After many friends installed the MySQL database, they did not do any special processing for the mysql user table. Therefore, by default, there are users with empty passwords, and there are also many user names and passwords that are empty. The situation is called double-empty user. Logins under this situation are collectively referred to as abnormal logins. For production environment databases, this will bring some uncertain security risks. Below is a description of the problem and how to remove irrelevant users.
Related references for mysql users:
MySQL User and Permission Management
MySQL Modify user password and reset root password
1. Demonstrate abnormal login
a、演示双空用户登陆 [root@xlkoracel ~]# mysql -uroot -p Enter password: (root@localhost) [(none)]> show variables like 'version'; +---------------+--------+ | Variable_name | Value | +---------------+--------+ | version | 5.6.26 | +---------------+--------+ (root@localhost) [(none)]> select user,host,password from mysql.user; +-------+-------------+-------------------------------------------+ | user | host | password | +-------+-------------+-------------------------------------------+ | root | localhost | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA | | root | xlkoracel | | | root | 127.0.0.1 | | | root | ::1 | | | | localhost | | | | xlkoracel | | | mycat | localhost | *975B2CD4FF9AE554FE8AD33168FBFC326D2021DD | | mycat | 192.168.1.% | *975B2CD4FF9AE554FE8AD33168FBFC326D2021DD | | mycat | 192.168.%.% | *975B2CD4FF9AE554FE8AD33168FBFC326D2021DD | | root | 192.168.%.% | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA | +-------+-------------+-------------------------------------------+ (root@localhost) [(none)]> -- 可以看到存在用户名和密码同时为空的情形 (root@localhost) [(none)]> -- 退出后尝试使用任意用户名登录 (root@localhost) [(none)]> exit Bye [root@xlkoracel ~]# mysql -uxx ###无需指定密码参数-p (xx@localhost) [(none)]> -- 可以成功登陆 (xx@localhost) [(none)]> -- 下面查看一下自身的权限 (xx@localhost) [(none)]> show grants; --当前只有usage权限 +--------------------------------------+ | Grants for @localhost | +--------------------------------------+ | GRANT USAGE ON *.* TO ''@'localhost' | +--------------------------------------+ (xx@localhost) [(none)]> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | test | +--------------------+ (xx@localhost) [(none)]> use test; Database changed (xx@localhost) [test]> show tables; Empty set (0.00 sec) (xx@localhost) [test]> create table t(id int); Query OK, 0 rows affected (0.14 sec) (xx@localhost) [test]> insert into t values(1); Query OK, 1 row affected (0.01 sec) (xx@localhost) [test]> select * from t; +------+ | id | +------+ | 1 | +------+ 1 row in set (0.00 sec) (xx@localhost) [test]> --从上可以看出,usage权限已经可以完成很多任务 (xx@localhost) [test]> use infromation_schema; ERROR 1044 (42000): Access denied for user ''@'localhost' to database 'infromation_schema' (xx@localhost) [test]> exit; b、演示密码为空的用户登陆 [root@xlkoracel ~]# mysql -uroot -hxlkoracel ###注,此时也无需指定参数-p (root@xlkoracel) [(none)]> --可以成功登陆 (root@xlkoracel) [(none)]> show grants; --查看自身权限,为ALL PRIVILEGES,权限更大 +---------------------------------------------------------------------+ | Grants for root@xlkoracel | +---------------------------------------------------------------------+ | GRANT ALL PRIVILEGES ON *.* TO 'root'@'xlkoracel' WITH GRANT OPTION | | GRANT PROXY ON ''@'' TO 'root'@'xlkoracel' WITH GRANT OPTION | +---------------------------------------------------------------------+
2. Clean up abnormal users
[root@xlkoracel ~]# mysql -uroot -p Enter password: (root@localhost) [(none)]> select user,host,password from mysql.user -> where (user is null or user='') and (password is null or password=''); +------+-----------+----------+ | user | host | password | +------+-----------+----------+ | | localhost | | | | xlkoracel | | +------+-----------+----------+ 2 rows in set (0.01 sec) (root@xlkoracel) [(none)]> -- Author : Leshami (root@xlkoracel) [(none)]> -- Blog : //m.sbmmt.com/ (root@localhost) [(none)]> -- 使用drop 方式清理用户 (root@localhost) [(none)]> drop user ''@'localhost'; Query OK, 0 rows affected (0.24 sec) (root@localhost) [(none)]> select user,host,password from mysql.user -> where (user is null or user='') and (password is null or password=''); +------+-----------+----------+ | user | host | password | +------+-----------+----------+ | | xlkoracel | | +------+-----------+----------+ 1 row in set (0.00 sec) (root@localhost) [(none)]> -- 直接用delete从mysql.user表清理用户 (root@localhost) [(none)]> delete from mysql.user -> where (user is null or user='') and (password is null or password=''); Query OK, 1 row affected (0.06 sec) (root@localhost) [(none)]> -- 直接用delete从mysql.user表清理所有密码为空的用户 (root@xlkoracel) [(none)]> delete from mysql.user where password is null or password=''; Query OK, 3 rows affected (0.00 sec)
3. Summary
a. For the mysql server deployed to the production environment, it is recommended to clean up all users with empty passwords and double-blank users.
b. It is recommended to back up before cleaning. It is safer to use the drop user method to clean up users
The above is the content of strengthening MySQL user security. For more related content, please pay attention to the PHP Chinese website (m.sbmmt.com)!