7人参与 • 2026-01-31 • Mysql
# mysql -uroot -p mysql> show databases; +--------------------+ | database | +--------------------+ | information_schema | | mysql | | performance_schema | | erp | +--------------------+ 3 rows in set (0.00 sec)
mysql> use erp; reading table information for completion of table and column names you can turn off this feature to get a quicker startup with -a database changed
mysql> select distinct concat('user: ''',user,'''@''',host,''';') as query from mysql.user;
+-----------------------------------------+
| query |
+-----------------------------------------+
| user: 'root'@'%'; |
| user: 'root'@'127.0.0.1'; |
| user: 'root'@'::1'; |
| user: ''@'localhost'; |
| user: 'root'@'localhost'; |
| user: 'erp'@'%'; |
+-----------------------------------------+
5 rows in set (0.00 sec)
mysql> show grants for 'erp'@'%'; +------------------------------------------------------------------------------------+ | grants for erp@% | +------------------------------------------------------------------------------------+ | grant usage on *.* to 'erp'@'%' identified by password '*******' | | grant all privileges on `ump`.* to 'ump'@'%' | +------------------------------------------------------------------------------------+ 2 rows in set (0.00 sec)
mysql> revoke all privileges on erp.* from 'erp'@'%'; mysql> revoke drop on erp.* from 'erp'@'%'; mysql> flush privileges;
备注:
(1)列举部分特殊的服务器权限及其功能说明:
super:拥有此权限允许用户终止任何查询;修改全局变量的set语句;使用change master,purge master logs shutdown:关闭数据库 show databases:查看数据库 replication client:查询master server、slave server状态 replication slave:查看从服务器 reload:拥有此权限才可执行flush [tables | logs | privileges] process:拥有此权限才可以执行show processlist和kill命令 file:拥有file权限才可以执行 select ..into outfile和load data infile…操作
(2)普通用户权限及其功能说明:
all:允许任何操作(usage权限不能被回收)
usage:只允许登录
alter:修改数据库的表
alter routine:修改/删除存储过程
create:创建表
create routine:创建存储过程
create temporary tables:创建临时表
create:创建新的数据库或表
create view:创建视图
delete:删除表数据
drop:删除数据库/表
event:创建/更改/删除/查看事件
execute:执行权限
grant option:将自身所拥有的权限授予其他用户
index:创建/删除索引
insert:添加表数据
lock tables:锁表
references:将其它表的一个字段作为某一个表的外键约束
select:查询表数据
show view:查看视图
trigger:创建触发器
update:更新表数据
mysql> grant select,insert,alter,update,delete,create,execute on erp.* to 'erp'@'%' ; mysql> flush privileges;
mysql> show grants for 'erp'@'%';
1)、file, process, super为危险权限,切勿权限授予管理员以外的账号;
mysql> revoke file,process,super on erp.* from 'erp'@'%';
2)、查看某个或所有用户的服务器权限,确认普通账号没有授权上述三种危险权限
mysql> select * from mysql.user where user='erp'\g;
*************************** 1. row ***************************
host: %
user: erp
password: *33f471d4d8a84cd6c0
select_priv: n
insert_priv: n
update_priv: n
delete_priv: n
create_priv: n
drop_priv: n
reload_priv: n
shutdown_priv: n
process_priv: n
file_priv: n
grant_priv: n
references_priv: n
index_priv: n
alter_priv: n
show_db_priv: n
super_priv: n
create_tmp_table_priv: n
lock_tables_priv: n
execute_priv: n
repl_slave_priv: n
repl_client_priv: n
create_view_priv: n
show_view_priv: n
create_routine_priv: n
alter_routine_priv: n
create_user_priv: n
event_priv: n
trigger_priv: n
create_tablespace_priv: n
ssl_type:
ssl_cipher:
x509_issuer:
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
plugin: mysql_native_password
authentication_string:
password_expired: n
1 row in set (0.00 sec)
mysql> select * from mysql.user \g;
3)、授予某张表权限,权限信息保存在mysql.tables_priv表中
mysql> grant select on dbname.tablename to 'username'@'%' with grant option; mysql> select * from mysql.tables_priv; select * from mysql.tables_priv; +-----------+-----+-------+------------+----------------+---------------------+-------+ | host | db | user | table_name | grantor | timestamp | table_priv | column_priv | +-----------+-----+-------+------------+----------------+---------------------+-------+ | % | dbname | username | tablename | root@localhost | 0000-00-00 00:00:00 | select,grant | | +-----------+-----+-------+------------+----------------+---------------------+-------+
4)、授予某个字段权限,权限信息保存在mysql.columns_priv表中
mysql> grant select(column_name) on dbname.tablename to 'username'@'%' with grant option; mysql> select * from mysql.columns_priv; select * from mysql.columns_priv; +-----------+-----+-------+------------+-------------+---------------------+----------+ | host | db | user | table_name | column_name | timestamp | column_priv | +-----------+-----+-------+------------+-------------+---------------------+----------+ | % | dbname | username | tablename | column_name | 0000-00-00 00:00:00 | select| +-----------+-----+-------+------------+-------------+---------------------+----------+
5)、当使用如下命令回收权限时,它回收的只是全局的权限,username用户其他的权限,比如对dbname数据库的权限,对tablename表的权限,对某个column_name字段的权限仍然持有。
mysql> revoke all privileges on *.* from 'username'@'localhost';
所以为了回收用户的所有权限,要使用如下命令
mysql> revoke all privileges,grant option from 'username'@'%';
到此这篇关于mysql数据库高危权限回收的实现的文章就介绍到这了,更多相关mysql数据库高危权限回收内容请搜索代码网以前的文章或继续浏览下面的相关文章希望大家以后多多支持代码网!
您想发表意见!!点此发布评论
版权声明:本文内容由互联网用户贡献,该文观点仅代表作者本人。本站仅提供信息存储服务,不拥有所有权,不承担相关法律责任。 如发现本站有涉嫌抄袭侵权/违法违规的内容, 请发送邮件至 2386932994@qq.com 举报,一经查实将立刻删除。
发表评论