MySQL includes a sophisticated security system. You can use MySQL commands to create users and grant them privileges for a database or table.
The Grant Tables
Internally, the MySQL server stores its usernames, passwords, and privileges in several tables within the mysql database. This database is created when you install the MySQL server. The user table within this database stores a row for each user and a number of fields that define the basic privileges granted to the user.
The other tables in the mysql database include the host table, which stores privileges specific to particular hostnames, and the db table, which stores privileges granted to users for a specific database. The tables_priv table stores privileges granted for specific table names, and the columns_priv table stores privileges granted for only specific columns of a table.
Default Users
When you install the MySQL server, the root user is created by default. This user is granted all privileges for all databases and tables, and can create additional users. The root user does not have a password by default, and this is a major security hole. Be sure to change the root password before allowing users to access the MySQL server.
The installation also creates an anonymous user, which allows users on the local host to connect without specifying a username and password. This user is restricted to a database named test or with a name beginning with test_, so this does not represent a serious security risk.
The Authentication Process
When you attempt to connect to a MySQL server, the client encrypts your password and sends a request including the username you specified to the server. The server checks whether the username is listed in the user table and whether the password matches the encrypted password stored in that table. If they match, you are allowed to connect.
After this initial authentication, the MySQL client authenticates each command the client sends to the server, and checks the user, db, and other tables to determine whether the username has the right privileges for the command being issued.
Security Commands
MySQL includes three basic commands for working with security. The first, GRANT, grants one or more privileges to a user for a database or table. If the user does not already exist, it is created.
The REVOKE command removes one or more privileges from a username. It can leave a user without privileges, but does not delete users from the user table.
The SHOW GRANTS command displays the privileges granted to a particular user. These are displayed as GRANT statements and can be used to recreate or duplicate the user's privileges.
MySQL Users and Privileges
You must specify a username when you use MySQL client programs, such as mysql or mysqladmin. If you are the administrator of the MySQL server, you can create usernames and control the privileges, or permissions, of each user.
You use the GRANT command in MySQL to grant one or more privileges to a user. If the username you specify does not exist, it is created. The REVOKE command is the opposite. This command removes one or more privileges from a user.
A user in MySQL is actually the combination of a username and hostname. If a username is set up with a specific host, the user can only connect from that host. Users can also be configured to allow multiple hosts or all hosts.
The privileges you can grant to a user include most of the different things that can be done with SQL queries, including SELECT, INSERT, and DELETE. The complete list of privileges is included later in this chapter.
Note: This example uses the testdb database and the quotes table, which you can import from the CD-ROM.
1. From the MySQL monitor, type USE testdb; and press Enter.
   ■ The database is now selected.
2. Type GRANT ALL ON testdb.* and press Enter.
   ■ You are prompted for the next line.
3. Type TO nancy IDENTIFIED BY 'thepass'; and press Enter.
   ■ The user is now created. This user has all privileges for the entire database.
MySQL uses its own system of usernames and passwords, unrelated to the underlying operating system. You can use the GRANT command from MySQL to create a username and assign one or more privileges to the user. You can assign privileges for all databases, a single database, a table, or even a single column.
The basic syntax of the GRANT command specifies a privilege type, a table or database name, a username, and a password. The username can be an existing MySQL user. If it is a new user, the user is added. The following GRANT command grants all privileges to the user nancy for the testdb database:
GRANT ALL ON testdb.*
TO nancy IDENTIFIED BY 'thepass';
Usernames on MySQL can be a simple name like the above, or a combination of a username, the @ symbol, and hostname. If you specify a hostname, the user can only access MySQL from that host. If you do not specify a hostname, the username will work from any host. You can use the wildcard character, %, as the hostname to explicitly indicate that the user can connect from any host.
You can specify a database name with the * symbol, meaning all tables under that database, a table name under the current database selected with the USE command, or the wildcard *.*, meaning all databases on the server. You can optionally specify a list of columns in parentheses before the ON keyword, and the user will have the privileges you specify for only those columns.
The IDENTIFIED BY clause in the GRANT statement allows you to specify a password for the user. The password will be encrypted and stored in the MySQL user table. If the user has already been created with a previous GRANT statement, you do not need to use the IDENTIFIED BY clause again.
In order to grant privileges to a user, you must be logged in as a user with those privileges and the ability to grant. If you specify WITH GRANT OPTION at the end of the GRANT command, the user will have the ability to grant any privileges they have to other users.
The REVOKE command allows you to revoke one or more privileges from a user. To use this command, specify REVOKE, the privilege type or ALL, the ON keyword, the table or database name, the FROM keyword, and the username.
GRANT PRIVILEGES TO USERS
4. Type GRANT ALL ON quotes and press Enter.
5. Type TO fred IDENTIFIED BY 'other'; and press Enter.
   ■ This creates another user. This one has access to the quotes table only.
6. Type REVOKE DELETE, DROP ON quotes and press Enter.
7. Type FROM fred; and press Enter.
   ■ This removes the DELETE and DROP privileges, leaving the user with the remaining privileges.
type. This keyword assigns all available privileges. You can also assign the specific privileges listed in the table below.
ALTER            Use ALTER TABLE command
CREATE           Use CREATE TABLE command
DELETE           Use DELETE command
DROP             Use DROP TABLE command
FILE             Use SELECT INTO OUTFILE and LOAD DATA INFILE
INDEX            Use CREATE INDEX or DROP INDEX
INSERT           Use INSERT command
LOCK TABLES      Use LOCK TABLES command
PROCESS          Use SHOW PROCESSLIST and mysqladmin processlist
RELOAD           Use the FLUSH command
SELECT           Use SELECT queries
SHOW DATABASES   Show all databases
SHUTDOWN         Shut down the server with mysqladmin shutdown
SUPER            Various administrative privileges including mysqladmin kill
UPDATE           Use UPDATE queries
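As an added example (not from the original chapter), the statements below grant specific privileges from the table above instead of ALL, combine them with a column list and a host restriction, and then narrow one account with REVOKE. The account names reporter, editor and dbowner, the column names quote and author, and the passwords are hypothetical; the syntax is the GRANT ... IDENTIFIED BY form this chapter uses, which MySQL 8.0 no longer accepts for creating accounts.

```sql
-- Added example: least-privilege grants on the chapter's testdb.quotes table.
-- Account names, column names (quote, author) and passwords are hypothetical.

-- Read-only access to two columns, from the local host only.
-- The column list goes in parentheses before the ON keyword.
GRANT SELECT (quote, author) ON testdb.quotes
  TO 'reporter'@'localhost' IDENTIFIED BY 'CHANGE-ME-1';

-- An editing account limited to one table and one address range.
-- No DELETE, DROP or ALTER, so it cannot remove rows or change the table.
GRANT SELECT, INSERT, UPDATE ON testdb.quotes
  TO 'editor'@'192.168.%' IDENTIFIED BY 'CHANGE-ME-2';

-- Delegated owner of one database. WITH GRANT OPTION lets this account
-- pass on the privileges it holds, so give it to as few accounts as possible.
GRANT SELECT, INSERT, UPDATE, DELETE ON testdb.*
  TO 'dbowner'@'localhost' IDENTIFIED BY 'CHANGE-ME-3'
  WITH GRANT OPTION;

-- Narrow an account later without deleting it.
-- The user and host must match the account exactly as it was created.
REVOKE UPDATE ON testdb.quotes FROM 'editor'@'192.168.%';

-- Confirm what each account ended up with.
SHOW GRANTS FOR 'reporter'@'localhost';
SHOW GRANTS FOR 'editor'@'192.168.%';
SHOW GRANTS FOR 'dbowner'@'localhost';
```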
Note: This example uses the users you created in the previous section. You must be connected to MySQL as the root user or another user that can grant privileges.
1. From the MySQL monitor, type SET PASSWORD FOR and press Enter.
2. Type fred = PASSWORD('newpass'); and press Enter.
   ■ This sets the user's password.
3. Type SET PASSWORD = PASSWORD('newpass'); and press Enter.
   ■ This sets the password for the current user.
Note: If you change your password, be sure not to use the default value given here, and be sure to remember the password you have chosen.
After you have created a user and granted privileges with GRANT, you can change the user's password using the SET PASSWORD command within the MySQL monitor. For example, the following command changes the password for the user fred:
SET PASSWORD FOR fred = PASSWORD('newpass');
MySQL stores passwords in an encrypted form. When you change a password with the SET PASSWORD command, you must use the PASSWORD function to encrypt the new password. MySQL expects the new password to be in encrypted form.
In order to change a user's password, you must either be logged in as that user or as a user with the GRANT OPTION privilege. This allows you to change the password for any user. You can also assign passwords by using the IDENTIFIED BY clause when creating users or adding privileges using the GRANT command, as explained in the previous section.
You can also change a user's password using the mysqladmin password command at the command prompt. In this case, you do not need to use the PASSWORD function. For example, the following command changes the password for the current user:
mysqladmin password 'newpass'
If you specify the -u option with mysqladmin, you can set the password for the specified user. However, this option requires the user's current password. If you need to set a password and do not know the user's current password, use the SET PASSWORD command.
When MySQL is first installed, the root user may be set up with no password or a default password. To secure the MySQL server, you should immediately change the password for this user using SET PASSWORD or mysqladmin password.
MODIFY USER PASSWORDS
4. Type SET PASSWORD FOR and press Enter.
5. Type nancy = PASSWORD('pass2'); and press Enter.
   ■ This sets another user's password.
6. Type SELECT PASSWORD('newpass'); and press Enter.
   ■ This demonstrates the PASSWORD function and displays an encrypted result.
in MySQL are limited to a length of 16 characters. There is no limit to password length in MySQL, but some systems limit the length to eight characters. While the username and password can be the same as a UNIX or Windows user account, they are separate and do not need to be the same.
When you choose a password, be sure to make it difficult to guess. Names and words that appear in the dictionary are bad choices for passwords.
The ideal choice is a combination of random letters mixed with numbers, although truly random passwords are not easy for users to remember.
Because MySQL stores passwords encrypted using the PASSWORD function, knowing the encrypted password for a user is as good as knowing the real password. Do not allow users to view the grant tables, described later in this chapter, as the encrypted passwords would be displayed.
When users specify a password on the command line to mysql or other client programs, other users may be able to see the password in the system's process list. A better strategy is to store the password in a my.cnf file in each user's home directory. This file is explained in Chapter 10.
Note: The users referred to in this example were created in the section “Grant Privileges to Users.”
1. From the MySQL monitor, type SHOW GRANTS FOR nancy; and press Enter.
   ■ The privileges for the user are displayed.
Note: You must be connected to MySQL as the root user or another user that can grant privileges to use this command.
2. Type SHOW GRANTS FOR fred; and press Enter.
   ■ This user's privileges are displayed.
You can use the SHOW GRANTS command from the MySQL monitor to find out what privileges have been granted to a particular user. This is useful if you need to check what abilities have been given to a user. For example, the following statement displays the privileges granted to the user fred:
SHOW GRANTS FOR fred;
The results for SHOW GRANTS are presented in the form of one or more GRANT statements. You can copy these statements and use them to restore the user's privileges in the event of data loss, or use them to create another user with the same privileges. The password in the GRANT statement is shown in encrypted form.
In some cases a user is configured in MySQL but does not have any privileges. This can happen if you create a user manually in the user table, or if you have revoked all of a user's privileges. In this case, when you use SHOW GRANTS, the results show a GRANT USAGE statement. USAGE is a special privilege meaning "no privileges." In other words, the user can connect to the MySQL server but cannot access any databases or tables.
When using SHOW GRANTS, remember that MySQL stores users as a combination of username and hostname. If a username is configured with a specific host, you must specify the hostname to view their privileges. If you have created the user ted@localhost, for example, no privileges will be shown if you use this command:
SHOW GRANTS FOR ted;
Because no hostname is specified, this command looks for a user with access from all hosts, and no user is found. To show the privileges for the correct user, specify the hostname with the @ symbol.
VIEW A USER'S PRIVILEGES
3. Type REVOKE ALL ON testdb.quotes FROM fred; and press Enter.
   ■ This revokes all of the user's privileges.
4. Type SHOW GRANTS FOR fred; and press Enter.
   ■ The user's privileges now include only the USAGE privilege, which allows access but no privileges.
In order to use SHOW GRANTS, your username must have the GRANT OPTION in its list of privileges. When you display the privileges for a user, the encrypted password is shown in the GRANT statements, and this could be used to gain access to the user's resources.
When you change a user's privileges using GRANT or REVOKE, the changes take effect immediately and are shown in subsequent SHOW GRANTS commands. The privileges are checked both when a user attempts to connect to the MySQL server and when they issue each command after connecting.
You cannot use wildcards with SHOW GRANTS to display the privileges of multiple users. To display a list of users or quickly view privileges for multiple users, you can access the grant tables directly, as described in the next section.
The GRANT statements shown when you use SHOW GRANTS are a summary of the user's privileges. While they can be used to recreate the user's privileges, they are not necessarily the same commands you used to assign the privileges and create the user.
1. From the MySQL monitor, type USE mysql; and press Enter.
   ■ The database is now selected.
Note: Usually you must be logged in as the root user to access this database.
2. Type SELECT * FROM user and press Enter.
3. Type WHERE User = "fred"; and press Enter.
   ■ The user's entry in the user table is displayed.
MySQL stores the users and privileges you assign in a set of tables under the mysql database, which was created when you installed the server. You can view these tables directly to find out detailed information about a user or to view the complete lists of users and privileges.
The mysql database is accessible only to the root user by default. Because this database contains usernames, passwords, and privileges for all users, access to it effectively allows you to view or modify any user's privileges on the server.
The user table within the mysql database stores the list of usernames and their basic privileges. This table is used by the MySQL server to determine whether to allow access when a user attempts to connect. Various columns of this table store values of "Y" or "N" to indicate whether a privilege is granted. You can use the following command to view the complete list of users:
SELECT * FROM user;
Because the output of this command includes encrypted passwords, be sure not to let anyone other than an administrator view the list.
The db table stores a row for each user that has privileges for a specific database on the server. For each row, the username, hostname, and database name are stored along with flags indicating various privileges specific to the database for that user.
The host table stores information for specific hostnames, and is used when a user is given access from multiple hosts. The tables_priv and columns_priv tables are used to store any privileges that have been granted to users specific to a table or one or more columns of a table.
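The audit queries below are an added example, not part of the original chapter: they read the grant tables to find the weak spots this chapter warns about (accounts with no password, the anonymous user, accounts open to any host, and usernames defined for more than one host). They assume the older grant-table layout described here, in which mysql.user has User, Host and Password columns plus "Y"/"N" privilege columns; run them as root.

```sql
-- Added audit example; assumes the older mysql.user layout with a Password column.
USE mysql;

-- 1. Accounts that can connect without a password
--    (a freshly installed root account shows up here).
SELECT User, Host FROM user WHERE Password = '';

-- 2. Anonymous accounts (empty username) and the databases they can reach.
SELECT User, Host FROM user WHERE User = '';
SELECT Host, Db FROM db WHERE User = '';

-- 3. Accounts whose Host contains the % wildcard, that is, accounts
--    usable from any host or from a whole range of hosts.
SELECT User, Host FROM user WHERE LOCATE('%', Host) > 0;

-- 4. Usernames that exist both with a wildcard host and with a specific
--    host. Restricting such a name to one host has no effect until the
--    wildcard entry is dealt with.
SELECT a.User, a.Host AS wildcard_host, b.Host AS specific_host
FROM user a JOIN user b ON a.User = b.User
WHERE LOCATE('%', a.Host) > 0 AND LOCATE('%', b.Host) = 0;

-- 5. Accounts holding server-wide administrative privileges.
SELECT User, Host, Grant_priv, Super_priv, File_priv, Shutdown_priv
FROM user
WHERE Grant_priv = 'Y' OR Super_priv = 'Y'
   OR File_priv = 'Y' OR Shutdown_priv = 'Y';

-- 6. Accounts granted database-level privileges on the mysql database
--    itself, which exposes the stored password values to them.
SELECT User, Host, Db, Select_priv, Update_priv
FROM db WHERE Db = 'mysql';
```

Any row returned by queries 1, 4 or 6 for an account other than the administrator's own is worth reviewing with SHOW GRANTS for that exact user and host.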
VIEW SECURITY TABLES
4. Type DESCRIBE user; and press Enter.
   ■ This displays a summary of the columns of the user table.
5. Type DESCRIBE db; and press Enter.
   ■ This displays the columns of the db table.
You can manipulate the tables in the database directly. For example, you can use the following UPDATE query to change a user's password rather than using the SET PASSWORD command.
Example:
UPDATE user SET Password=PASSWORD('newpass') WHERE user='fred';
You can also use INSERT queries to add users or DELETE queries to delete users from the user table. You can also modify the other tables to add or remove privileges. While this is rarely necessary, it gives you more complete access to the various settings stored in the tables and may be more practical than using GRANT and REVOKE in some cases.
When you have made changes to users or other tables in the mysql database, they are not automatically reloaded by the server. You can use the command FLUSH PRIVILEGES from the MySQL monitor, or mysqladmin flush-privileges from the command prompt, to force the tables to be reloaded. They will also be reloaded if you restart the MySQL server.
While modifying these tables directly is powerful, it can also be dangerous: You could easily delete the root username, for example, and lose root access to the server. Use these tables with caution, or use the GRANT and REVOKE commands instead. Also, be sure that you do not give any other users access to view or modify the tables in the mysql database.
Note: This example uses the testdb database. You must be connected to MySQL as the root user or another user that can grant privileges.
1. From the MySQL monitor, type GRANT ALL ON testdb.* TO henry@localhost and press Enter.
2. Type IDENTIFIED BY 'password'; and press Enter.
   ■ This creates a user that can access MySQL from the local host only.
Note: For security, choose your own password rather than using the one given here.
3. Type GRANT ALL ON testdb.* TO sue@example.com and press Enter.
4. Type IDENTIFIED BY 'password'; and press Enter.
   ■ This creates a user that can connect to MySQL from the example.com host only.
Note: For security, choose a different password.
CONTROL NETWORK ACCESS
When you created users on the MySQL server earlier in this chapter, you did not specify a hostname in the GRANT command. This allows the user to connect to the MySQL server from any host on the network. While this is often what you need, when a user will only be connecting from the local host or a specific host, you can give them access only from certain hosts. This greatly reduces the possibility of the user account being used maliciously across the network.
To specify the hostname a user can connect from, use the @ symbol to combine the user name and hostname. For example, the following GRANT command creates a username, henry, that can be used to connect only from the machine running MySQL server:
GRANT ALL ON testdb.* TO henry@localhost
IDENTIFIED BY 'password';
MySQL allows multiple users with the same name in the user table, as long as their hostnames are different. For this reason, limiting the user to the local host will only work if you have not previously granted privileges to the same username without specifying a hostname. If you have done this, use REVOKE to remove the privileges for the original user before adding a user with a specified hostname.
You can specify a hostname or IP address that the user can connect from instead of using localhost. For example, the following GRANT command creates a username, sue, that can connect only from a host called example.com:
GRANT ALL ON testdb.* TO sue@example.com IDENTIFIED BY 'password';
If you need to allow access for a user from more than one host, simply repeat the GRANT command for each hostname. You can use the wildcard character % in the hostname to allow a set of host names or IP addresses. When you do this, you must enclose the username and hostname in quotation marks:
GRANT ALL ON testdb.* TO 'user1'@'192.168.%';