MySQL security issues (anonymous users)

xiaoxiao, 2021-03-06

A few days ago, while helping a friend tidy up his homepage, I noticed a MySQL issue that is easy to overlook:

As we know, after MySQL is installed it automatically creates a root user and an anonymous user, both with an empty initial password. For the former, many reference materials remind everyone to set a password promptly; the latter is usually ignored, because by default it can only be used from the local machine.

But if your MySQL server provides database service to a web server, ignoring this anonymous user can cost you dearly, because under the default settings the anonymous user has almost the same privileges as root on localhost. If your customers can upload scripts, and those scripts can perform MySQL database operations (for example PHP with MySQL support), your MySQL server may be affected as follows:

While sorting out my friend's web space, I wrote a very simple PHP file that executes an SQL statement, with an empty username and password in the connection string and host = localhost. The result was that my SQL statement was executed, so I ran SELECT * FROM mysql.user to view user privileges, and found that this user has very high privileges on localhost, even Grant_Priv (when viewing the table, there are two rows below the root user whose username is empty; the password is empty, but the privilege columns show Y/N, and these are the local and remote privilege settings of this anonymous user).

So I tried creating a new user from this PHP page and granting it higher privileges, and it succeeded. I could then use this new user through my MySQL client to connect to this website's MySQL server, and with this newly created user administer the website's MySQL server. Seeing how easily one can get at deep database operations, how could I dare to put my friend's sensitive homepage information in this MySQL server?

Suggestions for improvement:

1. After installing MySQL, change not only the root user's password but also the anonymous user's password; the method is similar to changing the root password:

mysql> UPDATE mysql.user SET Password = PASSWORD('YourNewPassword') WHERE User = '';

mysql> FLUSH PRIVILEGES;

2. If it is not necessary, remove this anonymous user, so that everyone must supply a username to use MySQL; then, even if a problem does occur, it is easy to trace its source.

3. Apart from the root user, other users, including the anonymous user (if it has not been deleted), should not have the GRANT privilege, to prevent administrative privileges from spreading.

4. When you give UPDATE / DELETE / ALTER / CREATE / DROP privileges, restrict them to a specific database, and in particular avoid letting ordinary customers operate on the mysql database itself, otherwise your system settings may well be overwritten.

5. Check the mysql.user table and revoke Shutdown_Priv, Reload_Priv, Process_Priv and File_Priv from users who do not need them; these privileges may leak more server information, including information unrelated to MySQL.

6. If you do not plan to let your users use the MySQL database, reconfigure or recompile PHP (or whatever scripting language you provide) and remove its default MySQL support.
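An added audit script (my example, not the original author's) that applies checks 1 through 5 above to rows in the shape of the pre-5.7 mysql.user table this page queries and produces the matching remediation statements; the rows are constructed sample data, and the "*HASH" password values and webapp account are placeholders.

```python
# Constructed sample rows shaped like the pre-5.7 mysql.user table (Password column,
# Y/N *_priv flags): empty User = anonymous account, empty Password = no password.
SAMPLE_ROWS = [
    {"User": "root", "Host": "localhost", "Password": "*HASH", "Grant_priv": "Y",
     "Shutdown_priv": "Y", "Reload_priv": "Y", "Process_priv": "Y", "File_priv": "Y"},
    {"User": "", "Host": "localhost", "Password": "", "Grant_priv": "Y",
     "Shutdown_priv": "N", "Reload_priv": "N", "Process_priv": "N", "File_priv": "N"},
    {"User": "", "Host": "%", "Password": "", "Grant_priv": "N",
     "Shutdown_priv": "N", "Reload_priv": "N", "Process_priv": "N", "File_priv": "N"},
    {"User": "webapp", "Host": "localhost", "Password": "*HASH", "Grant_priv": "N",
     "Shutdown_priv": "N", "Reload_priv": "N", "Process_priv": "N", "File_priv": "Y"},
]

# Server-wide privileges the page says ordinary accounts should not hold (check 5).
SERVER_PRIVS = ("Shutdown_priv", "Reload_priv", "Process_priv", "File_priv")


def quote(value):
    """Quote a MySQL string literal, doubling embedded single quotes."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def audit(rows):
    """Return (severity, account, problem, remediation_sql) tuples for risky rows."""
    findings = []
    for row in rows:
        account = f"{quote(row['User'])}@{quote(row['Host'])}"
        if row["User"] == "":  # check 2: anonymous accounts should simply go
            findings.append(("high", account, "anonymous account", f"DROP USER {account};"))
            continue
        if row["Password"] == "":  # check 1: no account without a password
            findings.append(("high", account, "empty password",
                             f"SET PASSWORD FOR {account} = PASSWORD('<new-password>');"))
        if row["User"] == "root":
            continue  # checks 3 and 5 apply to everyone except root
        if row["Grant_priv"] == "Y":  # check 3: GRANT lets privileges spread
            findings.append(("medium", account, "has GRANT OPTION",
                             f"REVOKE GRANT OPTION ON *.* FROM {account};"))
        held = [p[:-5].upper() for p in SERVER_PRIVS if row[p] == "Y"]
        if held:  # check 5: server-level privileges leak information beyond MySQL
            names = ", ".join(held)
            findings.append(("medium", account, f"server privileges: {names}",
                             f"REVOKE {names} ON *.* FROM {account};"))
    return findings


def remediation_script(rows):
    """Join the remediation statements, ending with the FLUSH that step 1 above uses."""
    statements = [finding[3] for finding in audit(rows)]
    return "\n".join(statements + ["FLUSH PRIVILEGES;"])
```

On MySQL 5.7 and later the password column is authentication_string and ALTER USER ... IDENTIFIED BY replaces SET PASSWORD ... = PASSWORD(), so adjust the row keys and the empty-password remediation accordingly.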

From: Very linux

Please credit the original address when reprinting: https://www.9cbs.com/read-105818.html
