mysqlaccess

开启mysql的远程连接的方法 mysql-noinstall-5.1.6-alpha-win32.zip

#!/usr/bin/perl
# ****************************
package MySQLaccess;
#use strict;
use File::Temp qw(tempfile tmpnam);
use Fcntl;

BEGIN {
	# ****************************
	# static information...
	$VERSION     = "2.06, 20 Dec 2000";
	$0           =~ m%/([^/]+)$%o;
	$script      = $1;
        $script      = 'MySQLAccess' unless $script;
	$script_conf = "$script.conf";
	$script_log  = $ENV{'HOME'}."/$script.log";

	# ****************************
	# information on MySQL
	$MYSQL     = '/usr/local/bin/mysql';    # path to mysql executable
	$SERVER    = '3.21';
	$MYSQL_OPT = ' --batch --unbuffered';
	$ACCESS_DB = 'mysql';		 # name of DB with grant-tables
	$ACCESS_H  = 'host';		 # 
	$ACCESS_U  = 'user';	         # 
	$ACCESS_D  = 'db';               #
	# Add/Edit privileges
	$ACCESS_H_TMP = 'host_tmp';      
	$ACCESS_U_TMP = 'user_tmp';      
	$ACCESS_D_TMP = 'db_tmp';        
	$ACCESS_H_BCK = 'host_backup';   
	$ACCESS_U_BCK = 'user_backup';   
	$ACCESS_D_BCK = 'db_backup';     
        $DIFF      = '/usr/bin/diff'; 
        $MYSQLDUMP = '/usr/local/bin/mysqldump';
                                         #path to mysqldump executable

        $MYSQLADMIN= 'http://foobar.com/MySQLadmin';
                                         #URL of CGI for manipulating
                                         #the temporary grant-tables
}

END {
	unlink $MYSQL_CNF if defined $MYSQL_CNF and not $DEBUG;
}

$INFO = <<"_INFO";
--------------------------------------------------------------------------
   mysqlaccess (Version $VERSION)
   ~~~~~~~~~~~
   Copyright (C) 1997,1998 Yves.Carlier\@rug.ac.be
                           University of Ghent (RUG), Belgium
                           Administratieve Informatieverwerking (AIV)

   report the access-privileges for a USER from a HOST to a DB

   Many thanks go to <monty\@mysql.com> and <psmith\@BayNetworks.COM>
   for their suggestions, debugging and patches. 

   use `$script -?' to get more information on available options.

   From version 2.0x, $script can also be used through a WEB-browser
   if it is ran as a CGI-script.  (See the release-notes)

--------------------------------------------------------------------------
_INFO

$OPTIONS = <<_OPTIONS;

Usage: $script [host [user [db]]] OPTIONS

  -?, --help           display this helpscreen and exit
  -v, --version        print information on the program `$script'

  -u, --user=#         username for logging in to the db
  -p, --password=#     validate password for user
  -h, --host=#         name or IP-number of the host
  -d, --db=#           name of the database

  -U, --superuser=#    connect as superuser
  -P, --spassword=#    password for superuser
  -H, --rhost=#        remote MySQL-server to connect to
      --old_server     connect to old MySQL-server (before v3.21) which 
                       does not yet know how to handle full where clauses.

  -b, --brief          single-line tabular report
  -t, --table          report in table-format

  --relnotes           print release-notes
  --plan               print suggestions/ideas for future releases
  --howto              some examples of how to run `$script'
  --debug=N            enter debuglevel N (0..3)

  --copy               reload temporary grant-tables from original ones
  --preview            show differences in privileges after making
                       changes in (temporary) grant-tables
  --commit             copy grant-rules from temporary tables to grant-tables
                       (!don't forget to do an mysqladmin reload)
  --rollback           undo the last changes to the grant-tables.

  Note:
    + At least the user and the db must be given (even with wildcards)
    + If no host is given, `localhost' is assumed
    + Wilcards (*,?,%,_) are allowed for host, user and db, but be sure 
      to escape them from your shell!! (ie type \\* or '*')
_OPTIONS

$RELEASE = <<'_RELEASE';
 
Release Notes:
-------------
  0.1-beta1: internal
  - first trial.
 
  0.1-beta2: (1997-02-27)
  - complete rewrite of the granting-rules, based on the documentation
    found in de FAQ.
  - IP-number and name for a host are equiv.
 
  0.1-beta3: (1997-03-10)
  - more information
  - 'localhost' and the name/ip of the local machine are now equiv.

  0.1-beta4: (1997-03-11)
  - inform the user if he has not enough priv. to read the mysql db

  1.0-beta1: (1997-03-12)
  suggestions by Monty:
  - connect as superuser with superpassword.
  - mysqlaccess could also notice if all tables are empty. This means
    that all user have full access!
  - It would be nice if one could optionally start mysqlaccess without
    any options just the arguments 'user db' or 'host user db', where
    host is 'localhost' if one uses only two arguments.

  1.0-beta2: (1997-03-14)
  - bugfix: translation to reg.expr of \_ and \%.
  - bugfix: error in matching regular expression and string given
            by user which resulted in
            'test_123' being matched with 'test'

  1.0-beta3: (1997-03-14)
  - bugfix: the user-field should not be treated as a sql-regexpr,
            but as a plain string.
  - bugfix: the host-table should not be used if the host isn't empty in db
                                          or  if the host isn't emty in user
            (Monty)
 
  1.0-beta4: (1997-03-14)
  - bugfix: in an expression "$i = $j or $k", the '=' binds tighter than the or
            which results in problems...
            (by Monty)
  - running mysqlaccess with "perl -w" gives less warnings...   ;-)

  1.0-beta5: (1997-04-04)
  - bugfix: The table sorting was only being applied to the "user" table; all
            the tables need to be sorted.  Rewrote the sort algorithm, and
            the table walk algorithm (no temp file anymore), and various
            other cleanups.  I believe the access calculation is 100% correct.
            (by Paul D. Smith <psmith\@baynetworks.com>)
  - Allow the debug level to be set on the cmd line with --debug=N.
            (by Paul D. Smith <psmith\@baynetworks.com>)
  - More -w cleanups; should be totally -w-clean.
            (by Paul D. Smith <psmith\@baynetworks.com>)
 
  1.1-beta1: (1997-04-xx) 
  1.1-beta2: (1997-04-11)
  - new options:
             --all_users : report access-rights for all possible users
             --all_dbs   : report access-rights for all possible dbs
             --all_hosts : report access-rights for all possible hosts
             --brief     : as brief as possible, don't mention notes,warnings and rules
             --password  : validate password for user 
  - layout: long messages are wrapped on the report.
  - functionality:
            more descriptive notes and warnings
            wildcards (*,?) are allowed in the user,host and db options
            setting xxxx=* is equiv to using option --all_xxxx
            note: make sure you escape your wildcards, so they don't get
                  interpreted by the shell.  use \* or '*'
  - bugfix: Fieldnames which should be skipped on the output can now have
            a first capital letter.
  - bugfix: any option with a '.' (eg ip-number) was interpreted as
            a wildcard-expression.
  - bugfix: When no entry was found in the db-table, the default accessrights are
            N, instead of the faulty Y in a previous version.
 
  1.1-beta-3  : (1997-04-xx)
  1.1-beta-4  : (1997-04-xx)
  1.1-beta-5  : (1997-04-xx)
  1.1         : (1997-04-28)
  - new options:
            --rhost     : name of mysql-server to connect to
            --plan      : print suggestions/ideas for future releases
            --relnotes  : display release-notes
            --howto     : display examples on how to use mysqlaccess
            --brief     : single-line tabular output
  - functionality/bugfix:
    *      removed options --all_users,--all_dbs,--all_hosts, which 
           were redundant with the wildcard-expressions for the corresponding
           options. They made the processing of the commandline too painful 
           and confusing ;-)
           (suggested by psmith)
    *      redefined the option --brief, which now gives a single-line 
           tabular output
    *      Now we check if the right version of the mysql-client is used,
           since we might use an option not yet implemented in an
           older version (--unbuffered, since 3.0.18)
           Also the error-messages the mysql-client reports are 
           better interpreted ;-)  
    *      Wildcards can now be given following the SQL-expression 
           (%,_) and the Regular-expression (*,?) syntax.
  - speed: we now open a bidirectional pipe to the mysql-client, and keep 
           it open throughout the whole run. Queries are written to,
           and the answers read from the pipe.
           (suggested by monty)
  - bugfixes:
    *      the Rules were not properly reset over iterations 
    *      when in different tables the field-names were not identical, 
           eg. Select_priv and select_priv, they were considered as 
           definitions of 2 different access-rights.
    *      the IP-number of a host with a name containing wildcards should
           not be searched for in Name2IP and IP2Name.
    *      various other small things, pointed out by <monty> and <psmith>

  1.2         : (1997-05-13)
  - bugfix:
    * Fixed bug in acl with anonymous user:  Now if one gets accepted by the
      user table as a empty user name, the user name is set to '' when 
      checking against the 'db' and 'host' tables. (Bug fixed in MySQL3.20.19)

  1.2-1       : (1997-xx-xx)
  - bugfix:
    * hashes should  be initialized with () instead of {} <psmith>
    * "my" variable $name masks earlier declaration in same scope,
      using perl 5.004 <????>

  1.2-2       : (1997-06-10)
    
  2.0p1-3     : (1997-10-xx)
  - new
    * packages
    * log-file for debug-output : /tmp/mysqlaccess.log
    * default values are read from a configuration file $script.conf
      first this file is looked for in the current directory; if not
      found it is looked for in /etc/
      Note that when default-values are given, these can't get overriden
      by empty (blanc) values!
    * CGI-BIN version with HTML and forms interface.  Simply place the
      script in an ScriptAliased directory, make the configuration file
      available in the that directory or in /etc, and point your browser
      to the right URL. 
    * copy the grant-rules to temporary tables, where you are safe to
      play with them.
    * preview changes in privileges after changing grant-rules,
      before taking them into production
    * copy the new grant-rules from the temporary tables back to the
      grant-tables.
    * Undo all changes made in the grant-tables (1-level undo).
  -new options:
    * --table   : as opposite of the --brief option.
    * --copy    : (re)load temporary grant-tables from original ones.
    * --preview : preview changes in privileges after changing
                  some or more entries in the grant-tables.
    * --commit  : copy grant-rules from temporary tables to grant-tables
                  (!don't forget to do an mysqladmin reload)
    * --rollback: undo the last changes to the grant-tables.

  - bugfix:
    * if the table db is empty, mysqlaccess freezed 
      (by X Zhu <X.Zhu@Bradford.ac.uk>)

  2.0         : (1997-10-09)
  - fixed some "-w" warnings.
  - complain when certain programs and paths can't be found.

  2.01        : (1997-12-12)
  - bugfix:
    * rules for db-table where not calculated and reported correctly.
  2.02        : (1998-01-xx)
  - bugfix:
    * Privileges of the user-table were not AND-ed properly with the
      other privileges. (reported by monty)
  - new option:
    * --old_server: mysqlaccess will now use a full where clause when
                    retrieving information from the MySQL-server.  If
                    you are connecting to an old server (before v3.21)
                    then use the option --old_server.
  2.03         : (1998-02-27)
  - bugfix:
    * in Host::MatchTemplate: incorrect match if host-field was left empty.

  2.04-alpha1  : (2000-02-11)
  Closes vulnerability due to former implementation requiring passwords
  to be passed on the command line.
  - functionality
    Option values for --password -p -spassword -P  may now be omitted from
    command line, in which case the values will be prompted for.
      (fix supplied by Steve Harvey <sgh@vex.net>)

   2.05: (2000-02-17)   Monty
   Moved the log file from /tmp to ~

   2.06:  Don't print '+++USING FULL WHERE CLAUSE+++'

_RELEASE

$TODO = <<_TODO;

 Plans:
 -----
  -a full where clause is use now.  How can we handle older servers?
  -add some more functionality for DNS.
  -select the warnings more carefuly.
  >>  I think that the warnings should either be enhanced to _really_
  >>  understand and report real problems accurately, or restricted to
  >>  only printing things that it knows with 100% certainty. <psmith)
  >>  Why do I have both '%' and 'any_other_host' in there?  Isn't that
  >>  the same thing?  I think it's because I have an actual host '%' in
  >>  one of my tables.  Probably the script should catch that and not
  >>  duplicate output. <psmith>

_TODO

# From the FAQ: the Grant-algorithm
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# The host table is mainly to maintain a list of "secure" servers.
# At TCX hosts contain a list of all machines on local network. These are granted
# all privileges.
# Technically the user grant is calculated by:
#
#    1.First sort all entries by host by putting host without wildcards first,
#      after this host with wildcards and entries with host = ".
#      Under each host sort user by the same criterias.
#    2.Get grant for user from the "db" table.
#    3.If hostname is "empty" for the found entry, AND the privileges with
#      the privileges for the host in "host" table.
#      (Remove all which is not "Y" in both)
#    4.OR (add) the privileges for the user from the "user" table.
#     (add all privileges which is "Y" in "user")
#
#    When matching, use the first found match.
#
# -----------------------------------------------------------------------------------

$HOWTO = <<_HOWTO;

Examples of how to call $script:
~~~~~~~~
1)Calling $script with 2 arguments:

  \$ $script root mysql
     ->report rights of user root logged on at the local host in db mysql

  Access-rights
  for USER 'root', from HOST 'localhost', to DB 'mysql'
          +-----------------+---+ +-----------------+---+
          | select_priv     | Y | | drop_priv       | Y |
          | insert_priv     | Y | | reload_priv     | Y |
          | update_priv     | Y | | shutdown_priv   | Y |
          | delete_priv     | Y | | process_priv    | Y |
          | create_priv     | Y | | file_priv       | Y |
          +-----------------+---+ +-----------------+---+
  BEWARE:  Everybody can access your DB as user 'root'
        :  WITHOUT supplying a password.  Be very careful about it!!

  The following rules are used:
   db    : 'No matching rule'
   host  : 'Not processed: host-field is not empty in db-table.'
   user  : 'localhost','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y'

2)Calling $script with 3 arguments:

  \$ $script foo.bar nobody Foo 
     ->report rights of user root logged in at machine foobar to db Foo