我在 SLES 11 SP2 上运行 MySQLserver 版本 5.0.96,我正在寻找更改用户密码的安全方法。当然,通过以下方式更改用户密码非常容易:
SET PASSWORD FOR 'user'@'192.168.0.%' = PASSWORD('mysecret');
但是这个查询会进入查询日志、二进制日志和 MySQL 历史文件。为了防止这种情况,我使用了:
export MYSQL_HISTFILE=/dev/null
在启动客户端之前,以及:
SET sql_log_bin = 0;
SET sql_log_off = 1;
之后。 grep 和 mysqlbinlog 证明我的计划是一致的,但我忽略了 MySQL 已经悄悄地将/dev/null 的文件模式位更改为 0600。糟糕!
此时,我问自己是否有更好的方法来安全地更改用户密码。现在我问你:
安全更改 MySQL 服务器用户密码的最佳方法是什么?
最佳答案
好像是根据dev.mysql ,他们建议只保护日志而不是清理它们。
To guard against unwarranted exposure to log files, they should be located in a directory that restricts access to only the server and the database administrator.
Replication slaves store the password for the replication master in the master.info file. Retrict this file to be accessible only to the database administrator.
Database backups that include tables or log files containing passwords should be protected using a restricted access mode.
看起来这个问题在 MySQL 的更高版本中得到了更优雅的修复。请参阅:http://dev.mysql.com/doc/refman/5.7/en/password-logging.html
In MySQL 5.7, statement logging avoids writing passwords in plain text for the following statements:
CREATE USER ... IDENTIFIED BY ... GRANT ... IDENTIFIED BY ... SET PASSWORD ... SLAVE START ... PASSWORD = ... CREATE SERVER ... OPTIONS(... PASSWORD ...) ALTER SERVER ... OPTIONS(... PASSWORD ...)
Passwords in those statements are rewritten not to appear literally in statement text, for the general query log, slow query log, and binary log. Rewriting does not apply to other statements.
因此,除非您可以升级到更高版本,否则您的解决方案似乎是正确的。
关于mysql - 更改用户mysql密码以确保安全——最佳实践,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/17941094/