Chapter 10. Security

Keeping MySQL secure is critical to maintaining the integrity and privacy of your data. Just as you have to protect Unix or Windows login accounts, you need to ensure that MySQL accounts have good passwords and only the privileges they need. Because MySQL is often used on a network, you also need to consider the security of the host that runs MySQL, who has access to it, and what someone could learn by sniffing traffic on your network.

In this chapter we’ll look at how MySQL’s permissions work and how you can keep control of who has access to the data. We’ll also consider some of the basic operating system and network security measures you can employ to keep the bad guys out of your databases. Finally, we’ll discuss encryption and running MySQL in a highly restricted environment.

Account Basics

Consider first the example of a typical Unix login. You have a username and a password, along with, possibly, some other information such as the login owner’s full name, telephone number, or other information. There is no distinction between the user dredd coming from foo.example.com and dredd coming from bar.example.com. To Unix, they are one and the same.

Each account in MySQL is composed of a username, password, and location (usually hostname, IP address, or wildcard). As we’ll see, having a location associated with the username adds a bit of complexity to an otherwise simple system. The user joe who logs in from joe.example.com may or may not be the same as the joe ...

Get High Performance MySQL now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.