
Totally bizarre: deleting a MySQL user allows me to still log in as that user with an empty password

Using MySQL 5.5 on Arch Linux, when I create a localhost user with a password and give it all privileges on all tables and then delete that user, I can still log in as that user without typing in a password.

Steps to reproduce:

# mysql -u root -h localhost -p
  Enter password: <root password>

mysql> create user 'test'@'localhost' identified by 'testing123';
mysql> grant all on *.* to 'test'@'localhost' identified by 'testing123';
mysql> select * from mysql.user where user='test';
       1 row in set (0.00 sec)
mysql> exit

# mysql -u test -h localhost -p
  Enter password: testing123

mysql> show databases;
mysql> exit

# mysql -u root -h localhost -p
  Enter password: <root password>

mysql> delete from mysql.user where user='test';
       Query OK, 1 row affected (0.00 sec)
mysql> FLUSH PRIVILEGES;
mysql> select * from mysql.user where user='test';
       Empty set (0.00 sec)
mysql> exit

# mysql -u test -h localhost

mysql> (Why?)

Not only that, but the "non-existing" test user can still exercise all of the same privileges. Major security problem. If I restart the server, it still lets me log in without a password.

I finally figured out what was happening. By default, in the user table there is an anonymous user ''@localhost. This user is automatically matched with any attempted username, and you are logged in as that anonymous user. Kind of strange, I know. To get rid of the anonymous user, log in as root and perform the following command:

drop user ''@localhost;
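The following is an added example, not part of the original question or answer, showing how to confirm the anonymous-account match described above and how to remove every anonymous account rather than only the one at localhost. It assumes a MySQL 5.5 server (where the password column in mysql.user is still named Password) and a root connection like the one shown in the reproduction steps; the hostname placeholder in the comments is an assumption to be replaced with whatever the query returns.

```sql
-- Added example (not from the original post). Assumes MySQL 5.5 and a root session.

-- 1. Diagnose. USER() is the name the client claimed on the command line;
--    CURRENT_USER() is the mysql.user row the server actually matched.
--    Run as "mysql -u test -h localhost" after the DELETE in the question,
--    the first column reads test@localhost and the second reads @localhost,
--    which is the anonymous account doing the work.
SELECT USER(), CURRENT_USER();

-- 2. Enumerate all anonymous accounts (empty User column). A default install
--    typically creates one for 'localhost' and one for the machine's hostname,
--    so dropping only ''@'localhost' can leave a second one behind.
SELECT User, Host, Password FROM mysql.user WHERE User = '';

-- 3. Remove them with DROP USER. Unlike DELETE FROM mysql.user, DROP USER also
--    removes the matching rows in mysql.db, mysql.tables_priv and
--    mysql.columns_priv and invalidates the privilege cache, so no FLUSH
--    PRIVILEGES is needed.
DROP USER ''@'localhost';
-- For each additional Host value returned by step 2 (assumed placeholder):
-- DROP USER ''@'myhostname';

-- 4. Verify that nothing anonymous is left.
SELECT User, Host FROM mysql.user WHERE User = '';
```

After step 3, `mysql -u test -h localhost` is rejected with an "Access denied for user 'test'@'localhost' (using password: NO)" error instead of silently succeeding. This is the same cleanup that `mysql_secure_installation` offers under "Remove anonymous users?", which is worth running on any fresh install before it is exposed to other users or hosts.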
