author | Sergey Poznyakoff <gray@gnu.org.ua> | 2010-01-06 13:25:39 +0200 |
---|---|---|
committer | Sergey Poznyakoff <gray@gnu.org.ua> | 2010-01-06 13:25:39 +0200 |
commit | 1a0f319a747220e48bde4fae8b80c0b00d22e69c (patch) | |
tree | 5912bfb14ac3d26b29eff947ded1eefa008e80be | |
parent | fa78a9f21ff4fd85fb568232c9bee957b9c83497 (diff) | |
Improve SQL configuration.
* src/config.c (sql_kw): New statements: config-file and
config-group.
* src/sql.c (sql_init_dictionary): Handle config-file and
config-group. Set CLIENT_MULTI_RESULTS option.
* src/sql.h (struct sqlconn): New members: config_file and
config_group.
* NEWS, doc/wydawca.texi: Update.
-rw-r--r-- | NEWS | 20 | ||||
-rw-r--r-- | doc/wydawca.texi | 73 | ||||
-rw-r--r-- | src/config.c | 5 | ||||
-rw-r--r-- | src/sql.c | 10 | ||||
-rw-r--r-- | src/sql.h | 2 |
5 files changed, 106 insertions, 4 deletions
@@ -1,7 +1,7 @@ | |||
1 | Wydawca NEWS -- history of user-visible changes. 2010-01-02 | 1 | Wydawca NEWS -- history of user-visible changes. 2010-01-06 |
2 | Copyright (C) 2007, 2008, 2009, 2010 Sergey Poznyakoff | 2 | Copyright (C) 2007, 2008, 2009, 2010 Sergey Poznyakoff |
3 | See the end of file for copying conditions. | 3 | See the end of file for copying conditions. |
4 | 4 | ||
5 | Please send Wydawca bug reports to <bug-wydawca@gnu.org.ua>. | 5 | Please send Wydawca bug reports to <bug-wydawca@gnu.org.ua>. |
6 | 6 | ||
7 | 7 | ||
@@ -33,12 +33,30 @@ To update your configuration, use the following (extended) sed expression: | |||
33 | * Distribution verification. | 33 | * Distribution verification. |
34 | 34 | ||
35 | The new keyword `check-script' defines a shell script to | 35 | The new keyword `check-script' defines a shell script to |
36 | verify the submitted tarball. See the documentation, section | 36 | verify the submitted tarball. See the documentation, section |
37 | 4.12 "Distribution Verification", for details. | 37 | 4.12 "Distribution Verification", for details. |
38 | 38 | ||
39 | * New configuration statements | ||
40 | |||
41 | sql default { | ||
42 | config-file "file"; | ||
43 | config-group "grp"; | ||
44 | } | ||
45 | |||
46 | The `config-file' statement specifies the SQL configuration file | ||
47 | to use. The `config-group' statement indicates the group in that | ||
48 | file to read. The defaults for both statements depend on the | ||
49 | underlying database implementation. Currently only MySQL is supported, | ||
50 | so the defaults are "/etc/my.cnf" for "file", and "client" for | ||
51 | "group". | ||
52 | |||
53 | These options can be used to store security-sensitive information | ||
54 | in another file, and thus to relax permission requirements for | ||
55 | wydawca.rc. | ||
56 | |||
39 | * New meta-variables | 57 | * New meta-variables |
40 | 58 | ||
41 | email:admin Full email address of the systems administrator. | 59 | email:admin Full email address of the systems administrator. |
42 | email:owner Full email address of the project administrator. | 60 | email:owner Full email address of the project administrator. |
43 | email:user Full email address of the user who did the upload. | 61 | email:user Full email address of the user who did the upload. |
44 | 62 | ||
diff --git a/doc/wydawca.texi b/doc/wydawca.texi index ab18e47..7e69831 100644 --- a/doc/wydawca.texi +++ b/doc/wydawca.texi | |||
@@ -1186,27 +1186,75 @@ releases). | |||
1186 | A database is defined using @code{sql} block statement: | 1186 | A database is defined using @code{sql} block statement: |
1187 | 1187 | ||
1188 | @deffn {Config} sql @var{id} @{ ... @} | 1188 | @deffn {Config} sql @var{id} @{ ... @} |
1189 | @smallexample | 1189 | @smallexample |
1190 | @group | 1190 | @group |
1191 | sql @var{id} @{ | 1191 | sql @var{id} @{ |
1192 | config-file @var{file}; | ||
1193 | config-group @var{group}; | ||
1192 | host @var{hostname}; | 1194 | host @var{hostname}; |
1193 | database @var{dbname}; | 1195 | database @var{dbname}; |
1194 | user @var{username}; | 1196 | user @var{username}; |
1195 | password @var{string}; | 1197 | password @var{string}; |
1196 | ssl-ca @var{string}; | 1198 | ssl-ca @var{string}; |
1197 | @} | 1199 | @} |
1198 | @end group | 1200 | @end group |
1199 | @end smallexample | 1201 | @end smallexample |
1200 | 1202 | ||
1201 | Here, @var{id} is a string uniquely identifying this | 1203 | Here, @var{id} is a string uniquely identifying this |
1202 | database. It is used by another configuration statements (e.g. by | 1204 | database. It is used by other configuration statements (e.g. by |
1203 | dictionaries, see the next section) to refer to this | 1205 | dictionaries, see the next section) to refer to this |
1204 | database. | 1206 | database. |
1205 | @end deffn | 1207 | @end deffn |
1206 | 1208 | ||
1209 | @deffn {Config: sql} config-file @var{name} | ||
1210 | Set the name of the @acronym{SQL} configuration file to read. | ||
1211 | @end deffn | ||
1212 | |||
1213 | @deffn {Config: sql} config-group @var{name} | ||
1214 | Set the name of the group in the @acronym{SQL} configuration file, | ||
1215 | from where to read configuration options. | ||
1216 | @end deffn | ||
1217 | |||
1218 | The statements above allow to keep all security-sensitive | ||
1219 | information, such as @acronym{SQL} username and password, in an | ||
1220 | external configuration file and thus to relax permission requirements | ||
1221 | for @file{wydawca.rc}. The exact format of such external configuration | ||
1222 | file depends on the flavor of @acronym{SQL} @acronym{DBMS} in use. | ||
1223 | As of version @value{VERSION} @command{wydawca} supports only | ||
1224 | @samp{MySQL}, so the configuration file is what is called @dfn{option | ||
1225 | file} in @samp{MySQL} parlance (@pxref{option-files, Using Option | ||
1226 | Files,,mysql,MySQL Manual}). | ||
1227 | |||
1228 | For example, suppose your @file{wydawca.rc} contains the following: | ||
1229 | |||
1230 | @smallexample | ||
1231 | sql default @{ | ||
1232 | config-file /etc/wydawca.mysql; | ||
1233 | config-group wydawca; | ||
1234 | @} | ||
1235 | @end smallexample | ||
1236 | |||
1237 | @noindent | ||
1238 | Then, the @file{/etc/wydawca.mysql} would contain the actual | ||
1239 | parameters for accessing the database, e.g.: | ||
1240 | |||
1241 | @smallexample | ||
1242 | [wydawca] | ||
1243 | socket = /var/db/mysql.sock | ||
1244 | database = savane | ||
1245 | user = savane | ||
1246 | pass = guessme | ||
1247 | @end smallexample | ||
1248 | |||
1249 | Another way to specify database credentials is by using the | ||
1250 | statements described below. If you prefer this way, you will have to | ||
1251 | tighten the permissions of @file{wydawca.rc} so that no third person | ||
1252 | could see the @acronym{SQL} password. The recommended permissions are | ||
1253 | @samp{0600}. | ||
1254 | |||
1207 | @deffn {Config: sql} host @var{hostname}[:@var{port-or-socket}] | 1255 | @deffn {Config: sql} host @var{hostname}[:@var{port-or-socket}] |
1208 | Set the hostname or @acronym{IP} address of the host running the | 1256 | Set the hostname or @acronym{IP} address of the host running the |
1209 | database. Optional @var{port-or-socket} specifies port number (for | 1257 | database. Optional @var{port-or-socket} specifies port number (for |
1210 | @acronym{TCP} connections) or socket name (for @acronym{UNIX} sockets) | 1258 | @acronym{TCP} connections) or socket name (for @acronym{UNIX} sockets) |
1211 | to use. In the latter case, the @var{hostname} and the colon may be | 1259 | to use. In the latter case, the @var{hostname} and the colon may be |
1212 | omitted. If, however, it is present, it must be @samp{localhost}. | 1260 | omitted. If, however, it is present, it must be @samp{localhost}. |
@@ -1240,12 +1288,28 @@ sql default @{ | |||
1240 | user root; | 1288 | user root; |
1241 | password guessme; | 1289 | password guessme; |
1242 | @} | 1290 | @} |
1243 | @end group | 1291 | @end group |
1244 | @end smallexample | 1292 | @end smallexample |
1245 | 1293 | ||
1294 | It is possible to combine both methods, e.g.: | ||
1295 | |||
1296 | @smallexample | ||
1297 | @group | ||
1298 | sql default @{ | ||
1299 | config-file /etc/wydawca.sql; | ||
1300 | host project.database.com:3306; | ||
1301 | database savane; | ||
1302 | @} | ||
1303 | @end group | ||
1304 | @end smallexample | ||
1305 | |||
1306 | Then, @command{wydawca} will attempt to obtain the missing | ||
1307 | information (username and password, in this case) from the | ||
1308 | @file{/etc/wydawca.sql} file. | ||
1309 | |||
1246 | @node dictionaries | 1310 | @node dictionaries |
1247 | @section Dictionaries | 1311 | @section Dictionaries |
1248 | @cindex dictionaries | 1312 | @cindex dictionaries |
1249 | @cindex @acronym{PGP} key | 1313 | @cindex @acronym{PGP} key |
1250 | A @dfn{dictionary} defines the ways to retrieve user information | 1314 | A @dfn{dictionary} defines the ways to retrieve user information |
1251 | necessary to verify the submission. This information can be, for | 1315 | necessary to verify the submission. This information can be, for |
@@ -1924,13 +1988,13 @@ case $@{WYDAWCA_DIST_FILE@} in | |||
1924 | if tar -xOf $@{WYDAWCA_DIST_FILE@} --occurrence=1 \ | 1988 | if tar -xOf $@{WYDAWCA_DIST_FILE@} --occurrence=1 \ |
1925 | --wildcards --no-wildcards-match-slash '*/Makefile.in' | \ | 1989 | --wildcards --no-wildcards-match-slash '*/Makefile.in' | \ |
1926 | grep -q 'perm -777'; then | 1990 | grep -q 'perm -777'; then |
1927 | fmt <<_EOF_ | 1991 | fmt <<_EOF_ |
1928 | The top-level Makefile.in in $@{WYDAWCA_DIST_FILE@} changes mode of | 1992 | The top-level Makefile.in in $@{WYDAWCA_DIST_FILE@} changes mode of |
1929 | all the directories below the build tree to 777 before creating | 1993 | all the directories below the build tree to 777 before creating |
1930 | the tarball. This constitutes a security hole (see CVE-2009-4029[1], | 1994 | the tarball. This constitutes a security hole (see CVE-2009-4029[1], |
1931 | for more details). | 1995 | for more details). |
1932 | 1996 | ||
1933 | Please, rebuild the package using a newer Automake (at least v. 1.11.1) | 1997 | Please, rebuild the package using a newer Automake (at least v. 1.11.1) |
1934 | and resubmit. | 1998 | and resubmit. |
1935 | _EOF_ | 1999 | _EOF_ |
1936 | cat <<_EOF_ | 2000 | cat <<_EOF_ |
@@ -2819,12 +2883,17 @@ all-spools @var{arg:@i{list of string}}; | |||
2819 | # @xref{gpg-homedir}. | 2883 | # @xref{gpg-homedir}. |
2820 | gpg-homedir @var{arg:@i{string}}; | 2884 | gpg-homedir @var{arg:@i{string}}; |
2821 | 2885 | ||
2822 | # @r{Define SQL database}. | 2886 | # @r{Define SQL database}. |
2823 | # @xref{sql}. | 2887 | # @xref{sql}. |
2824 | sql @var{id:@i{string}} @{ | 2888 | sql @var{id:@i{string}} @{ |
2889 | # @r{Set the name of the configuration file to read.} | ||
2890 | config-file @var{name:@i{string}}; | ||
2891 | # @r{Set the name of the configuration file group to use.} | ||
2892 | config-group @var{name:@i{string}}; | ||
2893 | |||
2825 | # @r{Set SQL server hostname or IP address.} | 2894 | # @r{Set SQL server hostname or IP address.} |
2826 | host @var{host:@i{string}}; | 2895 | host @var{host:@i{string}}; |
2827 | 2896 | ||
2828 | # @r{Set database name.} | 2897 | # @r{Set database name.} |
2829 | database @var{dbname:@i{string}}; | 2898 | database @var{dbname:@i{string}}; |
2830 | 2899 | ||
diff --git a/src/config.c b/src/config.c index 28734d0..e46c2f5 100644 --- a/src/config.c +++ b/src/config.c | |||
@@ -627,12 +627,17 @@ cb_sql (enum grecs_callback_command cmd, | |||
627 | grecs_error (locus, 0, _("invalid use of block statement")); | 627 | grecs_error (locus, 0, _("invalid use of block statement")); |
628 | } | 628 | } |
629 | return 0; | 629 | return 0; |
630 | } | 630 | } |
631 | 631 | ||
632 | static struct grecs_keyword sql_kw[] = { | 632 | static struct grecs_keyword sql_kw[] = { |