Require all MySQL accounts to have a password. A client program does not necessarily know the identity of the person running it. 要求所有MySQL帐户都有密码。客户端程序不一定知道运行它的人的身份。It is common for client/server applications that the user can specify any user name to the client program. 对于客户端/服务器应用程序来说，用户可以向客户端程序指定任何用户名是很常见的。For example, anyone can use the mysql program to connect as any other person simply by invoking it as mysql -u other_user db_name if other_user has no password. If all accounts have a password, connecting using another user's account becomes much more difficult.例如，如果other_user没有密码，任何人都可以使用mysql程序以任何其他人的身份连接，只需将其以mysql-u other_user db_name的形式调用即可。如果所有帐户都有密码，则使用其他用户的帐户进行连接会变得更加困难。

For a discussion of methods for setting passwords, see Section 6.2.14, “Assigning Account Passwords”.有关设置密码的方法的讨论，请参阅第6.2.14节，“分配帐户密码”。

Make sure that the only Unix user account with read or write privileges in the database directories is the account that is used for running mysqld.确保数据库目录中唯一具有读写权限的Unix用户帐户是用于运行mysqld的帐户。

Never run the MySQL server as the Unix root user. 永远不要以Unix root用户身份运行MySQL服务器。This is extremely dangerous, because any user with the FILE privilege is able to cause the server to create files as root (for example, ~root/.bashrc). 这是极其危险的，因为任何具有FILE权限的用户都可以使服务器以root身份创建文件（例如，~root/.bashrc）。To prevent this, mysqld refuses to run as root unless that is specified explicitly using the --user=root option.为了防止这种情况，mysqld拒绝以root身份运行，除非使用--user=root选项明确指定。

mysqld can (and should) be run as an ordinary, unprivileged user instead. You can create a separate Unix account named mysql to make everything even more secure. mysqld可以（也应该）作为普通的、无特权的用户运行。您可以创建一个名为mysql的单独Unix帐户，使一切更加安全。Use this account only for administering MySQL. To start mysqld as a different Unix user, add a user option that specifies the user name in the [mysqld] group of the my.cnf option file where you specify server options. For example:此帐户仅用于管理MySQL。要以其他Unix用户身份启动mysqld，请在指定服务器选项的my.cnf选项文件的[mysqld]组中添加一个用户选项，指定用户名。例如：

[mysqld]
user=mysql

This causes the server to start as the designated user whether you start it manually or by using mysqld_safe or mysql.server. 这会导致服务器以指定用户身份启动，无论您是手动启动还是使用mysqld_safe或mysql.server启动。For more details, see Section 6.1.5, “How to Run MySQL as a Normal User”.有关更多详细信息，请参阅第6.1.5节，“如何以普通用户身份运行MySQL”。

Running mysqld as a Unix user other than root does not mean that you need to change the root user name in the user table. 以root以外的Unix用户运行mysqld并不意味着您需要更改user表中的root用户名。User names for MySQL accounts have nothing to do with user names for Unix accounts.MySQL帐户的用户名与Unix帐户的用户名无关。

Do not grant the FILE privilege to nonadministrative users. 不要将FILE权限授予非管理员用户。Any user that has this privilege can write a file anywhere in the file system with the privileges of the mysqld daemon. 任何具有此权限的用户都可以使用mysqld守护进程的权限在文件系统中的任何位置写入文件。This includes the server's data directory containing the files that implement the privilege tables. 这包括服务器的数据目录，其中包含实现特权表的文件。To make FILE-privilege operations a bit safer, files generated with SELECT ... INTO OUTFILE do not overwrite existing files and are writable by everyone.为了使FILE权限操作更安全，使用SELECT ... INTO OUTFILE生成的文件不会覆盖现有文件，所有人都可以写入。

The FILE privilege may also be used to read any file that is world-readable or accessible to the Unix user that the server runs as. FILE权限还可用于读取服务器运行时Unix用户可以读取或访问的任何文件。With this privilege, you can read any file into a database table. 有了这个特权，您可以将任何文件读取到数据库表中。This could be abused, for example, by using LOAD DATA to load /etc/passwd into a table, which then can be displayed with SELECT.这可能会被滥用，例如，通过使用LOAD DATA将/etc/passwd加载到表中，然后可以用SELECT显示。

To limit the location in which files can be read and written, set the secure_file_priv system to a specific directory. See Section 5.1.8, “Server System Variables”.要限制文件的读写位置，请将secure_file_priv系统设置为特定目录。请参阅第5.1.8节，“服务器系统变量”。

Encrypt binary log files and relay log files. Encryption helps to protect these files and the potentially sensitive data contained in them from being misused by outside attackers, and also from unauthorized viewing by users of the operating system where they are stored. 加密二进制日志文件和中继日志文件。加密有助于保护这些文件及其包含的潜在敏感数据免受外部攻击者的滥用，也有助于防止存储这些文件的操作系统用户未经授权地查看这些文件。You enable encryption on a MySQL server by setting the binlog_encryption system variable to ON. 通过将binlog_encryption系统变量设置为ON，可以在MySQL服务器上启用加密。For more information, see Section 17.3.2, “Encrypting Binary Log Files and Relay Log Files”.有关更多信息，请参阅第17.3.2节，“加密二进制日志文件和中继日志文件”。

Do not grant the PROCESS or SUPER privilege to nonadministrative users. 不要将PROCESS或SUPER权限授予非管理员用户。The output of mysqladmin processlist and SHOW PROCESSLIST shows the text of any statements currently being executed, so any user who is permitted to see the server process list might be able to see statements issued by other users.mysqladmin进程列表和SHOW PROCESSIST的输出显示了当前正在执行的任何语句的文本，因此任何被允许查看服务器进程列表的用户都可以看到其他用户发出的语句。

mysqld reserves an extra connection for users who have the CONNECTION_ADMIN or SUPER privilege, so that a MySQL root user can log in and check server activity even if all normal connections are in use.mysqld为具有CONNECTION_ADMIN或SUPER权限的用户保留了一个额外的连接，这样即使所有正常连接都在使用中，MySQL root用户也可以登录并检查服务器活动。

The SUPER privilege can be used to terminate client connections, change server operation by changing the value of system variables, and control replication servers.SUPER权限可用于终止客户端连接，通过更改系统变量的值来更改服务器操作，以及控制复一致性务器。

Do not permit the use of symlinks to tables. (This capability can be disabled with the --skip-symbolic-links option.) 不允许使用表的符号链接。（可以使用--skip-symbolic-links选项禁用此功能。）This is especially important if you run mysqld as root, because anyone that has write access to the server's data directory then could delete any file in the system! 如果你以root身份运行mysqld，这一点尤为重要，因为任何对服务器数据目录有写访问权限的人都可以删除系统中的任何文件！See Section 8.12.2.2, “Using Symbolic Links for MyISAM Tables on Unix”.请参阅第8.12.2.2节，“在Unix上使用MyISAM表的符号链接”。

Stored programs and views should be written using the security guidelines discussed in Section 25.6, “Stored Object Access Control”.应使用第25.6节，“存储对象访问控制”中讨论的安全准则编写存储程序和视图。

If you do not trust your DNS, you should use IP addresses rather than host names in the grant tables. In any case, you should be very careful about creating grant table entries using host name values that contain wildcards.如果你不信任你的DNS，你应该在授权表中使用IP地址而不是主机名。在任何情况下，使用包含通配符的主机名值创建授权表条目时都应该非常小心。

If you want to restrict the number of connections permitted to a single account, you can do so by setting the max_user_connections variable in mysqld. 如果你想限制单个帐户允许的连接数量，可以通过在mysqld中设置max_user_connections变量来实现。The CREATE USER and ALTER USER statements also support resource control options for limiting the extent of server use permitted to an account. CREATE USER和ALTER USER语句还支持资源控制选项，用于限制允许帐户使用服务器的范围。See Section 13.7.1.3, “CREATE USER Statement”, and Section 13.7.1.1, “ALTER USER Statement”.请参阅第13.7.1.3节，“CREATE USER语句”和第13.7.1.1节，“ALTER USER语句”。

If the plugin directory is writable by the server, it may be possible for a user to write executable code to a file in the directory using SELECT ... INTO DUMPFILE. 如果插件目录可由服务器写入，则用户可以使用SELECT ... INTO DUMPFILE将可执行代码写入目录中的文件。This can be prevented by making plugin_dir read only to the server or by setting secure_file_priv to a directory where SELECT writes can be made safely.这可以通过使plugin_dir对服务器只读或将secure_file_priv设置为可以安全进行SELECT写入的目录来防止。