-rw-r--r-- | NEWS | 20 | ||||
-rw-r--r-- | doc/wydawca.texi | 73 | ||||
-rw-r--r-- | src/config.c | 5 | ||||
-rw-r--r-- | src/sql.c | 10 | ||||
-rw-r--r-- | src/sql.h | 2 |
5 files changed, 106 insertions, 4 deletions
@@ -1,7 +1,7 @@
-Wydawca NEWS -- history of user-visible changes. 2010-01-02
+Wydawca NEWS -- history of user-visible changes. 2010-01-06
 Copyright (C) 2007, 2008, 2009, 2010 Sergey Poznyakoff
 See the end of file for copying conditions.
 Please send Wydawca bug reports to <bug-wydawca@gnu.org.ua>.
@@ -33,12 +33,30 @@ To update your configuration, use the following (extended) sed expression:
 * Distribution verification.
 The new keyword `check-script' defines a shell script to verify the submitted tarball. See the documentation, section 4.12 "Distribution Verification", for details.
+* New configuration statements
+
+sql default {
+ config-file "file";
+ config-group "grp";
+}
+
+The `config-file' statement specifies the SQL configuration file
+to use. The `config-group' statement indicates the group in that
+file to read. The defaults for both statements depend on the
+underlying database implementation. Currently only MySQL is supported,
+so the defaults are "/etc/my.cnf" for "file", and "client" for
+"group".
+
+These options can be used to store security-sensitive information
+in another file, and thus to relax permission requirements for
+wydawca.rc.
+
 * New meta-variables
 email:admin Full email address of the systems administrator.
 email:owner Full email address of the project administrator.
 email:user Full email address of the user who did the upload.
diff --git a/doc/wydawca.texi b/doc/wydawca.texi
index ab18e47..7e69831 100644
--- a/doc/wydawca.texi
+++ b/doc/wydawca.texi
@@ -1186,27 +1186,75 @@ releases). A database is defined using @code{sql} block statement:
 @deffn {Config} sql @var{id} @{ ... @}
 @smallexample
 @group
 sql @var{id} @{
+ config-file @var{file};
+ config-group @var{group};
 host @var{hostname};
 database @var{dbname};
 user @var{username};
 password @var{string};
 ssl-ca @var{string};
 @}
 @end group
 @end smallexample
 Here, @var{id} is a string uniquely identifying this
-database. It is used by another configuration statements (e.g. by
+database. It is used by other configuration statements (e.g. by
 dictionaries, see the next section) to refer to this database.
 @end deffn
+@deffn {Config: sql} config-file @var{name}
+ Set the name of the @acronym{SQL} configuration file to read.
+@end deffn
+
+@deffn {Config: sql} config-group @var{name}
+ Set the name of the group in the @acronym{SQL} configuration file,
+from where to read configuration options.
+@end deffn
+
+ The statements above allow to keep all security-sensitive
+information, such as @acronym{SQL} username and password, in an
+external configuration file and thus to relax permission requirements
+for @file{wydawca.rc}. The exact format of such external configuration
+file depends on the flavor of @acronym{SQL} @acronym{DBMS} in use.
+As of version @value{VERSION} @command{wydawca} supports only
+@samp{MySQL}, so the configuration file is what is called @dfn{option
+file} in @samp{MySQL} parlance (@pxref{option-files, Using Option
+Files,,mysql,MySQL Manual}).
+
+ For example, suppose your @file{wydawca.rc} contains the following:
+
+@smallexample
+sql default @{
+ config-file /etc/wydawca.mysql;
+ config-group wydawca;
+@}
+@end smallexample
+
+@noindent
+ Then, the @file{/etc/wydawca.mysql} would contain the actual
+parameters for accessing the database, e.g.:
+
+@smallexample
+[wydawca]
+socket = /var/db/mysql.sock
+database = savane
+user = savane
+pass = guessme
+@end smallexample
+
+ Another way to specify database credentials is by using the
+statements described below. If you prefer this way, you will have to
+tighten the permissions of @file{wydawca.rc} so that no third person
+could see the @acronym{SQL} password. The recommended permissions are
+@samp{0600}.
+
 @deffn {Config: sql} host @var{hostname}[:@var{port-or-socket}]
 Set the hostname or @acronym{IP} address of the host running the database. Optional @var{port-or-socket} specifies port number (for @acronym{TCP} connections) or socket name (for @acronym{UNIX} sockets) to use. In the latter case, the @var{hostname} and the colon may be omitted. If, however, it is present, it must be @samp{localhost}.
@@ -1240,12 +1288,28 @@ sql default @{
 user root;
 password guessme;
 @}
 @end group
 @end smallexample
+ It is possible to combine both methods, e.g.:
+
+@smallexample
+@group
+sql default @{
+ config-file /etc/wydawca.sql;
+ host project.database.com:3306;
+ database savane;
+@}
+@end group
+@end smallexample
+
+ Then, @command{wydawca} will attempt to obtain the missing
+information (username and password, in this case) from the
+@file{/etc/wydawca.sql} file.
+
 @node dictionaries
 @section Dictionaries
 @cindex dictionaries
 @cindex @acronym{PGP} key
 A @dfn{dictionary} defines the ways to retrieve user information necessary to verify the submission. This information can be, for
@@ -1924,13 +1988,13 @@ case $@{WYDAWCA_DIST_FILE@} in
 if tar -xOf $@{WYDAWCA_DIST_FILE@} --occurrence=1 \
 --wildcards --no-wildcards-match-slash '*/Makefile.in' | \
 grep -q 'perm -777'; then
 fmt <<_EOF_
 The top-level Makefile.in in $@{WYDAWCA_DIST_FILE@} changes mode of all the directories below the build tree to 777 before creating
-the tarball. This constitutes a security hole (see CVE-2009-4029[1],
+the tarball. This constitutes a security hole (see CVE-2009-4029[1],
 for more details). Please, rebuild the package using a newer Automake (at least v. 1.11.1) and resubmit.
 _EOF_
 cat <<_EOF_
@@ -2819,12 +2883,17 @@ all-spools @var{arg:@i{list of string}};
 # @xref{gpg-homedir}.
 gpg-homedir @var{arg:@i{string}};
 # @r{Define SQL database}.
 # @xref{sql}.
 sql @var{id:@i{string}} @{
+ # @r{Set the name of the configuration file to read.}
+ config-file @var{name:@i{string}};
+ # @r{Set the name of the configuration file group to use.}
+ config-group @var{name:@i{string}};
+
 # @r{Set SQL server hostname or IP address.}
 host @var{host:@i{string}};
 # @r{Set database name.}
 database @var{dbname:@i{string}};
diff --git a/src/config.c b/src/config.c
index 28734d0..e46c2f5 100644
--- a/src/config.c
+++ b/src/config.c
@@ -627,12 +627,17 @@ cb_sql (enum grecs_callback_command cmd,
 grecs_error (locus, 0, _("invalid use of block statement"));
 }
 return 0;
 }
 
 static struct grecs_keyword sql_kw[] = {
+ { "config-file", N_("file"), N_("Read MySQL configuration from <file>"),
+ grecs_type_string, NULL, offsetof(struct sqlconn, config_file) },
+ { "config-group", N_("name"),
+ N_("Read the named group from the SQL configuration file"),
+ grecs_type_string, NULL, offsetof(struct sqlconn, config_group) },
 { "host", N_("host"), N_("Set SQL server hostname or IP address"),
 grecs_type_string, NULL, 0, cb_sql_host },
 { "database", N_("dbname"), N_("Set database name"),
 grecs_type_string, NULL, offsetof(struct sqlconn, database), },
 { "user", N_("name"), N_("Set SQL user name"),
 grecs_type_string, NULL, offsetof(struct sqlconn, user) },
@@ -67,18 +67,26 @@ sql_init_dictionary (struct dictionary *dict)
 abort ();
 }
 if (conn->initcount++ == 0)
 {
 mysql_init (&conn->mysql);
+
+ if (conn->config_file)
+ mysql_options (&conn->mysql, MYSQL_READ_DEFAULT_FILE,
+ conn->config_file);
+ if (conn->config_group)
+ mysql_options (&conn->mysql, MYSQL_READ_DEFAULT_GROUP,
+ conn->config_group);
+
 if (conn->cacert)
 mysql_ssl_set (&conn->mysql, NULL, NULL, conn->cacert, NULL, NULL);
 if (!mysql_real_connect (&conn->mysql, conn->host, conn->user,
 conn->password, conn->database, conn->port,
- conn->socket, 0))
+ conn->socket, CLIENT_MULTI_RESULTS))
 {
 logmsg (LOG_ERR,
 _("failed to connect to database %s: error: %s\n"),
 dict->parmv[0], mysql_error (&conn->mysql));
 return 1;
 }
 }
@@ -16,12 +16,14 @@
 #include <mysql/mysql.h>
 struct sqlconn
 {
 char *ident;
+ char *config_file;
+ char *config_group;
 char *host;
 char *socket;
 short port;
 char *database;
 char *user;
 char *password; |
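Review bot: The `config-file` entry stores its value as a plain `grecs_type_string` with a NULL callback, so a misspelled or unreadable path is accepted at parse time and only surfaces, if at all, when the client library later tries to open the option file; the neighbouring `host` entry already routes through `cb_sql_host` (presumably to split the `host:port` form), and a similar callback for `config-file` that rejects a relative path and reports a file it cannot read would make such mistakes visible to the administrator. The help strings are also inconsistent with each other and with the manual, which calls it the SQL configuration file: `N_("Read SQL configuration from <file>")` would match the wording used for `config-group`. The `sql_kw` table continues past the end of the hunk.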
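Review bot: The return values of the two new `mysql_options` calls are discarded, and as far as I recall the client library does not report an option file it cannot open, so a typo in `config-file` silently falls back to the library's built-in defaults and the connect proceeds with whatever credentials remain in `conn->host`/`conn->user`/`conn->password`; since the whole point of this file is to hold the password outside `wydawca.rc`, I would also warn when it is readable by group or others, mirroring the 0600 advice the manual gives for `wydawca.rc`. A check along the lines below, placed before the library is handed the path, keeps the failure at the point where the operator can see it. Separately, the switch from `0` to `CLIENT_MULTI_RESULTS` in `mysql_real_connect` is unrelated to the option-file feature and is not mentioned in the NEWS hunk; a one-line comment such as `/* CLIENT_MULTI_RESULTS: needed for stored procedures returning result sets */` would record the reason, assuming that is what motivated it. The enclosing `sql_init_dictionary` begins before the hunk and appears to continue after it.
```c
      if (conn->config_file)
        {
          struct stat st;

          if (stat (conn->config_file, &st) != 0)
            logmsg (LOG_WARNING,
                    _("cannot stat SQL configuration file %s: %s\n"),
                    conn->config_file, strerror (errno));
          else if (st.st_mode & (S_IRWXG | S_IRWXO))
            logmsg (LOG_WARNING,
                    _("SQL configuration file %s is group or world accessible\n"),
                    conn->config_file);
          if (mysql_options (&conn->mysql, MYSQL_READ_DEFAULT_FILE,
                             conn->config_file))
            logmsg (LOG_ERR, _("cannot set SQL configuration file %s\n"),
                    conn->config_file);
        }
      /* … unchanged: config-group option, ssl setup, mysql_real_connect … */
```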
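Review bot: The two new `struct sqlconn` members carry no comment saying what they hold or what a NULL value means, although NULL is exactly the case the `sql.c` hunk branches on; `char *config_file;   /* SQL client option file; NULL = let the client library choose */` and `char *config_group;  /* group within config_file to read; NULL = library default */` would state the contract. The defaults quoted in NEWS ("/etc/my.cnf" and "client") come from the client library rather than from this code, so the comment should point at the library rather than repeat the values. Ownership of the strings is presumably the same as for the other `char *` fields filled in by the configuration parser, but that is not visible here and is worth confirming. The `struct sqlconn` definition continues past the end of the hunk.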