How to use MySQL without a password (and the security risks)


They say the best password is the one you don't have to remember. In MySQL this is possible thanks to the auth_socket plugin and its MariaDB counterpart, unix_socket.

Neither plugin is new; a lot has been written about them on this blog, for example in the post on how to change the password in MySQL 5.7 using the auth_socket plugin. However, while looking at what is new in MariaDB 10.4 I found that unix_socket is now installed by default and is one of the authentication methods ("one of", because in MariaDB 10.4 a single user can have more than one authentication plugin, as explained in the "Authentication" documentation for MariaDB 10.4).

As I said, this is not new: when MySQL is installed from the .deb packages maintained by the Debian team, a root user is created that authenticates via the socket. This is true for both MySQL and MariaDB.

root@app:~# apt-cache show mysql-server-5.7 | grep -i maintainers
Original-Maintainer: Debian MySQL Maintainers <[email protected]>

With the Debian packages for MySQL, the root user is authenticated like this:

root@app:~# whoami
root
root@app:~# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.27-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select user, host, plugin, authentication_string from mysql.user where user = 'root';
+------+-----------+-------------+-----------------------+
| user | host      | plugin      | authentication_string |
+------+-----------+-------------+-----------------------+
| root | localhost | auth_socket |                       |
+------+-----------+-------------+-----------------------+
1 row in set (0.01 sec)

The same goes for the .deb package for MariaDB:

10.0.38-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04

MariaDB [(none)]> show grants;
+------------------------------------------------------------------------------------------------+
| Grants for root@localhost                                                                      |
+------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED VIA unix_socket WITH GRANT OPTION |
| GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION                                  |
+------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

The .deb packages from Percona's official repository also set up socket authentication for the root user of Percona Server. Here is an example with Percona Server for MySQL 8.0.16-7 on Ubuntu 16.04:

root@app:~# whoami
root
root@app:~# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 8.0.16-7 Percona Server (GPL), Release '7', Revision '613e312'

Copyright (c) 2009-2019 Percona LLC and/or its affiliates
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select user, host, plugin, authentication_string from mysql.user where user ='root';
+------+-----------+-------------+-----------------------+
| user | host      | plugin      | authentication_string |
+------+-----------+-------------+-----------------------+
| root | localhost | auth_socket |                       |
+------+-----------+-------------+-----------------------+
1 row in set (0.00 sec)

So what is the magic? The plugin checks that the Linux user matches the MySQL user: it uses the SO_PEERCRED socket option to obtain the credentials of the process running the client program. SO_PEERCRED returns the uid (along with the pid and gid) of the process on the other end of the Unix socket; the plugin then looks up the user name for that uid and compares it with the MySQL account name being requested. Because the check depends on SO_PEERCRED, the plugin only works on systems that support it, such as Linux, and only for connections that come in over the Unix socket, not over TCP.

Here is an example with the "vagrant" user:

vagrant@mysql1:~$ whoami
vagrant
vagrant@mysql1:~$ mysql
ERROR 1698 (28000): Access denied for user 'vagrant'@'localhost'

Since there is no "vagrant" user in MySQL, access is denied. Let's create such a user and try again:

MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'vagrant'@'localhost' IDENTIFIED VIA unix_socket;
Query OK, 0 rows affected (0.00 sec)

vagrant@mysql1:~$ mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 45
Server version: 10.0.38-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show grants;
+---------------------------------------------------------------------------------+
| Grants for vagrant@localhost                                                    |
+---------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'vagrant'@'localhost' IDENTIFIED VIA unix_socket |
+---------------------------------------------------------------------------------+
1 row in set (0.00 sec)

It worked!

OK, but what about non-Debian distributions, where this is not set up for you? Let's try Percona Server for MySQL 8 installed on CentOS 7:

mysql> show variables like '%version%comment';
+-----------------+---------------------------------------------------+
| Variable_name   | Value                                             |
+-----------------+---------------------------------------------------+
| version_comment | Percona Server (GPL), Release 7, Revision 613e312 |
+-----------------+---------------------------------------------------+
1 row in set (0.01 sec)

mysql> CREATE USER 'percona'@'localhost' IDENTIFIED WITH auth_socket;
ERROR 1524 (HY000): Plugin 'auth_socket' is not loaded

Bummer. What's missing? The plugin is not loaded:

mysql> pager grep socket
PAGER set to 'grep socket'
mysql> show plugins;
47 rows in set (0.00 sec)

Let's load the plugin at runtime (INSTALL PLUGIN also records it in the mysql.plugin table, so it is loaded again after a restart):

mysql> nopager
PAGER set to stdout
mysql> INSTALL PLUGIN auth_socket SONAME 'auth_socket.so';
Query OK, 0 rows affected (0.00 sec)

mysql> pager grep socket; show plugins;
PAGER set to 'grep socket'
| auth_socket                     | ACTIVE | AUTHENTICATION | auth_socket.so | GPL     |
48 rows in set (0.00 sec)

Now we have everything we need. Let's try again:

mysql> CREATE USER 'percona'@'localhost' IDENTIFIED WITH auth_socket;
Query OK, 0 rows affected (0.01 sec)
mysql> GRANT ALL PRIVILEGES ON *.* TO 'percona'@'localhost';
Query OK, 0 rows affected (0.01 sec)

You can now log in as the "percona" OS user:

[percona@ip-192-168-1-111 ~]$ whoami
percona
[percona@ip-192-168-1-111 ~]$ mysql -upercona
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 19
Server version: 8.0.16-7 Percona Server (GPL), Release 7, Revision 613e312

Copyright (c) 2009-2019 Percona LLC and/or its affiliates
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select user, host, plugin, authentication_string from mysql.user where user ='percona';
+---------+-----------+-------------+-----------------------+
| user    | host      | plugin      | authentication_string |
+---------+-----------+-------------+-----------------------+
| percona | localhost | auth_socket |                       |
+---------+-----------+-------------+-----------------------+
1 row in set (0.00 sec)

And it worked again!

Question: is it possible to log in with the same "percona" MySQL account, but as a different OS user?

[percona@ip-192-168-1-111 ~]$ logout
[root@ip-192-168-1-111 ~]# mysql -upercona
ERROR 1698 (28000): Access denied for user 'percona'@'localhost'

No, it doesn't work: the plugin decides on the uid the kernel reports for the client process, not on the name passed with -u, so root is refused even though the account exists. The flip side is that anyone who can run a process as the "percona" OS user (via sudo, or by compromising a service that runs as that user) gets the account's database privileges without needing a password.
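To make the mechanism concrete (the server asks the kernel for the peer's credentials with SO_PEERCRED and compares the resulting OS user name with the requested account), here is an added Python model of that check. It is not code from the original post or from MySQL/MariaDB; the throwaway Unix-socket server, its socket path and the account names are assumptions made for the demonstration. It reproduces both outcomes shown above: the connection is accepted when the OS user and the requested account agree, and refused when the requested name is not the one the kernel reports, which is why root could not log in as 'percona'.

```python
import os
import pwd
import socket
import struct
import tempfile
import threading

# struct ucred on Linux: pid_t pid; uid_t uid; gid_t gid; (three native ints)
_UCRED_FMT = "3i"


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process on the other end of a Unix socket.
    SO_PEERCRED is Linux-specific, which is why auth_socket/unix_socket only
    work there, and only for socket (not TCP) connections."""
    data = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                           struct.calcsize(_UCRED_FMT))
    return struct.unpack(_UCRED_FMT, data)


def authenticate(conn, claimed_user):
    """Model of what the plugin does: accept only if the OS account that owns
    the peer process has the same name as the account being requested."""
    _pid, uid, _gid = peer_credentials(conn)
    try:
        os_user = pwd.getpwuid(uid).pw_name
    except KeyError:          # uid without a passwd entry: nothing to compare
        return False
    return os_user == claimed_user


def current_os_user():
    """Name of the OS account this process runs as, or None if the uid has no
    passwd entry (e.g. an arbitrary uid inside a container)."""
    try:
        return pwd.getpwuid(os.getuid()).pw_name
    except KeyError:
        return None


def run_check(claimed_user):
    """Spin up a throwaway Unix-socket server (hypothetical path under a temp
    dir), connect to it from this same process as if we were the mysql client,
    and return the server's verdict for claimed_user."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "auth.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    verdict = {}

    def server():
        conn, _ = srv.accept()
        with conn:
            verdict["ok"] = authenticate(conn, claimed_user)

    t = threading.Thread(target=server)
    t.start()
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    cli.connect(path)         # the "-u<name>" is claimed_user; the uid is not
    t.join()
    cli.close()
    srv.close()
    os.unlink(path)
    os.rmdir(tmpdir)
    return verdict["ok"]


if __name__ == "__main__":
    me = current_os_user()
    print(me, run_check(me))                 # True: kernel uid matches the name
    print("vagrant", run_check("vagrant"))   # False unless you really are vagrant
```

Run it as an ordinary user: it prints True for your own account name and False for any other name. The decision is taken from the uid the kernel attaches to the connection, so supplying a different name on the client side (the equivalent of `mysql -upercona` from root's shell) cannot help, and no password is ever exchanged.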

Conclusion

MySQL is very flexible in many respects, and one of them is the authentication method. As this post shows, access can be granted without a password, based on the OS user. This is useful in some scenarios; one of them is migrating from RDS/Aurora, where IAM Database Authentication was used, to a regular MySQL: you keep passwordless access, now tied to the OS account instead. The trade-off is that the database trusts the operating system completely, so whoever controls that OS account, or root on the host, controls the database account as well.

Source: www.habr.com
