diff options
-rw-r--r-- | NEWS | 20 | ||||
-rw-r--r-- | doc/wydawca.texi | 73 | ||||
-rw-r--r-- | src/config.c | 5 | ||||
-rw-r--r-- | src/sql.c | 10 | ||||
-rw-r--r-- | src/sql.h | 2 |
5 files changed, 106 insertions, 4 deletions
@@ -1,4 +1,4 @@ | |||
1 | Wydawca NEWS -- history of user-visible changes. 2010-01-02 | 1 | Wydawca NEWS -- history of user-visible changes. 2010-01-06 |
2 | Copyright (C) 2007, 2008, 2009, 2010 Sergey Poznyakoff | 2 | Copyright (C) 2007, 2008, 2009, 2010 Sergey Poznyakoff |
3 | See the end of file for copying conditions. | 3 | See the end of file for copying conditions. |
4 | 4 | ||
@@ -36,6 +36,24 @@ The new keyword `check-script' defines a shell script to | |||
36 | verify the submitted tarball. See the documentation, section | 36 | verify the submitted tarball. See the documentation, section |
37 | 4.12 "Distribution Verification", for details. | 37 | 4.12 "Distribution Verification", for details. |
38 | 38 | ||
39 | * New configuration statements | ||
40 | |||
41 | sql default { | ||
42 | config-file "file"; | ||
43 | config-group "grp"; | ||
44 | } | ||
45 | |||
46 | The `config-file' statement specifies the SQL configuration file | ||
47 | to use. The `config-group' statement indicates the group in that | ||
48 | file to read. The defaults for both statements depend on the | ||
49 | underlying database implementation. Currently only MySQL is supported, | ||
50 | so the defaults are "/etc/my.cnf" for "file", and "client" for | ||
51 | "group". | ||
52 | |||
53 | These options can be used to store security-sensitive information | ||
54 | in another file, and thus to relax permission requirements for | ||
55 | wydawca.rc. | ||
56 | |||
39 | * New meta-variables | 57 | * New meta-variables |
40 | 58 | ||
41 | email:admin Full email address of the systems administrator. | 59 | email:admin Full email address of the systems administrator. |
diff --git a/doc/wydawca.texi b/doc/wydawca.texi index ab18e47..7e69831 100644 --- a/doc/wydawca.texi +++ b/doc/wydawca.texi | |||
@@ -1189,6 +1189,8 @@ releases). | |||
1189 | @smallexample | 1189 | @smallexample |
1190 | @group | 1190 | @group |
1191 | sql @var{id} @{ | 1191 | sql @var{id} @{ |
1192 | config-file @var{file}; | ||
1193 | config-group @var{group}; | ||
1192 | host @var{hostname}; | 1194 | host @var{hostname}; |
1193 | database @var{dbname}; | 1195 | database @var{dbname}; |
1194 | user @var{username}; | 1196 | user @var{username}; |
@@ -1199,11 +1201,57 @@ sql @var{id} @{ | |||
1199 | @end smallexample | 1201 | @end smallexample |
1200 | 1202 | ||
1201 | Here, @var{id} is a string uniquely identifying this | 1203 | Here, @var{id} is a string uniquely identifying this |
1202 | database. It is used by another configuration statements (e.g. by | 1204 | database. It is used by other configuration statements (e.g. by |
1203 | dictionaries, see the next section) to refer to this | 1205 | dictionaries, see the next section) to refer to this |
1204 | database. | 1206 | database. |
1205 | @end deffn | 1207 | @end deffn |
1206 | 1208 | ||
1209 | @deffn {Config: sql} config-file @var{name} | ||
1210 | Set the name of the @acronym{SQL} configuration file to read. | ||
1211 | @end deffn | ||
1212 | |||
1213 | @deffn {Config: sql} config-group @var{name} | ||
1214 | Set the name of the group in the @acronym{SQL} configuration file, | ||
1215 | from where to read configuration options. | ||
1216 | @end deffn | ||
1217 | |||
1218 | The statements above allow to keep all security-sensitive | ||
1219 | information, such as @acronym{SQL} username and password, in an | ||
1220 | external configuration file and thus to relax permission requirements | ||
1221 | for @file{wydawca.rc}. The exact format of such external configuration | ||
1222 | file depends on the flavor of @acronym{SQL} @acronym{DBMS} in use. | ||
1223 | As of version @value{VERSION} @command{wydawca} supports only | ||
1224 | @samp{MySQL}, so the configuration file is what is called @dfn{option | ||
1225 | file} in @samp{MySQL} parlance (@pxref{option-files, Using Option | ||
1226 | Files,,mysql,MySQL Manual}). | ||
1227 | |||
1228 | For example, suppose your @file{wydawca.rc} contains the following: | ||
1229 | |||
1230 | @smallexample | ||
1231 | sql default @{ | ||
1232 | config-file /etc/wydawca.mysql; | ||
1233 | config-group wydawca; | ||
1234 | @} | ||
1235 | @end smallexample | ||
1236 | |||
1237 | @noindent | ||
1238 | Then, the @file{/etc/wydawca.mysql} would contain the actual | ||
1239 | parameters for accessing the database, e.g.: | ||
1240 | |||
1241 | @smallexample | ||
1242 | [wydawca] | ||
1243 | socket = /var/db/mysql.sock | ||
1244 | database = savane | ||
1245 | user = savane | ||
1246 | pass = guessme | ||
1247 | @end smallexample | ||
1248 | |||
1249 | Another way to specify database credentials is by using the | ||
1250 | statements described below. If you prefer this way, you will have to | ||
1251 | tighten the permissions of @file{wydawca.rc} so that no third person | ||
1252 | could see the @acronym{SQL} password. The recommended permissions are | ||
1253 | @samp{0600}. | ||
1254 | |||
1207 | @deffn {Config: sql} host @var{hostname}[:@var{port-or-socket}] | 1255 | @deffn {Config: sql} host @var{hostname}[:@var{port-or-socket}] |
1208 | Set the hostname or @acronym{IP} address of the host running the | 1256 | Set the hostname or @acronym{IP} address of the host running the |
1209 | database. Optional @var{port-or-socket} specifies port number (for | 1257 | database. Optional @var{port-or-socket} specifies port number (for |
@@ -1243,6 +1291,22 @@ sql default @{ | |||
1243 | @end group | 1291 | @end group |
1244 | @end smallexample | 1292 | @end smallexample |
1245 | 1293 | ||
1294 | It is possible to combine both methods, e.g.: | ||
1295 | |||
1296 | @smallexample | ||
1297 | @group | ||
1298 | sql default @{ | ||
1299 | config-file /etc/wydawca.sql; | ||
1300 | host project.database.com:3306; | ||
1301 | database savane; | ||
1302 | @} | ||
1303 | @end group | ||
1304 | @end smallexample | ||
1305 | |||
1306 | Then, @command{wydawca} will attempt to obtain the missing | ||
1307 | information (username and password, in this case) from the | ||
1308 | @file{/etc/wydawca.sql} file. | ||
1309 | |||
1246 | @node dictionaries | 1310 | @node dictionaries |
1247 | @section Dictionaries | 1311 | @section Dictionaries |
1248 | @cindex dictionaries | 1312 | @cindex dictionaries |
@@ -1927,7 +1991,7 @@ case $@{WYDAWCA_DIST_FILE@} in | |||
1927 | fmt <<_EOF_ | 1991 | fmt <<_EOF_ |
1928 | The top-level Makefile.in in $@{WYDAWCA_DIST_FILE@} changes mode of | 1992 | The top-level Makefile.in in $@{WYDAWCA_DIST_FILE@} changes mode of |
1929 | all the directories below the build tree to 777 before creating | 1993 | all the directories below the build tree to 777 before creating |
1930 | the tarball. This constitutes a security hole (see CVE-2009-4029[1], | 1994 | the tarball. This constitutes a security hole (see CVE-2009-4029[1], |
1931 | for more details). | 1995 | for more details). |
1932 | 1996 | ||
1933 | Please, rebuild the package using a newer Automake (at least v. 1.11.1) | 1997 | Please, rebuild the package using a newer Automake (at least v. 1.11.1) |
@@ -2822,6 +2886,11 @@ gpg-homedir @var{arg:@i{string}}; | |||
2822 | # @r{Define SQL database}. | 2886 | # @r{Define SQL database}. |
2823 | # @xref{sql}. | 2887 | # @xref{sql}. |
2824 | sql @var{id:@i{string}} @{ | 2888 | sql @var{id:@i{string}} @{ |
2889 | # @r{Set the name of the configuration file to read.} | ||
2890 | config-file @var{name:@i{string}}; | ||
2891 | # @r{Set the name of the configuration file group to use.} | ||
2892 | config-group @var{name:@i{string}}; | ||
2893 | |||
2825 | # @r{Set SQL server hostname or IP address.} | 2894 | # @r{Set SQL server hostname or IP address.} |
2826 | host @var{host:@i{string}}; | 2895 | host @var{host:@i{string}}; |
2827 | 2896 | ||
diff --git a/src/config.c b/src/config.c index 28734d0..e46c2f5 100644 --- a/src/config.c +++ b/src/config.c | |||
@@ -630,6 +630,11 @@ cb_sql (enum grecs_callback_command cmd, | |||
630 | } | 630 | } |
631 | 631 | ||
632 | static struct grecs_keyword sql_kw[] = { | 632 | static struct grecs_keyword sql_kw[] = { |
633 | { "config-file", N_("file"), N_("Read MySQL configuration from <file>"), | ||
634 | grecs_type_string, NULL, offsetof(struct sqlconn, config_file) }, | ||
635 | { "config-group", N_("name"), | ||
636 | N_("Read the named group from the SQL configuration file"), | ||
637 | grecs_type_string, NULL, offsetof(struct sqlconn, config_group) }, | ||
633 | { "host", N_("host"), N_("Set SQL server hostname or IP address"), | 638 | { "host", N_("host"), N_("Set SQL server hostname or IP address"), |
634 | grecs_type_string, NULL, 0, cb_sql_host }, | 639 | grecs_type_string, NULL, 0, cb_sql_host }, |
635 | { "database", N_("dbname"), N_("Set database name"), | 640 | { "database", N_("dbname"), N_("Set database name"), |
@@ -70,12 +70,20 @@ sql_init_dictionary (struct dictionary *dict) | |||
70 | if (conn->initcount++ == 0) | 70 | if (conn->initcount++ == 0) |
71 | { | 71 | { |
72 | mysql_init (&conn->mysql); | 72 | mysql_init (&conn->mysql); |
73 | |||
74 | if (conn->config_file) | ||
75 | mysql_options (&conn->mysql, MYSQL_READ_DEFAULT_FILE, | ||
76 | conn->config_file); | ||
77 | if (conn->config_group) | ||
78 | mysql_options (&conn->mysql, MYSQL_READ_DEFAULT_GROUP, | ||
79 | conn->config_group); | ||
80 | |||
73 | if (conn->cacert) | 81 | if (conn->cacert) |
74 | mysql_ssl_set (&conn->mysql, NULL, NULL, conn->cacert, | 82 | mysql_ssl_set (&conn->mysql, NULL, NULL, conn->cacert, |
75 | NULL, NULL); | 83 | NULL, NULL); |
76 | if (!mysql_real_connect (&conn->mysql, conn->host, conn->user, | 84 | if (!mysql_real_connect (&conn->mysql, conn->host, conn->user, |
77 | conn->password, conn->database, conn->port, | 85 | conn->password, conn->database, conn->port, |
78 | conn->socket, 0)) | 86 | conn->socket, CLIENT_MULTI_RESULTS)) |
79 | { | 87 | { |
80 | logmsg (LOG_ERR, _("failed to connect to database %s: error: %s\n"), | 88 | logmsg (LOG_ERR, _("failed to connect to database %s: error: %s\n"), |
81 | dict->parmv[0], mysql_error (&conn->mysql)); | 89 | dict->parmv[0], mysql_error (&conn->mysql)); |
@@ -19,6 +19,8 @@ | |||
19 | struct sqlconn | 19 | struct sqlconn |
20 | { | 20 | { |
21 | char *ident; | 21 | char *ident; |
22 | char *config_file; | ||
23 | char *config_group; | ||
22 | char *host; | 24 | char *host; |
23 | char *socket; | 25 | char *socket; |
24 | short port; | 26 | short port; |