql在驗證許可權的時候,先驗證host,在驗證user,最後驗證password,即
host->user->password
3、以host或者socket登陸,進行了DNS解析,host;socket被解析成了slave58;localhost, 而mysql.user 中host 為localhost和slave58 對應空用戶,就報了訪問拒絕錯誤
測試
啟動mysqld時沒有加上--skip-name-resolve
以mysql不存在的用戶進行登錄
mysql -utest -P33562 -h`hostname`
或者
mysql -utest -S /data/mysql/33562/mysql.sock
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.6.39 MySQL Community Server (GPL)
.....
show grants;
+------------------------------------+
| Grants for @slave58 |
+------------------------------------+
| GRANT USAGE ON *.* TO ''@'slave58' |
+------------------------------------+show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| test |
+--------------------+
create table test.test_t1(id int);
Query OK, 0 rows affected (0.05 sec)
drop table test.test_t1;
Query OK, 0 rows affected (0.05 sec)
drop database test;
Query OK, 8 rows affected (0.49 sec)
具有USAGE 的許可權的用戶 有test 庫的所有許可權和information_schema 中表的select許可權。
不存在的用戶還可以 drop datase test 這個“神操作”是因為 空用戶具有test和test_*庫的所有許可權,而任何用戶都能匹配空用戶,mysql5.6初始化後預設就有這個,而mysql5.7預設沒有,也沒有空用戶,空密碼用戶
select * from mysql.db;
以mysql.user中存在的用戶登錄如 “問題” 中所示,無法登錄
在mysql.user 中存在的用戶還不能登錄,任意一個不存在的用戶還可以登錄成功 ,還可以drop database test,這有很大的安全隱患!開始懷疑,這mysql5.6是不是假的o_o
啟動mysqld時加上--skip-name-resolve
ps -ef | grep -w 33562 | grep -v grep | awk '{print $2}' | xargs -l killsu - mysql -c "/usr/local/mysql/5.6.39/bin/mysqld --no-defaults --basedir=/usr/local/mysql/5.6.39 --datadir=/data/mysql/33562 --pid-file=/data/mysql/33562/clone.pid --port=33562 --server-id=33562 --socket=/data/mysql/33562/mysql.sock --tmpdir=/data/mysql/33562 --skip-name-resolve &"以mysql.user中不存在的用戶進行登錄
mysql -utest -P33562 -h`hostname`
ERROR 1045 (28000): Access denied for user 'test'@'10.186.30.58' (using password: NO)
mysql -utest -S /data/mysql/33562/mysql.sock
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 5.6.39 MySQL Community Server (GPL)
以`hostname`登錄,host 轉化成ip地址,在mysql.user中沒有匹配到;
以socket登錄 host 被轉化成localhost,在mysql.user中匹配到了''@'localost'空用戶,登錄成功。可見,任意用戶都能匹配mysql.user的user為空' '的用戶以mysql.user中存在的用戶可以登錄成功
mysql -uadmin -padmin -P33562 -h10.186.30.58
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.6.39 MySQL Community Server (GPL)結論
1、在沒有以 skip-name-resolve 啟動啟動的情況下,以mysql -uuser -ppassword登錄會進行DNS解析,在mysql.user中匹配到錯誤的 host,即時沒有限制主機的用戶 ‘user’@'%'也無法登錄
2、即時一個並不存在的用戶在以`hostname` 或者socket進行登錄,若匹配了mysql.user中的host,該host對應的user和password為空,並不存在的用戶也能登錄成功
3、為了避免進行DNS解析,在my.cnf配置文件中添加skip-name-resolve
4、在剛初始化mysql5.6後,就應該刪除mysql.user; mysql.db中空用戶,空密碼賬戶(包括root空秘密賬戶),減少安全隱患
DELETE FROM mysql.user WHERE PASSWORD=' ';
DELETE FROM mysql.db WHERE USER=' '; FLUSH PRIVILEGES;
5、可用mysql5.6 自帶mysql_secure_installation 腳本刪除空用戶,空密碼賬戶,刪除test庫
