Mysql：--secure-auth、--secure-file-priv

• secure_auth

  Property	Value
  Command-Line Format	--secure-auth[={OFF|ON}]
  Deprecated	Yes
  System Variable	secure_auth
  Scope	Global
  Dynamic	Yes
  Type	Boolean
  Default Value	ON
  Valid Values	ON

  If this variable is enabled, the server blocks connections by clients that attempt to use accounts that have passwords stored in the old (pre-4.1) format. Enable this variable to prevent all use of passwords employing the old format (and hence insecure communication over the network).

  This variable is deprecated and will be removed in a future MySQL release. It is always enabled and attempting to disable it produces an error.

  Server startup fails with an error if this variable is enabled and the privilege tables are in pre-4.1 format. See Section 6.4.1.3, “Migrating Away from Pre-4.1 Password Hashing and the mysql_old_password Plugin”.

  Note

  Passwords that use the pre-4.1 hashing method are less secure than passwords that use the native password hashing method and should be avoided. Pre-4.1 passwords are deprecated and support for them is removed in MySQL 5.7.5. For account upgrade instructions, see Section 6.4.1.3, “Migrating Away from Pre-4.1 Password Hashing and the mysql_old_password Plugin”.

• secure_file_priv

  Property	Value
  Command-Line Format	--secure-file-priv=dir_name
  System Variable	secure_file_priv
  Scope	Global
  Dynamic	No
  Type	String
  Default Value	platform specific
  Valid Values	empty string dirname NULL

  This variable is used to limit the effect of data import and export operations, such as those performed by the LOAD DATA and SELECT ... INTO OUTFILE statements and the LOAD_FILE() function. These operations are permitted only to users who have the FILE privilege.

  secure_file_priv may be set as follows:

  • If empty, the variable has no effect. This is not a secure setting.

  • If set to the name of a directory, the server limits import and export operations to work only with files in that directory. The directory must exist; the server will not create it.

  • If set to NULL, the server disables import and export operations.

  The default value is platform specific and depends on the value of the INSTALL_LAYOUT CMake option, as shown in the following table. To specify the default secure_file_priv value explicitly if you are building from source, use the INSTALL_SECURE_FILE_PRIVDIR CMake option.

  INSTALL_LAYOUT Value	Default secure_file_priv Value
  STANDALONE, WIN	NULL (>= MySQL 5.7.16), empty (< MySQL 5.7.16)
  DEB, RPM, SLES, SVR4	/var/lib/mysql-files
  Otherwise	mysql-files under the CMAKE_INSTALL_PREFIX value

  To set the default secure_file_priv value for the libmysqld embedded server, use the INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR CMake option. The default value for this option is NULL.

  The server checks the value of secure_file_priv at startup and writes a warning to the error log if the value is insecure. A non-NULL value is considered insecure if it is empty, or the value is the data directory or a subdirectory of it, or a directory that is accessible by all users. If secure_file_priv is set to a nonexistent path, the server writes an error message to the error log and exits.