MySQL Database High-Risk Privilege Revocation Reference

1. Basic commands

1) View the databases on the current server

# mysql -uroot -p
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| erp                |
+--------------------+
3 rows in set (0.00 sec)

2) Switch to a database

mysql> use erp;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed

2. Preparation for revoking privileges

1) List every account in the current environment (a host of % means the account may connect from any machine; 127.0.0.1 and localhost mean it may connect only from the local machine)

mysql> SELECT DISTINCT CONCAT('User: ''',user,'''@''',host,''';') AS query FROM mysql.user;
+-----------------------------------------+
| query                                   |
+-----------------------------------------+
| User: 'root'@'%';                       |
| User: 'root'@'127.0.0.1';               |
| User: 'root'@'::1';                     |
| User: ''@'localhost';                   |
| User: 'root'@'localhost';               |
| User: 'erp'@'%';                        |
+-----------------------------------------+
5 rows in set (0.00 sec)

2) Check which privileges a business account holds, using the user erp as an example

mysql> show grants for 'erp'@'%';
+------------------------------------------------------------------+
| Grants for erp@%                                                 |
+------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'erp'@'%' IDENTIFIED BY PASSWORD '*******' |
| GRANT ALL PRIVILEGES ON `ump`.* TO 'ump'@'%'                     |
+------------------------------------------------------------------+
2 rows in set (0.00 sec)

3. Revoking high-risk privileges

1) Revoke all privileges, or revoke a single privilege such as DROP

mysql> revoke all privileges on erp.* from 'erp'@'%';
mysql> revoke drop on erp.* from 'erp'@'%';
mysql> flush privileges;

Notes:
(1) Some notable server-level (global) privileges and what they allow:

super: the holder may terminate any query, change global variables with SET, and run CHANGE MASTER and PURGE MASTER LOGS
shutdown: shut down the database server
show databases: list all databases
replication client: query the status of master and slave servers
replication slave: lets the account act as a replication slave and read this server's binary log
reload: required to run FLUSH [TABLES | LOGS | PRIVILEGES]
process: required to run SHOW PROCESSLIST and KILL
file: required to run SELECT ... INTO OUTFILE and LOAD DATA INFILE ...

(2) Ordinary (database-level) privileges and what they allow:

all: permits every operation (the USAGE privilege cannot be revoked)
usage: permits login only
alter: alter tables in the database
alter routine: alter or drop stored procedures
create: create new databases or tables
create routine: create stored procedures
create temporary tables: create temporary tables
create view: create views
delete: delete table rows
drop: drop databases or tables
event: create, alter, drop and view events
execute: execute stored routines
grant option: grant the privileges the account itself holds to other accounts
index: create or drop indexes
insert: insert table rows
lock tables: lock tables
references: use a column of another table as a foreign key constraint
select: read table rows
show view: view view definitions
trigger: create triggers
update: update table rows

2) Re-grant only the privileges that are actually needed

mysql> grant select,insert,alter,update,delete,create,execute on erp.* to 'erp'@'%' ;
mysql> flush privileges;

3) Confirm the resulting privileges

mysql> show grants for 'erp'@'%';

4. Notes

1) FILE, PROCESS and SUPER are dangerous privileges; never grant them to any account other than an administrator's. They are global privileges, so they are revoked ON *.* (a database-level form such as ON erp.* is rejected by the server):

mysql> revoke file,process,super on *.* from 'erp'@'%';

2) Inspect the server-level privileges of one user, or of all users, and confirm that no ordinary account has been granted any of the three dangerous privileges above

mysql> select * from mysql.user where user='erp'\G
*************************** 1. row ***************************
                  Host: %
                  User: erp
              Password: *33F471D4D8A84CD6C0
           Select_priv: N
           Insert_priv: N
           Update_priv: N
           Delete_priv: N
           Create_priv: N
             Drop_priv: N
           Reload_priv: N
         Shutdown_priv: N
          Process_priv: N
             File_priv: N
            Grant_priv: N
       References_priv: N
            Index_priv: N
            Alter_priv: N
          Show_db_priv: N
            Super_priv: N
 Create_tmp_table_priv: N
      Lock_tables_priv: N
          Execute_priv: N
       Repl_slave_priv: N
      Repl_client_priv: N
      Create_view_priv: N
        Show_view_priv: N
   Create_routine_priv: N
    Alter_routine_priv: N
      Create_user_priv: N
            Event_priv: N
          Trigger_priv: N
Create_tablespace_priv: N
              ssl_type: 
            ssl_cipher: 
           x509_issuer: 
          x509_subject: 
         max_questions: 0
           max_updates: 0
       max_connections: 0
  max_user_connections: 0
                plugin: mysql_native_password
 authentication_string: 
      password_expired: N
1 row in set (0.00 sec)
mysql> select * from mysql.user \G
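As an added audit example (not part of the original post), the following queries find every account that still holds one of the three dangerous global privileges above and generate the matching REVOKE statements. The administrator accounts excluded here (root from localhost, 127.0.0.1 and ::1) are an assumption taken from the user list earlier on this page.

```sql
-- Added example, not from the original post. Column names are those of
-- mysql.user in MySQL 5.x, the version whose output this page shows.

-- 1. Which non-administrator accounts hold a dangerous global privilege?
--    The exclusion list is an assumption based on the accounts shown
--    earlier on this page; adjust it to your own administrator accounts.
--    Grant_priv is shown as well because GRANT OPTION lets an account
--    pass its privileges on to others.
SELECT user, host, File_priv, Process_priv, Super_priv, Grant_priv
FROM mysql.user
WHERE (File_priv = 'Y' OR Process_priv = 'Y' OR Super_priv = 'Y')
  AND NOT (user = 'root' AND host IN ('localhost', '127.0.0.1', '::1'));

-- 2. Generate one REVOKE per offending account. FILE, PROCESS and SUPER
--    are global privileges, so they must be revoked ON *.*; CONCAT_WS
--    skips the NULLs, so each statement names only the privileges the
--    account actually holds.
SELECT CONCAT('REVOKE ',
              CONCAT_WS(', ',
                        IF(File_priv    = 'Y', 'FILE',    NULL),
                        IF(Process_priv = 'Y', 'PROCESS', NULL),
                        IF(Super_priv   = 'Y', 'SUPER',   NULL)),
              ' ON *.* FROM ''', user, '''@''', host, ''';') AS revoke_stmt
FROM mysql.user
WHERE (File_priv = 'Y' OR Process_priv = 'Y' OR Super_priv = 'Y')
  AND NOT (user = 'root' AND host IN ('localhost', '127.0.0.1', '::1'));

-- 3. Review the generated statements, execute them, reload the grant
--    tables, then re-run query 1: it should return no rows.
FLUSH PRIVILEGES;
```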

3) Granting privileges on a single table; the privilege information is stored in the mysql.tables_priv table

mysql> grant select on dbname.tablename to 'username'@'%' with grant option;
mysql> select * from mysql.tables_priv;
+------+--------+----------+------------+----------------+---------------------+--------------+-------------+
| Host | Db     | User     | Table_name | Grantor        | Timestamp           | Table_priv   | Column_priv |
+------+--------+----------+------------+----------------+---------------------+--------------+-------------+
| %    | dbname | username | tablename  | root@localhost | 0000-00-00 00:00:00 | Select,Grant |             |
+------+--------+----------+------------+----------------+---------------------+--------------+-------------+

4) Granting privileges on a single column; the privilege information is stored in the mysql.columns_priv table

mysql> grant select(Column_name) on dbname.tablename to 'username'@'%' with grant option;
mysql> select * from mysql.columns_priv;
+------+--------+----------+------------+-------------+---------------------+-------------+
| Host | Db     | User     | Table_name | Column_name | Timestamp           | Column_priv |
+------+--------+----------+------------+-------------+---------------------+-------------+
| %    | dbname | username | tablename  | Column_name | 0000-00-00 00:00:00 | Select      |
+------+--------+----------+------------+-------------+---------------------+-------------+

5) When privileges are revoked with the following statement, only the global privileges are removed; the other privileges held by username, such as its privileges on the dbname database, on the tablename table, or on a particular Column_name column, remain in place.

mysql> revoke all privileges on *.* from 'username'@'localhost';

Therefore, to revoke all of a user's privileges at every level, use the following statement instead

mysql> revoke all privileges,grant option from 'username'@'%';
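As an added verification example (not from the original post), this query lists what an account still holds at each privilege level using the information_schema privilege views, so the effect of the two REVOKE forms above can be compared directly; 'username'@'%' is the page's placeholder account, and the query assumes it is run by an administrator.

```sql
-- Added example, not from the original post. Run as an administrator.
-- GRANTEE in information_schema stores the account as the quoted string
-- 'username'@'%', so build it once in a session variable.
SET @grantee = '''username''@''%''';

SELECT 'GLOBAL'   AS level, '*' AS db, '*' AS tbl, '*' AS col,
       PRIVILEGE_TYPE, IS_GRANTABLE
  FROM information_schema.USER_PRIVILEGES   WHERE GRANTEE = @grantee
UNION ALL
SELECT 'DATABASE', TABLE_SCHEMA, '*', '*', PRIVILEGE_TYPE, IS_GRANTABLE
  FROM information_schema.SCHEMA_PRIVILEGES WHERE GRANTEE = @grantee
UNION ALL
SELECT 'TABLE',    TABLE_SCHEMA, TABLE_NAME, '*', PRIVILEGE_TYPE, IS_GRANTABLE
  FROM information_schema.TABLE_PRIVILEGES  WHERE GRANTEE = @grantee
UNION ALL
SELECT 'COLUMN',   TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME, PRIVILEGE_TYPE, IS_GRANTABLE
  FROM information_schema.COLUMN_PRIVILEGES WHERE GRANTEE = @grantee
ORDER BY level, db, tbl, col, PRIVILEGE_TYPE;

-- After REVOKE ALL PRIVILEGES ON *.* FROM ... only the GLOBAL rows change
-- (a single USAGE row remains, since USAGE cannot be revoked); the
-- DATABASE, TABLE and COLUMN rows are still listed.
-- After REVOKE ALL PRIVILEGES, GRANT OPTION FROM ... every level is empty
-- except that one GLOBAL USAGE row; the account itself still exists and
-- can log in until it is dropped with DROP USER.
```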

5. End
