数据库中File权限的危害
The FILE privilege gives you permission to read and write files on the server host using the LOAD DATA INFILE and SELECT ... INTO OUTFILE statements and the LOAD_FILE() function. A user who has the FILE privilege can read any file on the server host that is either world-readable or readable by the MySQL server. (This implies the user can read any file in any database directory, because the server can access any of those files.) The FILE privilege also enables the user to create new files in any directory where the MySQL server has write access. As a security measure, the server will not overwrite existing files.
FILE权限可访问文件系统中的文件,file权限授予不当可能造成安全隐患.
一个具有FILE权限的用户执行以下语句就可查看服务器上全体可读的文件:
mysql> CREATE TABLE etc_passwd(pwd_entry TEXT);
mysql> LOAD DATA INFILE '/etc/passwd' INTO TABLE etc_passwd;
mysql> SELECT * FROM etc_passwd;
passwd这个文件本身对所有用户是可读的.
但是如果MySQL服务器数据目录上的访问权限设置得不好,就会留下让具有FILE权限的用户进入别人数据库的安全漏洞。所以建议把数据目录设置成只能由MySQL服务器读取。
下面演示一个利用具有FILE权限的用户读取数据目录中文件权限设置不严密的数据库数据的过程:
mysql> use test;
mysql> create table temp(b longblob);
mysql> show databases #显示数据库名清单,--skip-show-database可禁止该功能
mysql> load data infile './db/xxx.frm' into table temp fields escaped by '' lines terminated by '';
mysql> select * from temp into outfile 'xxx.frm' fields escaped by '' lines terminated by '';
mysql> delete from temp;
mysql> load data infile './db/xxx.MYD' into table temp fields escaped by '' lines terminated by '';
mysql> select * from temp into outfile 'xxx.MYD' fields escaped by '' lines terminated by '';
mysql> delete from temp;
mysql> load data infile './db/xxx.MYI' into table temp fields escaped by '' lines terminated by '';
mysql> select * from temp into outfile 'xxx.MYI' fields escaped by '' lines terminated by '';
mysql> delete from temp;
这样,你的数据库就给人拷贝到本地了.如果是myisam的表,那么只需要3个文件: frm myd myi,随便找一台mysql服务器就可以把表打开了.里面的数据暴露无疑.
更危险的是,如果你用root启动mysql,那么整个操作系统上的文件对具有file权限的mysql用户来说都不是秘密.所以file权限是非常危险的,能不用尽量别用它.
