更新时间:2022-10-26 GMT+08:00

空用户的危害

MySQL中是允许用户名为 '' 的用户存在,本章节介绍数据库中存在这种空用户时的危害。

MySQL中使用空用户时,它将可以匹配任何用户名。这一特性也会带来多种安全性、功能性危害。所以,在实际使用过程中应避免使用空用户。

  • 安全性危害
    • 当存在空用户时,连接时可以使用任意用户名进行登录。
    • 如果空用户有密码,则使用任意用户名和空用户的密码即可登录数据库,并获得空用户所拥有的所有权限。示例:
      #没有空用户时,使用非法用户名‘abcd’,连接失败 
      mysql> select user,host from mysql.user; 
      +------------------+-----------+
      | user             | host      | 
      +------------------+-----------+
      | root             | %         | 
      | mysql.infoschema | localhost | 
      | mysql.session    | localhost | 
      | mysql.sys        | localhost | 
      +------------------+-----------+
      mysql -uabcd -h127.0.0.1 -P3306 -pTest_1234 
      mysql: [Warning] Using a password on the command line interface can be insecure. 
      ERROR 1045 (28000): Access denied for user 'abcd'@'localhost' (using password: YES) 
      
      # 创建空用户后,使用非法用户名‘abcd’,密码用空用户的密码,连接成功  
      mysql> create user ''@'localhost' IDENTIFIED BY 'Test_1234'; 
      mysql> select user,host from mysql.user; 
      +------------------+-----------+
      | user             | host      | 
      +------------------+-----------+
      | root             | %         | 
      |                  | localhost | 
      | mysql.infoschema | localhost | 
      | mysql.session    | localhost | 
      | mysql.sys        | localhost | 
      +------------------+-----------+ 
      mysql -uabcd -h127.0.0.1 -P3306 -pTest_1234 
      mysql: [Warning] Using a password on the command line interface can be insecure. 
      Welcome to the MySQL monitor.  Commands end with ; or \g. 
      Your MySQL connection id is 37Server version: 8.0.22-debug Source distribution 
      Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. 
      Oracle is a registered trademark of Oracle Corporation and/or its affiliates. 
      Other names may be trademarks of their respective owners. 
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
      mysql> 
    • 如果空用户没有密码,则使用任意用户名即可免密登录数据库,并获得空用户所拥有的所有权限。示例:
      #存在无密码的空用户时,可以使用任意用户免密登录数据库。  
      mysql> create user ''@'localhost'; 
      Query OK, 0 rows affected (8.87 sec) 
      mysql> select user,host from mysql.user; 
      +------------------+-----------+
      | user             | host      | 
      +------------------+-----------+
      | root             | %         | 
      |                  | localhost | 
      | mysql.infoschema | localhost | 
      | mysql.session    | localhost | 
      | mysql.sys        | localhost | 
      +------------------+-----------+
      mysql -uabcd -h127.0.0.1 -P3306 
      Welcome to the MySQL monitor.  Commands end with ; or \g. 
      Your MySQL connection id is 39Server version: 8.0.22-debug Source distribution 
      Copyright (c) 2000, 2020, Oracle and/or its affiliates. 
      All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. 
      Other names may be trademarks of their respective owners. 
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. 
      mysql>  
      #-----------------
      mysql -usdhsjkdshk -h127.0.0.1 -P3306 
      Welcome to the MySQL monitor.  Commands end with ; or \g. 
      Your MySQL connection id is 40Server version: 8.0.22-debug Source distribution 
      Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. 
      Oracle is a registered trademark of Oracle Corporation and/or its affiliates. 
      Other names may be trademarks of their respective owners. 
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. 
      mysql> 
  • 功能性危害

    当存在空用户时,可能因为匹配出错,导致正常的用户名无法登录。

    示例:存在空用户与root用户的host有重叠时,导致root用户无法使用密码登录,或者使用空用户的密码登录后无法进入root的权限。

    mysql> create user ''@'localhost'; 
    Query OK, 0 rows affected (8.87 sec)  
    mysql> select user,host from mysql.user; 
    +------------------+-----------+
    | user             | host      | 
    +------------------+-----------+
    | root             | %         | 
    |                  | localhost | 
    | mysql.infoschema | localhost | 
    | mysql.session    | localhost | 
    | mysql.sys        | localhost | 
    +------------------+-----------+
    # 用root的密码无法登录 
    mysql -uroot -h127.0.0.1 -P3306 -pTest_root 
    mysql: [Warning] Using a password on the command line interface can be insecure. 
    ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)  
    # 用空用户的密码(免密)登录后实际是空用户登录,没有root权限。 
    mysql -uroot -h127.0.0.1 -P3306  
    Welcome to the MySQL monitor.  Commands end with ; or \g. 
    Your MySQL connection id is 45Server version: 8.0.22-debug Source distribution 
    Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. 
    Oracle is a registered trademark of Oracle Corporation and/or its affiliates. 
    Other names may be trademarks of their respective owners. 
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. 
    mysql> select user,host from mysql.user; 
    ERROR 1142 (42000): SELECT command denied to user ''@'localhost' for table 'user'
    mysql>