The following mysqld options affect security:
Table 5.5 Security Option/Variable Summary

| Name | Cmd-Line | Option File | System Var | Status Var | Var Scope | Dynamic |
|---|---|---|---|---|---|---|
| - Variable: safe_show_database | | | Yes | | Global | Yes |
| - Variable: secure_auth | | | Yes | | Global | Yes |
| - Variable: skip_name_resolve | | | | | | |
| - Variable: skip_networking | | | Yes | | Global | No |
| - Variable: skip_show_database | | | Yes | | Global | No |

This option controls whether user-defined functions that have only an xxx symbol for the main function can be loaded. By default, the option is turned off and only UDFs that have at least one auxiliary symbol can be loaded; this prevents attempts at loading functions from shared object files other than those containing legitimate UDFs. This option was added in MySQL 4.0.24 and 4.1.10a. See Section 220.127.116.11, “User-Defined Function Security Precautions”.
If you start the server with
LOAD DATA statements. See
Section 5.4.5, “Security Issues with LOAD DATA LOCAL”.
Force the server to generate short (pre-4.1) password hashes for new passwords. This is useful for compatibility when the server must support older client programs. See Section 18.104.22.168, “Password Hashing in MySQL”.
If this option is enabled, a user cannot create new MySQL users by using the GRANT statement unless the user has the INSERT privilege for the mysql.user table. If you want a user to have the ability to create new users that have those privileges that the user has the right to grant, you should grant the user the following privilege:
GRANT INSERT(user) ON mysql.user TO '
This ensures that the user cannot change any privilege columns directly, but has to use the GRANT statement to give privileges to other users.
Disallow authentication for accounts that have old (pre-4.1) passwords. This option is available as of MySQL 4.1.1.
This option causes the server not to use the privilege system at all. This gives anyone with access to the server unrestricted access to all databases. You can cause a running server to start using the grant tables again by executing a mysqladmin flush-privileges or mysqladmin reload command from a system shell, or by issuing a FLUSH PRIVILEGES statement. This option also suppresses loading of user-defined functions (UDFs).
Host names are not resolved. All
column values in the grant tables must be IP addresses or
Do not permit TCP/IP connections over the network. All connections to mysqld must be made using Unix socket files. This option is unsuitable when using a MySQL version prior to 3.23.27 with the MIT-pthreads package, because Unix socket files were not supported by MIT-pthreads at that time.
With this option, the SHOW DATABASES statement is permitted only to users who have the SHOW DATABASES privilege, and the statement displays all database names. Without this option, SHOW DATABASES is permitted to all users, but displays each database name only if the user has the SHOW DATABASES privilege or some privilege for the database. Note that any global privilege is a privilege for the database.
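
As an added example (not part of the MySQL manual), the following Python script audits the [mysqld] group of an option file against the settings described above. The policy itself, the sample file, the function names, and the treatment of an absent option as disabled are assumptions made for illustration; `skip_grant_tables` and `old_passwords` are the usual mysqld option names, which the text above describes without spelling out.

```python
import configparser

# Constructed sample option file (not from a real server).
SAMPLE_CNF = """[mysqld]
skip-grant-tables
old_passwords = 1
secure-auth = 0
skip-show-database
!includedir /etc/mysql/conf.d/
[client]
port = 3306
"""

# Illustrative policy: normalized option -> (required state, risk when violated).
# skip_grant_tables and old_passwords are the usual mysqld option names (assumed).
POLICY = {
    "skip_grant_tables": (False, "privilege system is not used at all"),
    "old_passwords": (False, "new passwords get short pre-4.1 hashes"),
    "secure_auth": (True, "accounts with pre-4.1 passwords can authenticate"),
    "skip_show_database": (True, "SHOW DATABASES is permitted to all users"),
}

def mysqld_options(text):
    """Return {option: enabled} for the [mysqld] group of an option file."""
    # configparser cannot parse !include directives, so drop them.
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("!")]
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.read_string("\n".join(lines))
    opts = {}
    if not cp.has_section("mysqld"):
        return opts
    for name, value in cp.items("mysqld"):
        key = name.lower().replace("-", "_")  # dashes and underscores are equivalent
        on = value is None or value.strip().lower() not in ("0", "off", "false")
        if key.startswith("skip_") and key[5:] in POLICY:
            key, on = key[5:], not on  # skip-secure-auth turns secure_auth off
        opts[key] = on
    return opts

def audit(text):
    """List (option, risk) for every policy entry the option file violates."""
    opts = mysqld_options(text)
    # An option absent from the file is treated as disabled (assumption).
    return [(name, risk) for name, (required, risk) in POLICY.items()
            if opts.get(name, False) != required]

if __name__ == "__main__":
    for name, risk in audit(SAMPLE_CNF):
        print(f"FINDING {name}: {risk}")
```

Files pulled in through `!include` directives and options passed on the mysqld command line are not inspected, so a clean result covers only the file that was read.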