首页 > 其他分享 >使用show effective grants查看权限

使用show effective grants查看权限

时间:2023-07-26 09:44:52浏览次数:49  
标签:effective show grantee GreatSQL grants sec user 权限 localhost

1、问题描述

用户 show grants 显示只有连接权限,但该用户却能执行 sbtest.*下的所有操作

GreatSQL> \s
...
Server version:  8.0.32-24 GreatSQL, Release 24, Revision 3714067bc8c
...
GreatSQL> show grants;
+---------------------------------------+
| Grants for user1@172.%                |
+---------------------------------------+
| GRANT USAGE ON *.* TO `user1`@`172.%` |
+---------------------------------------+
1 row in set (0.00 sec)

GreatSQL> select * from sbtest.sbtest1 limit 1;
+----+-----+-------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------+
| id | k   | c                                                                                                                       | pad                                                         |
+----+-----+-------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------+
|  1 | 250 | 50739423477-59896895752-91121550334-25071371310-03454727381-25307272676-12883025003-48844794346-97662793974-67443907837 | 10824941535-62754685647-36430831520-45812593797-70371571680 |
+----+-----+-------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------+
1 row in set (0.00 sec)

2、官方文档

MySQL 官方手册,有这样一段话

https://dev.mysql.com/doc/refman/8.0/en/show-grants.html
SHOW GRANTS does not display privileges that are available to the named account but are granted to a different account. For example, if an anonymous account exists, the named account might be able to use its privileges, but SHOW GRANTS does not display them.

Percona Server 官方手册,有类似一段话

https://docs.percona.com/percona-server/8.0/management/extended_show_grants.html
In Oracle MySQL SHOW GRANTS displays only the privileges granted explicitly to the named account. Other privileges might be available to the account, but they are not displayed. For example, if an anonymous account exists, the named account might be able to use its privileges, but SHOW GRANTS will not display them. Percona Server for MySQL offers the SHOW EFFECTIVE GRANTS command to display all the effectively available privileges to the account, including those granted to a different account.

概括如下:

  • 用户 A 的 user 与用户 B 的 user 相同,或者用户 A 是匿名用户
  • 用户 B 的 host 范围是用户 A 的 host 范围的子集

满足上述两个条件,此时用户 B 拥有显式授予给用户 A 的权限,但 SHOW GRANTS 不会显示这部分权限。在 Percona Server 可以通过 SHOW EFFECTIVE GRANTS 查看。

3、测试验证

3.1、同 user 用户

1)、创建用户并授权

# 创建用户
GreatSQL> CREATE USER grantee@localhost IDENTIFIED BY 'grantee1';
Query OK, 0 rows affected (0.05 sec)

GreatSQL> CREATE USER grantee@'%' IDENTIFIED BY 'grantee2';
Query OK, 0 rows affected (0.01 sec)

# 创建数据库
GreatSQL> CREATE DATABASE IF NOT EXISTS sbtest;
Query OK, 1 row affected, 1 warning (0.00 sec)

GreatSQL> CREATE DATABASE IF NOT EXISTS sbtest1;
Query OK, 1 row affected (0.05 sec)

# 授权
GreatSQL> GRANT ALL PRIVILEGES ON sbtest.* TO grantee@'%';
Query OK, 0 rows affected (0.02 sec)

2)、查看权限

GreatSQL> show grants for grantee@localhost;
+---------------------------------------------+
| Grants for grantee@localhost                |
+---------------------------------------------+
| GRANT USAGE ON *.* TO `grantee`@`localhost` |
+---------------------------------------------+
1 row in set (0.01 sec)

权限列表没有显示 grantee@localhost 对 sbtest 库的权限,但实际 grantee@localhost 已经拥有 sbtest 库下所有操作权限

3)、grantee@localhost 登录,执行操作

GreatSQL> show grants;
+---------------------------------------------+
| Grants for grantee@localhost                |
+---------------------------------------------+
| GRANT USAGE ON *.* TO `grantee`@`localhost` |
+---------------------------------------------+
1 row in set (0.00 sec)

GreatSQL> create table sbtest.t1(id int primary key);
Query OK, 0 rows affected (0.04 sec)

GreatSQL> insert into sbtest.t1 select 1;
Query OK, 1 row affected (0.01 sec)
Records: 1  Duplicates: 0  Warnings: 0

4)、使用 SHOW EFFECTIVE GRANTS 查看权限

GreatSQL> show effective grants;
+-------------------------------------------------------------+
| Effective grants for grantee@localhost                      |
+-------------------------------------------------------------+
| GRANT USAGE ON *.* TO `grantee`@`localhost`                 |
| GRANT ALL PRIVILEGES ON `sbtest`.* TO `grantee`@`localhost` |
+-------------------------------------------------------------+
2 rows in set (0.01 sec)

SHOW EFFECTIVE GRANTS****显示出拥有的同 user 用户权限

3.2、匿名用户

匿名用户请参考:https://dev.mysql.com/doc/refman/8.0/en/connection-access.html

1)、创建匿名用户并授权

# 未指定host,默认为%
GreatSQL> CREATE USER '';
Query OK, 0 rows affected (0.04 sec)

GreatSQL> GRANT ALL ON sbtest1.* TO '';
Query OK, 0 rows affected (0.02 sec)

2)、查看权限

GreatSQL> show grants for grantee@localhost;
+---------------------------------------------+
| Grants for grantee@localhost                |
+---------------------------------------------+
| GRANT USAGE ON *.* TO `grantee`@`localhost` |
+---------------------------------------------+
1 row in set (0.01 sec)

权限列表没有显示 grantee@localhost 对 sbtest1 库的权限,但实际 grantee@localhost 已经拥有 sbtest1 库下所有操作权限

3)、grantee@localhost 登录,执行操作

GreatSQL> select user(), current_user();
+-------------------+-------------------+
| user()            | current_user()    |
+-------------------+-------------------+
| grantee@localhost | grantee@localhost |
+-------------------+-------------------+
1 row in set (0.00 sec)

GreatSQL> show grants;
+---------------------------------------------+
| Grants for grantee@localhost                |
+---------------------------------------------+
| GRANT USAGE ON *.* TO `grantee`@`localhost` |
+---------------------------------------------+
1 row in set (0.00 sec)

GreatSQL> create table sbtest1.t2(id int primary key);
Query OK, 0 rows affected (0.03 sec)

GreatSQL> insert into sbtest1.t2 select 2;
Query OK, 1 row affected (0.01 sec)
Records: 1  Duplicates: 0  Warnings: 0

4)、使用 SHOW EFFECTIVE GRANTS 查看权限

GreatSQL> show effective grants;
+-------------------------------------------------------------+
| Effective grants for grantee@localhost                      |
+-------------------------------------------------------------+
| GRANT USAGE ON *.* TO `grantee`@`localhost`                 |
| GRANT ALL PRIVILEGES ON `sbtest`.* TO `grantee`@`localhost` |
+-------------------------------------------------------------+
2 rows in set (0.01 sec)

注意:****SHOW EFFECTIVE GRANTS没有显示出拥有的匿名用户权限,sbtest.*是拥有的同 user 用户权限

4、建议

1)、使用 SHOW EFFECTIVE GRANTS 代替 SHOW GRANTS(GreatDB、GreatSQL、Percona Server)

GreatSQL> show effective grants for user1@`172.%`;
+-------------------------------------------------------+
| Effective grants for user1@172.%                      |
+-------------------------------------------------------+
| GRANT USAGE ON *.* TO `user1`@`172.%`                 |
| GRANT ALL PRIVILEGES ON `sbtest`.* TO `user1`@`172.%` |
+-------------------------------------------------------+
2 rows in set (0.00 sec)

2)、账号加固

  • 匿名用户,禁止匿名用户登录
GreatSQL> select user, host from mysql.user where user='';
+------+------+
| user | host |
+------+------+
|      | %    |
+------+------+
1 row in set (0.02 sec)
  • 同 user 不同 host
GreatSQL> select u.user, u.host, p.user priv_user, p.host priv_host from (
    -> select user, host from mysql.db
    -> union
    -> select user, host from mysql.tables_priv
    -> union
    -> select user, host from mysql.columns_priv) p
    -> left join mysql.user u on p.user=u.user 
    -> where p.host<>u.host;
+---------+-----------+-----------+-----------+
| user    | host      | priv_user | priv_host |
+---------+-----------+-----------+-----------+
| user1   | 172.%     | user1     | %         |
| grantee | localhost | grantee   | %         |
+---------+-----------+-----------+-----------+
2 rows in set (0.01 sec)

到各权限表查看对应user信息,核实权限'错乱'的原因

GreatSQL> select * from mysql.user where user='user1'\G
*************************** 1. row ***************************
                    Host: 172.%
                    User: user1
             Select_priv: N
             ...
1 row in set (0.05 sec)

GreatSQL> select * from mysql.db where user='user1'\G
*************************** 1. row ***************************
                 Host: %
                   Db: sbtest
                 User: user1
          Select_priv: Y
          ...
1 row in set (0.01 sec)

user 表只有 user1@'172.%',db 表只有 user1@'%',对应算两个用户。

可能是手动更新过权限表:例如创建用户xx@'%',授权db.*所有权限,后来更新mysql.user表中的记录为xx@'172.%'限制登录来源。

根据精确匹配原则,user1可以从172.%主机连接数据库,全局权限为N(mysql.user),db权限匹配上user1@'%',拥有sbtest库的所有操作权限。


Enjoy GreatSQL

标签:effective,show,grantee,GreatSQL,grants,sec,user,权限,localhost
From: https://www.cnblogs.com/greatsql/p/17581628.html

相关文章

  • CTFshow—武穆遗书
    武穆遗书将exe文件放入exeinfo查看该执行文件被加了upx壳使用upx命令成功脱壳先初步运行该执行文件,发现需要用户输入,随意输入之后发现显示失败,因此判断该题的类型为当用户输入满足一定条件时会显示flag或者此时用户的输入就是flag使用ida打开该执行文件进行初步的静态分析,......
  • showmount
    showmount显示NFS服务器加载的信息补充说明showmount命令查询“mountd”守护进程,以显示NFS服务器加载的信息。语法showmount(选项)(参数)选项-d:仅显示已被NFS客户端加载的目录;-e:显示NFS服务器上所有的共享目录。参数NFS服务器:指定NFS服务器的ip地址或者主机名。......
  • Matplotlib库中,plt.figure()、plt.imshow()、plt.axis()和plt.show()、gca、savefig、
    在Matplotlib库中,plt.figure()、plt.imshow()、plt.axis()和plt.show()是用于绘制和显示图像的常用方法。下面是对每个方法的含义的解释:plt.figure():plt.figure()用于创建一个新的图形对象(Figure),它是绘图的最顶层容器。可以使用该对象进行图形的设置和操作,例如设置图形的大小......
  • cpuset.cpus.effective: no such file or directory (修改 docker cgroup 版本的方法)
    要切换使用v1版cgroup,需要做如下配置: vim/etc/default/grub   GRUB_CMDLINE_LINUX="systemd.unified_cgroup_hierarchy=0" update-grubreboot  完美解决 ......
  • pip show 显示模块插件包安装路径、信息
    显示某个模块(包、插件)安装路径、版本信息pipshowFlask或pip3showFlask效果:参考:https://www.zhihu.com/question/603263580?utm_id=0......
  • UE5 Set Show Mouse Cursor进入游戏显示鼠标
    前言默认情况下进入游戏不点击情况下,鼠标是默认不显示的。为了显示鼠标,可以调用SetShowMouseCursor节点操作默认情况下如果勾选ContextSensitive(情景关联),是无法搜索到相关函数,必须去掉勾选,如下......
  • ctfshow 菜狗杯--You and me
    1、下载题目附件    进行解压 解压后发现两张图片,两张一样的图片,但是命名不同,我们可以想到这是一道盲水印题目。 2、解题步骤这道题目需要用到python分离盲水印的脚本,推荐大家去GitHub上去下载源码源码地址:https://github.com/chishaxie/BlindWaterMark#blindwa......
  • git show 显示 commit 提交说明信息
    一、只显示某个commit的内容示例:1.有多次提交记录。2.只显示8dd428这个commit的loggitshow8dd4283.加上--name-only参数,只显示文件名,不显示对比差异信息gitshow--name-only8dd4284.加上--data设置日期显示方式。--date更详细用法-->git--d......
  • Effective Diversity in Population-Based Reinforcement Learning
    发表时间:2020(NeurIPS2020)文章要点:这篇文章提出了DiversityviaDeterminants(DvD)算法来提升种群里的多样性。之前的方法通常都考虑的两两之间的距离,然后设计一些指标或者加权来增加种群多样性,这种方式容易出现cycling,也就是类似石头剪刀布的循环克制的关系,造成训练不上去,......
  • 《Effective C++ 改善程序与设计的55个具体做法》读书笔记
    1.让自己习惯C++条款01视C++为一个语言联邦CObject-OrientedC++TemplateC++STLC++高效编程守则视情况而变化,取决于你使用C++的哪一部分。条款02尽量与const,enum,inline替换#define对于单纯常量,最好以const对象或enums替换#defines。对于形似函数的宏(macros),最好改......