How to Use MySQL Without a Password (and the Security Risks)


They say the best password is the one you don't have to remember. In MySQL this is possible thanks to the auth_socket plugin and its MariaDB counterpart, unix_socket.

Neither plugin is new; a lot has been written about them on this blog, for example in the article on how to change passwords in MySQL 5.7 using the auth_socket plugin. However, while looking into what is new in MariaDB 10.4, I found that unix_socket is now installed by default and is one of the authentication methods ("one of" because in MariaDB 10.4 more than one plugin can be used for authenticating a single user, as described in the "Authentication" documentation for MariaDB 10.4).

As I said, this is not news: when you install MySQL from the .deb packages maintained by the Debian team, the root user is created with socket authentication. This holds for both MySQL and MariaDB.

root@app:~# apt-cache show mysql-server-5.7 | grep -i maintainers
Original-Maintainer: Debian MySQL Maintainers <[email protected]>

With the Debian packages for MySQL, the root user is authenticated as follows:

root@app:~# whoami
root
root@app:~# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.27-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select user, host, plugin, authentication_string from mysql.user where user = 'root';
+------+-----------+-------------+-----------------------+
| user | host      | plugin      | authentication_string |
+------+-----------+-------------+-----------------------+
| root | localhost | auth_socket |                       |
+------+-----------+-------------+-----------------------+
1 row in set (0.01 sec)

The same goes for the MariaDB .deb package:

10.0.38-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04

MariaDB [(none)]> show grants;
+------------------------------------------------------------------------------------------------+
| Grants for root@localhost                                                                      |
+------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED VIA unix_socket WITH GRANT OPTION |
| GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION                                  |
+------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

The .deb packages from the official Percona repository also configure the root user with auth_socket authentication, for Percona Server as well. Here is an example with Percona Server for MySQL 8.0.16-7 on Ubuntu 16.04:

root@app:~# whoami
root
root@app:~# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 8.0.16-7 Percona Server (GPL), Release '7', Revision '613e312'

Copyright (c) 2009-2019 Percona LLC and/or its affiliates
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select user, host, plugin, authentication_string from mysql.user where user ='root';
+------+-----------+-------------+-----------------------+
| user | host      | plugin      | authentication_string |
+------+-----------+-------------+-----------------------+
| root | localhost | auth_socket |                       |
+------+-----------+-------------+-----------------------+
1 row in set (0.00 sec)

So what is the magic? The plugin checks that the Linux user matches the MySQL user by using the SO_PEERCRED socket option to obtain information about the user running the client program. The plugin can therefore only be used on systems that support SO_PEERCRED, such as Linux. SO_PEERCRED lets the server learn the uid of the process at the other end of the Unix socket; the plugin then looks up the login name that belongs to that uid and compares it with the MySQL user name.
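To make that mechanism concrete, here is an added example in C (written for this page; it is not code from the original post or from the auth_socket/unix_socket plugins). One end of an AF_UNIX socket asks the kernel for the peer's credentials with SO_PEERCRED, resolves the uid to a login name with getpwuid_r(), and accepts only when that name equals the account the client claimed. The function names, the use of socketpair() in place of a real client connection, and the "percona" account name in the demo are the example's own choices; like the plugin, it runs on Linux only.

```c
/* Added example (not from the original post): an auth_socket-style check.
 * The "server" side holds one end of an AF_UNIX socket, asks the kernel who is
 * on the other end (SO_PEERCRED), maps that uid to a login name and compares it
 * with the MySQL account name the client claimed. Linux only. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Same layout as the Linux kernel's struct ucred (pid, uid, gid), declared
 * locally so the example does not depend on feature-test macros. */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };

/* uid of the process on the other end of fd, or (uid_t)-1 if fd is not an
 * AF_UNIX socket (getsockopt fails with ENOTSOCK/ENOPROTOOPT). */
uid_t peer_uid(int fd) {
    struct peer_cred cred;
    socklen_t len = sizeof cred;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0)
        return (uid_t)-1;
    return cred.uid;
}

/* Resolve a uid to its login name. 0 on success, -1 if no passwd entry. */
int uid_to_name(uid_t uid, char *buf, size_t n) {
    struct passwd pw, *res = NULL;
    char tmp[4096];
    if (getpwuid_r(uid, &pw, tmp, sizeof tmp, &res) != 0 || res == NULL)
        return -1;
    snprintf(buf, n, "%s", pw.pw_name);
    return 0;
}

/* The plugin's decision: 1 = accept, 0 = reject. The claimed account name
 * (what the client passed after "mysql -u") must equal the OS login name
 * owning the peer process. Anything that cannot be verified is rejected. */
int auth_socket_check(int fd, const char *claimed_user) {
    char name[256];
    uid_t uid = peer_uid(fd);
    if (uid == (uid_t)-1) return 0;                         /* not a Unix socket */
    if (uid_to_name(uid, name, sizeof name) != 0) return 0; /* uid without a passwd entry */
    return strcmp(name, claimed_user) == 0;
}

/* Login name of the current process, for the stand-alone demo. */
int self_user_name(char *buf, size_t n) { return uid_to_name(getuid(), buf, n); }

int main(void) {
    int sv[2];
    char me[256];
    /* socketpair() stands in for a client connecting to mysql.sock. */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 1;
    if (self_user_name(me, sizeof me) != 0) return 1;
    printf("peer uid %u, login name %s\n", (unsigned)peer_uid(sv[0]), me);
    printf("mysql -u%s -> %s\n", me, auth_socket_check(sv[1], me) ? "accepted" : "rejected");
    printf("mysql -upercona -> %s\n", auth_socket_check(sv[1], "percona") ? "accepted" : "rejected");
    close(sv[0]);
    close(sv[1]);
    return 0;
}
```

Run as a non-root user named anything but "percona" and the second line reproduces the ERROR 1698 case later in this post: the claimed account exists in the example's logic, but the kernel-reported owner of the connection is someone else. Note that the check is per connection, not per password: whoever can run a process as the matching OS user is accepted.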

Here is an example with the "vagrant" user:

vagrant@mysql1:~$ whoami
vagrant
vagrant@mysql1:~$ mysql
ERROR 1698 (28000): Access denied for user 'vagrant'@'localhost'

Since there is no "vagrant" user in MySQL, access is denied. Let's create that user and try again:

MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'vagrant'@'localhost' IDENTIFIED VIA unix_socket;
Query OK, 0 rows affected (0.00 sec)

vagrant@mysql1:~$ mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 45
Server version: 10.0.38-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show grants;
+---------------------------------------------------------------------------------+
| Grants for vagrant@localhost                                                    |
+---------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'vagrant'@'localhost' IDENTIFIED VIA unix_socket |
+---------------------------------------------------------------------------------+
1 row in set (0.00 sec)

It worked!

What about non-Debian distributions, where this is not set up by default? Let's try Percona Server for MySQL 8 installed on CentOS 7:

mysql> show variables like '%version%comment';
+-----------------+---------------------------------------------------+
| Variable_name   | Value                                             |
+-----------------+---------------------------------------------------+
| version_comment | Percona Server (GPL), Release 7, Revision 613e312 |
+-----------------+---------------------------------------------------+
1 row in set (0.01 sec)

mysql> CREATE USER 'percona'@'localhost' IDENTIFIED WITH auth_socket;
ERROR 1524 (HY000): Plugin 'auth_socket' is not loaded

Bummer. What is missing? The plugin is not loaded:

mysql> pager grep socket
PAGER set to 'grep socket'
mysql> show plugins;
47 rows in set (0.00 sec)

Let's load the plugin into the running server:

mysql> nopager
PAGER set to stdout
mysql> INSTALL PLUGIN auth_socket SONAME 'auth_socket.so';
Query OK, 0 rows affected (0.00 sec)

mysql> pager grep socket; show plugins;
PAGER set to 'grep socket'
| auth_socket                     | ACTIVE | AUTHENTICATION | auth_socket.so | GPL     |
48 rows in set (0.00 sec)

Now we have everything we need. Let's try again:

mysql> CREATE USER 'percona'@'localhost' IDENTIFIED WITH auth_socket;
Query OK, 0 rows affected (0.01 sec)
mysql> GRANT ALL PRIVILEGES ON *.* TO 'percona'@'localhost';
Query OK, 0 rows affected (0.01 sec)

Now you can log in as the "percona" user.

[percona@ip-192-168-1-111 ~]$ whoami
percona
[percona@ip-192-168-1-111 ~]$ mysql -upercona
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 19
Server version: 8.0.16-7 Percona Server (GPL), Release 7, Revision 613e312

Copyright (c) 2009-2019 Percona LLC and/or its affiliates
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select user, host, plugin, authentication_string from mysql.user where user ='percona';
+---------+-----------+-------------+-----------------------+
| user    | host      | plugin      | authentication_string |
+---------+-----------+-------------+-----------------------+
| percona | localhost | auth_socket |                       |
+---------+-----------+-------------+-----------------------+
1 row in set (0.00 sec)

And it worked again!

Question: is it possible to log in with the same percona account, but as a different OS user?

[percona@ip-192-168-1-111 ~]$ logout
[root@ip-192-168-1-111 ~]# mysql -upercona
ERROR 1698 (28000): Access denied for user 'percona'@'localhost'

No, it does not work.

Conclusion

MySQL is flexible in several areas, and one of them is the authentication method. As this post shows, access can be granted without a password, based on the OS user. This can be useful in certain situations, one of them being a migration from RDS/Aurora to regular MySQL using IAM Database Authentication, so that you keep access but still have no password. The flip side follows from the mechanism: the database account is exactly as well protected as the OS account it is tied to. Any process able to run as that user (a sudo -u invocation, a cron job, an application running under that account) gets the account's grants without a password, and the check only works over the Unix socket, so keep the grants of socket-authenticated users to what they actually need.

Source: mapenzi.com
