[MySQL] 存储过程、函数、触发器和视图的权限检查_MySQL
bitsCN.com
[MySQL] 存储过程、函数、触发器和视图的权限检查
当存储过程、函数、触发器和视图创建后,不单单创建者要执行,其它用户也可能需要执行,换句话说,执行者有可能不是创建者本身,那么在执行存储过程时,MySQL是如何做权限检查的?
在默认情况下,MySQL将检查创建者的权限。假设用户A创建了存储过程p()访问表T,并把execute的权限赋给了B,即使用户B没有访问表T的权限,也能够通过执行存储过程p()访问表T。
下面看一个例子:
首先,我们创建一个表test.t和两个用户a,b,并把权限赋予用户a
[sql] root@(none) 05:39:45>create table portal.t as select * from mysql.user; Query OK, 25 rows affected (0.16 sec) Records: 25 Duplicates: 0 Warnings: 0 root@(none) 05:39:55>create user a identified by 'a'; Query OK, 0 rows affected (0.02 sec) root@(none) 05:40:51>create user b identified by 'b'; Query OK, 0 rows affected (0.00 sec) root@(none) 05:40:59>grant all privileges on portal.* to a; Query OK, 0 rows affected (0.01 sec)
接着,以用户a创建存储过程p():
[sql] DELIMITER $$ USE portal$$ CREATE PROCEDURE `p`() BEGIN SELECT COUNT(*) FROM portal.t; END$$ DELIMITER ;
并把执行该存储过程的权限赋给用户b:
[sql] root@(none) 05:54:28>grant execute on procedure portal.p to b; Query OK, 0 rows affected (0.00 sec)
这时候,已用户b连接后通过执行存储过程可以获得t表的访问权限:
[sql] b@(none) 05:58:20>call portal.p(); +----------+ | COUNT(*) | +----------+ | 25 | +----------+ 1 row in set (0.00 sec) Query OK, 0 rows affected (0.00 sec)
但如果直接访问将出现权限错误:
[sql] b@(none) 05:58:40>select count(*) from portal.t; ERROR 1142 (42000): SELECT command denied to user 'b'@'192.168.1.15' for table 't'
MySQL这样的设置有一定的道理,但同时也带来了安全隐患:比如如果一个用户通过创建一个存储过程来访问敏感数据,则可以调用该存储过程的所有用户都能访问敏感数据。
如果你不想使用MySQL的默认设置,可以在定义存储程序和视图时在create语句里使用definer = account字句指定定义者,这样在执行存储程序和视图时,将检查definer的权限,而不是创建者的权限。
举个例子,当你用root 创建一个存储过程时,在默认情况下,在执行该存储过程时,执行者将获得root的权限,但当你加上definer = A后,执行者只能获得A的权限。
但是definer还是没能完全解决上面提到的安全隐患,别急,MySQL还提供了SQL SECURITY选项来控制权限,它有两个取值:
1)DEFINER:以定义者的权限执行(默认)
2)INVOKER:以调用者的权限执行
如果你不想在存储程序或试图在执行时的权限多于调用者,就设置SQL SECURITY INVOKER即可。
例如,下面的试图将访问mysql.user,并设置了SQL SECURITY INVOKER选项,这样如果调用者没有访问mysql.user的权限,则无法通过权限检查。
[sql] create sql security invoker view v as select * from mysql.user;
注意:因为触发器和事件是由系统调用的,没有调用者的概念,所以它们没有SQL SECURITY选项。
bitsCN.com
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1666
14
1426
52
1328
25
1273
29
1255
24
How to use Xiaohongshu account to find users? Can I find my mobile phone number?
Mar 22, 2024 am 08:40 AM
With the rapid development of social media, Xiaohongshu has become one of the most popular social platforms. Users can create a Xiaohongshu account to show their personal identity and communicate and interact with other users. If you need to find a user’s Xiaohongshu number, you can follow these simple steps. 1. How to use Xiaohongshu account to find users? 1. Open the Xiaohongshu APP, click the "Discover" button in the lower right corner, and then select the "Notes" option. 2. In the note list, find the note posted by the user you want to find. Click to enter the note details page. 3. On the note details page, click the "Follow" button below the user's avatar to enter the user's personal homepage. 4. In the upper right corner of the user's personal homepage, click the three-dot button and select "Personal Information"
Local users and groups are missing on Windows 11: How to add it
Sep 22, 2023 am 08:41 AM
The Local Users and Groups utility is built into Computer Management and can be accessed from the console or independently. However, some users find that local users and groups are missing in Windows 11. For some people who have access to it, the message suggests that this snap-in may not work with this version of Windows 10. To manage user accounts for this computer, use the User Accounts tool in Control Panel. The issue has been reported in previous iterations of Windows 10 and is usually caused by issues or oversights on the user's side. Why are local users and groups missing in Windows 11? You are running Windows Home edition, local users and groups are available on Professional edition and above. Activity
Log in to Ubuntu as superuser
Mar 20, 2024 am 10:55 AM
In Ubuntu systems, the root user is usually disabled. To activate the root user, you can use the passwd command to set a password and then use the su- command to log in as root. The root user is a user with unrestricted system administrative rights. He has permissions to access and modify files, user management, software installation and removal, and system configuration changes. There are obvious differences between the root user and ordinary users. The root user has the highest authority and broader control rights in the system. The root user can execute important system commands and edit system files, which ordinary users cannot do. In this guide, I'll explore the Ubuntu root user, how to log in as root, and how it differs from a normal user. Notice
Explore Windows 11 guide: How to access user folders on your old hard drive
Sep 27, 2023 am 10:17 AM
Certain folders are not always accessible due to permissions, and in today’s guide we will show you how to access user folders on your old hard drive on Windows 11. The process is simple but can take a while, sometimes even hours, depending on the size of the drive, so be extra patient and follow the instructions in this guide closely. Why can't I access my user folders on my old hard drive? User folders are owned by another computer, so you cannot modify them. You don't have any permissions on the folder other than ownership. How to open user files on old hard drive? 1. Take ownership of the folder and change permissions Find the old user directory, right-click on it and select Properties. Navigate to "An
Tutorial: How to delete a normal user account in Ubuntu system?
Jan 02, 2024 pm 12:34 PM
Many users have been added to the Ubuntu system. I want to delete the users that are no longer in use. How to delete them? Let’s take a look at the detailed tutorial below. 1. Open the terminal command line and use the userdel command to delete the specified user. Be sure to add the sudo permission command, as shown in the figure below. 2. When deleting, be sure to be in the administrator directory. Ordinary users do not have this permission. , as shown in the figure below 3. After the delete command is executed, how to judge whether it has been truly deleted? Next we use the cat command to open the passwd file, as shown in the figure below 4. We see that the deleted user information is no longer in the passwd file, which proves that the user has been deleted, as shown in the figure below 5. Then we enter the home file
Windows 11 KB5031455 fails to install, causing other issues for some users
Nov 01, 2023 am 08:17 AM
Microsoft began rolling out KB2 to the public as an optional update for Windows 503145511H22 or later. This is the first update to enable Windows 11 Moment 4 features by default, including Windows Copilot in supported areas, preview support for items in the Start menu, ungrouping of the taskbar, and more. Additionally, it fixes several Windows 11 bugs, including potential performance issues that caused memory leaks. But ironically, the optional update for September 2023 will be a disaster for users trying to install the update, or even for those who have already installed it. Many users will not install this Wi
What is sudo and why is it important?
Feb 21, 2024 pm 07:01 PM
sudo (superuser execution) is a key command in Linux and Unix systems that allows ordinary users to run specific commands with root privileges. The function of sudo is mainly reflected in the following aspects: Providing permission control: sudo achieves strict control over system resources and sensitive operations by authorizing users to temporarily obtain superuser permissions. Ordinary users can only obtain temporary privileges through sudo when needed, and do not need to log in as superuser all the time. Improved security: By using sudo, you can avoid using the root account during routine operations. Using the root account for all operations may lead to unexpected system damage, as any mistaken or careless operation will have full permissions. and
Oracle Database: Can one user have multiple tablespaces?
Mar 03, 2024 am 09:24 AM
Oracle database is a commonly used relational database management system, and many users will encounter problems with the use of table spaces. In Oracle database, a user can have multiple table spaces, which can better manage data storage and organization. This article will explore how a user can have multiple table spaces in an Oracle database and provide specific code examples. In Oracle database, table space is a logical structure used to store objects such as tables, indexes, and views. Every database has at least one tablespace,
