[問題] phpMyAdmin 登入安全性問題

文章由 **owenliu** » 2005-02-01 10:52

phpMyAdmin 登入安全性問題，
新架了一個 Appserv 2.4.1 的論壇，看了小竹子大大phpMyAdmin的教學文章
已經將登入方式由 config 改成http
用我自己建的帳號login也已經 ok

我已經將root , 任何(%)的權限都拿掉了，但是在登入畫面時，只輸入root
密碼都不敲，還是進的去phpMyAdmin，這樣改了那麼多東西，不就白費了。

安全性方面還是開了一個大洞。

請問各位大大，這個問題要怎麼解決，還是我的設定有哪邊沒做好的嗎

先謝過各位大大，看我這個菜鳥問的笨問題.....

文章由 **小竹子** » 2005-02-01 10:53

建立新的管理者確定沒問題，就把 root 那個帳戶移除掉。

文章由 **owenliu** » 2005-02-01 18:51

感謝小竹子大大提供解法.....

另外，提供一些我的心得...
在移除root 及 '@'%' 的時候，請大家使用刪除使用者及重新讀取權限

不然，你的安全性還是會有問題。我之前選擇只從權限資料庫刪除使用者.

結果發現登入時只敲root ( no password) 還是可以登入phpMyAdmin,
因此提供一下完整的SQL Statement, 讓大家參考一下，不用像我用重新安裝的笨方法

代碼: 選擇全部

SQL 語法: 
# 刪除 ''@'%' ...
[color=blue]DELETE FROM `user` WHERE `User` = '' AND `Host` = '%';

DELETE FROM `db` WHERE `User` = '' AND `Host` = '%';

DELETE FROM `tables_priv` WHERE `User` = '' AND `Host` = '%';

DELETE FROM `columns_priv` WHERE `User` = '' AND `Host` = '%';[/color]

# 刪除 ''@'localhost' ...
[color=blue]DELETE FROM `user` WHERE `User` = '' AND `Host` = 'localhost';
\n
DELETE FROM `db` WHERE `User` = '' AND `Host` = 'localhost';

DELETE FROM `tables_priv` WHERE `User` = '' AND `Host` = 'localhost';

DELETE FROM `columns_priv` WHERE `User` = '' AND `Host` = 'localhost';[/color]

# 刪除 'root'@'%' ...
[color=blue]DELETE FROM `user` WHERE `User` = 'root' AND `Host` = '%';

DELETE FROM `db` WHERE `User` = 'root' AND `Host` = '%';

DELETE FROM `tables_priv` WHERE `User` = 'root' AND `Host` = '%';

DELETE FROM `columns_priv` WHERE `User` = 'root' AND `Host` = '%';[/color]

# 刪除 'root'@'localhost' ...
[color=blue]DELETE FROM `user` WHERE `User` = 'root' AND `Host` = 'localhost';

DELETE FROM `db` WHERE `User` = 'root' AND `Host` = 'localhost';

DELETE FROM `tables_priv` WHERE `User` = 'root' AND `Host` = 'localhost';

DELETE FROM `columns_priv` WHERE `User` = 'root' AND `Host` = 'localhost';[/color]\r

# 重新讀取權限 ...
[color=blue]FLUSH PRIVILEGES ;[/color]

文章由 **Jone** » 2005-04-15 23:23

owenliu 寫:感謝小竹子大大提供解法.....

另外，提供一些我的心得...
在移除root 及 '@'%' 的時候，請大家使用刪除使用者及重新讀取權限

不然，你的安全性還是會有問題。我之前選擇只從權限資料庫刪除使用者.

結果發現登入時只敲root ( no password) 還是可以登入phpMyAdmin,
因此提供一下完整的SQL Statement, 讓大家參考一下，不用像我用重新安裝的笨方法

代碼: 選擇全部

SQL 語法: 
# 刪除 ''@'%' ...
[color=blue]DELETE FROM `user` WHERE `User` = '' AND `Host` = '%';

DELETE FROM `db` WHERE `User` = '' AND `Host` = '%';

DELETE FROM `tables_priv` WHERE `User` = '' AND `Host` = '%';

DELETE FROM `columns_priv` WHERE `User` = '' AND `Host` = '%';[/color]

# 刪除 ''@'localhost' ...
[color=blue]DELETE FROM `user` WHERE `User` = '' AND `Host` = 'localhost';

DELETE FROM `db` WHERE `User` = '' AND `Host` = 'localhost';

DELETE FROM `tables_priv` WHERE `User` = '' AND `Host` = 'localhost';

DELETE FROM `columns_priv` WHERE `User` = '' AND `Host` = 'localhost';[/color]

# 刪除 'root'@'%' ...
[color=blue]DELETE FROM `user` WHERE `User` = 'root' AND `Host` = '%';

DELETE FROM `db` WHERE `User` = 'root' AND `Host` = '%';

DELETE FROM `tables_priv` WHERE `User` = 'root' AND `Host` = '%';

DELETE FROM `columns_priv` WHERE `User` = 'root' AND `Host` = '%';[/color]

# 刪除 'root'@'localhost' ...
[color=blue]DELETE FROM `user` WHERE `User` = 'root' AND `Host` = 'localhost';

DELETE FROM `db` WHERE `User` = 'root' AND `Host` = 'localhost';

DELETE FROM `tables_priv` WHERE `User` = 'root' AND `Host` = 'localhost';

DELETE FROM `columns_priv` WHERE `User` = 'root' AND `Host` = 'localhost';[/color]

# 重新讀取權限 ...
[color=blue]FLUSH PRIVILEGES ;[/color]

為什麼我登入沒有問題常常登出打一樣的密碼都不對 = =?

這是什麼原因呢?