Mysql 默认值''@';本地主机';用户允许不带密码的不存在用户名登录,并阻止真实用户登录
这是故意的行为还是我遗漏了什么Mysql 默认值''@';本地主机';用户允许不带密码的不存在用户名登录,并阻止真实用户登录,mysql,security,Mysql,Security,这是故意的行为还是我遗漏了什么 -- Abstract: if there's ''@'localhost' user, can login with any username without password, -- and any users @'%' will be ignored on login. -------[Root connection]------- -- All mysql installations I've seen so far have ''@'localho
-- Abstract: if there's ''@'localhost' user, can login with any username without password,
-- and any users @'%' will be ignored on login.
-------[Root connection]-------
-- All mysql installations I've seen so far have ''@'localhost' user record.
mysql> select host, user from mysql.user;
+-----------+--------+
| host | user |
+-----------+--------+
| 127.0.0.1 | root |
| ::1 | root |
| localhost | |
| localhost | root |
+-----------+--------+
4 rows in set (0.00 sec)
-------[Another connection]-------
-- This allows login with ANY username without password from localhost!
$ mysql -u myuser -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11222
Server version: 5.6.16 MySQL Community Server (GPL)
mysql> quit
Bye
-- Or even without username at all
$ mysql -u '' -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11223
Server version: 5.6.16 MySQL Community Server (GPL)
mysql> quit
Bye
-------[Root connection]-------
-- Let's create a user @'%'
mysql> grant all on mydb.* to 'myuser'@'%' identified by '123123';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
-------[Another connection]-------
-- This user is ignored
$ mysql -u myuser -p
Enter password: 123123
ERROR 1045 (28000): Access denied for user 'myuser'@'localhost' (using password: YES)
-------[Root connection]-------
-- Let's remove the empty user record
mysql> drop user ''@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
-- And make sure that we're ok
mysql> select Host, User from mysql.user;
+-----------+------+
| Host | User |
+-----------+------+
| 127.0.0.1 | root |
| ::1 | root |
| localhost | root |
+-----------+------+
3 rows in set (0.00 sec)
-------[Another connection]-------
-- Able to login with the correct user!
$ mysql -u myuser -p
Enter password: 123123
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11228
Server version: 5.6.16 MySQL Community Server (GPL)
-- And check the permissions
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mydb |
| test |
+--------------------+
3 rows in set (0.00 sec)
mysql> quit
Bye
你有问题吗?我有一个问题,这是故意的行为还是我遗漏了什么?是的,这就是记录用户访问的方式