1. Basic operating instructions
1. View the current system database
# mysql -uroot -p
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| erp |
+--------------------+
3 rows in set (0.00 sec)
2. Switch database
mysql> use erp;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
2. Preparation for reclaiming privileges
1. List all accounts in the current instance (a host of % means the account can connect from any machine; 127.0.0.1 or localhost means only from this machine)
mysql> SELECT DISTINCT CONCAT('User: ''',user,'''@''',host,''';') AS query FROM mysql.user;
+-----------------------------------------+
| query |
+-----------------------------------------+
| User: 'root'@'%'; |
| User: 'root'@'127.0.0.1'; |
| User: 'root'@'::1'; |
| User: ''@'localhost'; |
| User: 'root'@'localhost'; |
| User: 'erp'@'%'; |
+-----------------------------------------+
5 rows in set (0.00 sec)
2. Check which privileges the business user holds, taking the user erp as an example:
mysql> show grants for 'erp'@'%';
+------------------------------------------------------------------------------------+
| Grants for erp@% |
+------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'erp'@'%' IDENTIFIED BY PASSWORD '*******' |
| GRANT ALL PRIVILEGES ON `ump`.* TO 'ump'@'%' |
+------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
3. Reclaiming high-risk privileges
1. Revoke all privileges, or revoke a single privilege such as DROP:
mysql> revoke all privileges on erp.* from 'erp'@'%';
mysql> revoke drop on erp.* from 'erp'@'%';
mysql> flush privileges;
Remarks:
(1) Some special server-level privileges and what they allow:
super: allows the user to kill any query, issue SET statements on global variables, and use CHANGE MASTER and PURGE MASTER LOGS
shutdown: shut down the database server
show databases: view the list of databases
replication client: query the status of the master server and slave servers
replication slave: view the slave servers
reload: required to execute flush [tables | logs | privileges]
process: required to execute SHOW PROCESSLIST and KILL
file: required to execute select ... into outfile and load data infile ... operations
(2) Ordinary privileges and what they allow:
all: allows any operation (the usage privilege cannot be revoked)
usage: only allows logging in
alter: modify tables in the database
alter routine: modify/drop stored procedures
create: create new databases or tables
create routine: create stored procedures
create temporary tables: create temporary tables
create view: create views
delete: delete table data
drop: drop databases/tables
event: create/alter/drop/view events
execute: execute stored routines
grant option: grant the privileges one holds to other users
index: create/drop indexes
insert: insert table data
lock tables: lock tables
references: use a column of another table as a foreign key constraint on a table
select: query table data
show view: view view definitions
trigger: create triggers
update: update table data
2. Re-grant the necessary privileges
mysql> grant select,insert,alter,update,delete,create,execute on erp.* to 'erp'@'%';
mysql> flush privileges;
3. Confirm the privileges
mysql> show grants for 'erp'@'%';
4. Points to note
1) FILE, PROCESS and SUPER are dangerous privileges; do not grant them to any account other than the administrator's. They are global privileges, so they are revoked at the *.* level (revoking them on a single database fails with an "Incorrect usage of DB GRANT and GLOBAL PRIVILEGES" error):
mysql> revoke file,process,super on *.* from 'erp'@'%';
2) Check the server privileges of one user (or of all users) and confirm that ordinary accounts do not hold the three dangerous privileges above:
mysql> select * from mysql.user where user='erp'\G
*************************** 1. row ***************************
Host: %
User: erp
Password: *33F471D4D8A84CD6C0
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Show_db_priv: N
Super_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Execute_priv: N
Repl_slave_priv: N
Repl_client_priv: N
Create_view_priv: N
Show_view_priv: N
Create_routine_priv: N
Alter_routine_priv: N
Create_user_priv: N
Event_priv: N
Trigger_priv: N
Create_tablespace_priv: N
ssl_type:
ssl_cipher:
x509_issuer:
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
plugin: mysql_native_password
authentication_string:
password_expired: N
1 row in set (0.00 sec)
mysql> select * from mysql.user\G
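The \G listing above has to be read by eye for every account. As an added example (not from the original page), the following query does the same check across all accounts at once, assuming the mysql.user layout shown above (one Y/N *_priv column per global privilege); the administrator accounts it excludes are the root@localhost-style ones from the user listing earlier.

```sql
-- Added example: find non-administrator accounts holding the server-level
-- privileges the remarks call dangerous. Assumes a mysql.user table with
-- the *_priv Y/N columns shown in the \G output above.
SELECT
    CONCAT('''', user, '''@''', host, '''') AS account,
    File_priv, Process_priv, Super_priv,
    Shutdown_priv, Reload_priv, Repl_slave_priv, Repl_client_priv, Grant_priv
FROM mysql.user
WHERE (File_priv = 'Y' OR Process_priv = 'Y' OR Super_priv = 'Y'
       OR Shutdown_priv = 'Y' OR Reload_priv = 'Y')
  -- administrator accounts, as listed in the earlier user inventory
  AND NOT (user = 'root' AND host IN ('localhost', '127.0.0.1', '::1'));

-- Expected on a hardened server: an empty result set.
-- For any business account that is returned (e.g. 'erp'@'%'), the remedy is
-- the page's global-level revoke; these privileges cannot be revoked
-- at the database level:
REVOKE FILE, PROCESS, SUPER ON *.* FROM 'erp'@'%';
FLUSH PRIVILEGES;
```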
3) Granting a table-level privilege stores the grant in the mysql.tables_priv table:
mysql> grant select on dbname.tablename to 'username'@'%' with grant option;
mysql> select * from mysql.tables_priv;
+------+--------+----------+------------+----------------+---------------------+--------------+-------------+
| Host | Db     | User     | Table_name | Grantor        | Timestamp           | Table_priv   | Column_priv |
+------+--------+----------+------------+----------------+---------------------+--------------+-------------+
| %    | dbname | username | tablename  | root@localhost | 0000-00-00 00:00:00 | Select,Grant |             |
+------+--------+----------+------------+----------------+---------------------+--------------+-------------+
4) Granting a column-level privilege stores the grant in the mysql.columns_priv table:
mysql> grant select(Column_name) on dbname.tablename to 'username'@'%' with grant option;
mysql> select * from mysql.columns_priv;
+------+--------+----------+------------+-------------+---------------------+-------------+
| Host | Db     | User     | Table_name | Column_name | Timestamp           | Column_priv |
+------+--------+----------+------------+-------------+---------------------+-------------+
| %    | dbname | username | tablename  | Column_name | 0000-00-00 00:00:00 | Select      |
+------+--------+----------+------------+-------------+---------------------+-------------+
5) The following command reclaims only global privileges. The user's other privileges, such as those on the dbname database, on the tablename table, or on the Column_name column, remain in place:
mysql> revoke all privileges on *.* from 'username'@'localhost';
So, to reclaim all of the user's privileges at every level, use:
mysql> revoke all privileges,grant option from 'username'@'%';