-rw-r--r--NEWS20
-rw-r--r--doc/wydawca.texi73
-rw-r--r--src/config.c5
-rw-r--r--src/sql.c10
-rw-r--r--src/sql.h2
5 files changed, 106 insertions, 4 deletions
diff --git a/NEWS b/NEWS
index 588a3d2..d4de3c3 100644
--- a/NEWS
+++ b/NEWS
@@ -1,7 +1,7 @@
-Wydawca NEWS -- history of user-visible changes. 2010-01-02
+Wydawca NEWS -- history of user-visible changes. 2010-01-06
Copyright (C) 2007, 2008, 2009, 2010 Sergey Poznyakoff
See the end of file for copying conditions.
Please send Wydawca bug reports to <bug-wydawca@gnu.org.ua>.
@@ -33,12 +33,30 @@ To update your configuration, use the following (extended) sed expression:
* Distribution verification.
The new keyword `check-script' defines a shell script to
verify the submitted tarball. See the documentation, section
4.12 "Distribution Verification", for details.
+* New configuration statements
+
+sql default {
+ config-file "file";
+ config-group "grp";
+}
+
+The `config-file' statement specifies the SQL configuration file
+to use. The `config-group' statement indicates the group in that
+file to read. The defaults for both statements depend on the
+underlying database implementation. Currently only MySQL is supported,
+so the defaults are "/etc/my.cnf" for "file", and "client" for
+"group".
+
+These options can be used to store security-sensitive information
+in another file, and thus to relax permission requirements for
+wydawca.rc.
+
* New meta-variables
email:admin Full email address of the systems administrator.
email:owner Full email address of the project administrator.
email:user Full email address of the user who did the upload.
diff --git a/doc/wydawca.texi b/doc/wydawca.texi
index ab18e47..7e69831 100644
--- a/doc/wydawca.texi
+++ b/doc/wydawca.texi
@@ -1186,27 +1186,75 @@ releases).
A database is defined using @code{sql} block statement:
@deffn {Config} sql @var{id} @{ ... @}
@smallexample
@group
sql @var{id} @{
+ config-file @var{file};
+ config-group @var{group};
host @var{hostname};
database @var{dbname};
user @var{username};
password @var{string};
ssl-ca @var{string};
@}
@end group
@end smallexample
Here, @var{id} is a string uniquely identifying this
-database. It is used by another configuration statements (e.g. by
+database. It is used by other configuration statements (e.g. by
dictionaries, see the next section) to refer to this
database.
@end deffn
+@deffn {Config: sql} config-file @var{name}
+ Set the name of the @acronym{SQL} configuration file to read.
+@end deffn
+
+@deffn {Config: sql} config-group @var{name}
+ Set the name of the group in the @acronym{SQL} configuration file,
+from where to read configuration options.
+@end deffn
+
+ The statements above allow to keep all security-sensitive
+information, such as @acronym{SQL} username and password, in an
+external configuration file and thus to relax permission requirements
+for @file{wydawca.rc}. The exact format of such external configuration
+file depends on the flavor of @acronym{SQL} @acronym{DBMS} in use.
+As of version @value{VERSION} @command{wydawca} supports only
+@samp{MySQL}, so the configuration file is what is called @dfn{option
+file} in @samp{MySQL} parlance (@pxref{option-files, Using Option
+Files,,mysql,MySQL Manual}).
+
+ For example, suppose your @file{wydawca.rc} contains the following:
+
+@smallexample
+sql default @{
+ config-file /etc/wydawca.mysql;
+ config-group wydawca;
+@}
+@end smallexample
+
+@noindent
+ Then, the @file{/etc/wydawca.mysql} would contain the actual
+parameters for accessing the database, e.g.:
+
+@smallexample
+[wydawca]
+socket = /var/db/mysql.sock
+database = savane
+user = savane
+pass = guessme
+@end smallexample
+
+ Another way to specify database credentials is by using the
+statements described below. If you prefer this way, you will have to
+tighten the permissions of @file{wydawca.rc} so that no third person
+could see the @acronym{SQL} password. The recommended permissions are
+@samp{0600}.
+
@deffn {Config: sql} host @var{hostname}[:@var{port-or-socket}]
Set the hostname or @acronym{IP} address of the host running the
database. Optional @var{port-or-socket} specifies port number (for
@acronym{TCP} connections) or socket name (for @acronym{UNIX} sockets)
to use. In the latter case, the @var{hostname} and the colon may be
omitted. If, however, it is present, it must be @samp{localhost}.
@@ -1240,12 +1288,28 @@ sql default @{
user root;
password guessme;
@}
@end group
@end smallexample
+ It is possible to combine both methods, e.g.:
+
+@smallexample
+@group
+sql default @{
+ config-file /etc/wydawca.sql;
+ host project.database.com:3306;
+ database savane;
+@}
+@end group
+@end smallexample
+
+ Then, @command{wydawca} will attempt to obtain the missing
+information (username and password, in this case) from the
+@file{/etc/wydawca.sql} file.
+
@node dictionaries
@section Dictionaries
@cindex dictionaries
@cindex @acronym{PGP} key
A @dfn{dictionary} defines the ways to retrieve user information
necessary to verify the submission. This information can be, for
@@ -1924,13 +1988,13 @@ case $@{WYDAWCA_DIST_FILE@} in
if tar -xOf $@{WYDAWCA_DIST_FILE@} --occurrence=1 \
--wildcards --no-wildcards-match-slash '*/Makefile.in' | \
grep -q 'perm -777'; then
fmt <<_EOF_
The top-level Makefile.in in $@{WYDAWCA_DIST_FILE@} changes mode of
all the directories below the build tree to 777 before creating
-the tarball. This constitutes a security hole (see CVE-2009-4029[1],
+the tarball. This constitutes a security hole (see CVE-2009-4029[1],
for more details).
Please, rebuild the package using a newer Automake (at least v. 1.11.1)
and resubmit.
_EOF_
cat <<_EOF_
@@ -2819,12 +2883,17 @@ all-spools @var{arg:@i{list of string}};
# @xref{gpg-homedir}.
gpg-homedir @var{arg:@i{string}};
# @r{Define SQL database}.
# @xref{sql}.
sql @var{id:@i{string}} @{
+ # @r{Set the name of the configuration file to read.}
+ config-file @var{name:@i{string}};
+ # @r{Set the name of the configuration file group to use.}
+ config-group @var{name:@i{string}};
+
# @r{Set SQL server hostname or IP address.}
host @var{host:@i{string}};
# @r{Set database name.}
database @var{dbname:@i{string}};
diff --git a/src/config.c b/src/config.c
index 28734d0..e46c2f5 100644
--- a/src/config.c
+++ b/src/config.c
@@ -627,12 +627,17 @@ cb_sql (enum grecs_callback_command cmd,
grecs_error (locus, 0, _("invalid use of block statement"));
}
return 0;
}
static struct grecs_keyword sql_kw[] = {
+ { "config-file", N_("file"), N_("Read MySQL configuration from <file>"),
+ grecs_type_string, NULL, offsetof(struct sqlconn, config_file) },
+ { "config-group", N_("name"),
+ N_("Read the named group from the SQL configuration file"),
+ grecs_type_string, NULL, offsetof(struct sqlconn, config_group) },
{ "host", N_("host"), N_("Set SQL server hostname or IP address"),
grecs_type_string, NULL, 0, cb_sql_host },
{ "database", N_("dbname"), N_("Set database name"),
grecs_type_string, NULL, offsetof(struct sqlconn, database), },
{ "user", N_("name"), N_("Set SQL user name"),
grecs_type_string, NULL, offsetof(struct sqlconn, user) },
diff --git a/src/sql.c b/src/sql.c
index 0ccc2e7..a4b311e 100644
--- a/src/sql.c
+++ b/src/sql.c
@@ -67,18 +67,26 @@ sql_init_dictionary (struct dictionary *dict)
abort ();
}
if (conn->initcount++ == 0)
{
mysql_init (&conn->mysql);
+
+ if (conn->config_file)
+ mysql_options (&conn->mysql, MYSQL_READ_DEFAULT_FILE,
+ conn->config_file);
+ if (conn->config_group)
+ mysql_options (&conn->mysql, MYSQL_READ_DEFAULT_GROUP,
+ conn->config_group);
+
if (conn->cacert)
mysql_ssl_set (&conn->mysql, NULL, NULL, conn->cacert,
NULL, NULL);
if (!mysql_real_connect (&conn->mysql, conn->host, conn->user,
conn->password, conn->database, conn->port,
- conn->socket, 0))
+ conn->socket, CLIENT_MULTI_RESULTS))
{
logmsg (LOG_ERR, _("failed to connect to database %s: error: %s\n"),
dict->parmv[0], mysql_error (&conn->mysql));
return 1;
}
}
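Review bot: The path from `config-file` is handed to libmysqlclient on L216-L218 without checking that it exists or is readable, and as far as I can tell the client library silently skips an option file it cannot open, so a typo in the path or a too-strict mode surfaces only as the later "failed to connect to database" on L231 with whatever credentials happened to remain, which is misleading precisely because the documentation now recommends keeping the password there. A guard before the `mysql_options` calls such as `if (conn->config_file && access (conn->config_file, R_OK))` followed by `logmsg (LOG_WARNING, _("cannot read SQL option file %s: %s"), conn->config_file, strerror (errno));` reports the real cause, and warning when the file is group- or world-readable would back the NEWS claim that this file is where the secrets now live. Separately, the change of the last `mysql_real_connect` argument from `0` to `CLIENT_MULTI_RESULTS` on L229 is mentioned neither in NEWS nor in the texi hunk; it does not, unlike CLIENT_MULTI_STATEMENTS, let one query string carry several statements, so it does not widen the injection surface, but a comment such as `/* CLIENT_MULTI_RESULTS: presumably for result sets returned by CALL; confirm */` should record why it is needed. sql_init_dictionary starts before this hunk and continues after L235, which only closes the `initcount` block.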
diff --git a/src/sql.h b/src/sql.h
index cf7d636..a4ab2ee 100644
--- a/src/sql.h
+++ b/src/sql.h
@@ -16,12 +16,14 @@
#include <mysql/mysql.h>
struct sqlconn
{
char *ident;
+ char *config_file;
+ char *config_group;
char *host;
char *socket;
short port;
char *database;
char *user;
char *password;
