Rails-以root身份连接到MySQL
[英]Rails - Connecting to MySQL as root
问题描述
I am currently using MySQL for my Rails application. 
我目前在MySQL for Rails应用程序中使用MySQL。 In my database.yml, I have the following: 在我的database.yml中,我具有以下内容:
production:
adapter: mysql2
database: application_name_production
username: root
password: password
host: localhost
I'm wondering, is it ok to connect to the database as user root? 我想知道,是否可以以root用户身份连接到数据库? Will it be any less secure than using another user other than root? 它会比使用root以外的其他用户安全吗?
3 个解决方案
解决方案1
3 已采纳 2012-08-10 11:59:20
This is stored in plaintext, so yes, it's a very bad thing to do. 这是以明文形式存储的,所以是的,这是一件非常不好的事情。 If someone ever gets access to your webserver, het can read the password. 如果有人访问了您的网络服务器,则可以读取密码。 And hey, it's probably the same password for the user root to access the whole system :) 嘿,root用户访问整个系统的密码可能相同:)
Create a database user that can only work with the application specific database. 创建一个只能与特定于应用程序的数据库一起使用的数据库用户。 Then only that data can be stolen/edited/destroyed if someone steals your database.yml. 如果有人窃取了您的database.yml,则只有该数据才能被盗/编辑/销毁。 Do not use a password that has been used elsewhere. 不要使用在其他地方使用过的密码。
As you can expect, a hacker will immediatly search for database.yml files using an automated script when he breaks into your system. 如您所料,黑客入侵您的系统后,会立即使用自动脚本立即搜索database.yml文件。 So within one second of entering your system, he can access all your data. 因此,在进入您的系统后一秒钟之内,他就可以访问您的所有数据。
解决方案2
2 2012-08-10 12:11:16
Having separate user with set of required permissions only for a database (and any system) provides additional step against hackers 仅对数据库(和任何系统)具有单独的用户并具有一组必需的权限,这提供了针对黑客的附加步骤
So why not spend 5 minutes to create a separate user to save hours on recovering from possible hacker attacks? 那么,为什么不花5分钟创建一个单独的用户来节省数小时的时间来从可能的黑客攻击中恢复呢?
解决方案3
1 2012-08-10 12:23:27
Giving out root password (for the system, databases, ...) is something that is very bad. 给出root密码(对于系统,数据库等)是很不好的。 It is like giving every tom, dick and harry a set of your front door keys. 这就像给每个tom,dick和harry一套前门钥匙一样。
So just spend a little time creating users with the appropriate permissions. 因此,只需花一点时间来创建具有适当权限的用户。 This will achieve the added advantage of protecting the integrity of your system, the database, the tables and the operations that can be performed. 这将获得保护系统,数据库,表和可以执行的操作的完整性的附加优势。
In my opinion I just use stored procedures for the web sites access and only grant execution from stored procedures. 在我看来,我只使用存储过程来访问网站,并且只授予执行存储过程的权限。 This ensures that nothing nasty can creep in and maintain performance as the cards are kept close to the databases chest. 这样可以确保在卡靠近数据库存储箱的情况下,不会有任何令人讨厌的东西进入并保持性能。 After all the database for a web site is one on the biggest asserts. 毕竟,一个网站的数据库是最大的断言之一。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.