This repository has been archived by the owner on Jan 15, 2019. It is now read-only.

[dev.icinga.com #4565] create_mysqldb.sh saves db password in globally readable log #1329

Closed
icinga-migration opened this issue Aug 15, 2013 · 19 comments

@icinga-migration

This issue has been migrated from Redmine: https://dev.icinga.com/issues/4565

Created by theh on 2013-08-15 11:14:17 +00:00

Assignee: Tommi
Status: Resolved (closed on 2014-01-03 17:10:09 +00:00)
Target Version: 1.11
Last Update: 2014-12-08 14:38:14 +00:00 (in Redmine)

Icinga Version: 1.10.0
OS Version: any

If create_mysqldb.sh (and probably the other db creation scripts) is used to set up the db, a log is created which contains the password of the db. This log is stored in the same directory as the script, thus it is normally globally readable.

Changesets

2013-09-14 08:59:10 +00:00 by Tommi cdad5c5

idoutils: add option for user defined mysql password to create_mysql.sh #4565
refs: #4565

2014-01-03 15:15:58 +00:00 by (unknown) 1c149de

Merge branch 'fix/createdb-logging-rights-4565' into next

Fixes #4565
@icinga-migration

Updated by Tommi on 2013-08-18 18:54:55 +00:00

  • Status changed from New to Feedback
  • Done % changed from 0 to 90

Hopefully fixed in https://git.icinga.org/?p=icinga-core.git;a=commit;h=238b3a48d7dd442a1cae9ce33abd03c8c1a4587d. Please check it.

@icinga-migration

Updated by theh on 2013-08-21 08:01:02 +00:00

Hey, thanks for the quick reply. It does work, but there would still be the issue that the icinga db user password would be saved in the script.

I would add something like the following to the script so that the password could be changed by the user but is still saved in the log which is only accessible by root thanks to your patch.

echo -n "Enter the new password for the new database user $DBUSER : "
# -r keeps backslashes in the password intact
read -r DBPASS
if [ -z "$DBPASS" ]; then
    # error message goes to stderr
    echo "No password is not an option" >&2
    exit 1
else
    echo "You can find the password (again) in the logfile generated at the end."
fi

@icinga-migration

Updated by theh on 2013-08-26 09:55:42 +00:00

  • Status changed from Feedback to 8

Would this change be Ok? This would also prevent having a default password for icinga db users.

@icinga-migration

Updated by mfriedrich on 2013-08-26 11:12:06 +00:00

Isn't that the wrong section?

@icinga-migration

Updated by Tommi on 2013-08-26 13:32:44 +00:00

I would like to stay with the default password because it is mentioned in all of the documentation. But I can add an additional question for a user-supplied password. The "create user" command can be moved out of the logged script part, therefore the password should not appear in the logfile.

@icinga-migration

Updated by Tommi on 2013-08-26 13:35:20 +00:00

  • Project changed from 14 to 18
  • Category set to 26
  • Priority changed from High to Normal
  • (unknown custom field) set to 1
  • (unknown custom field) set to MySQL
  • (unknown custom field) set to 5

Changed section and priority as it isn't a serious show stopper.

@icinga-migration

Updated by theh on 2013-08-28 07:37:53 +00:00

What about:

echo -n "Enter the new password for the new database user $DBUSER (press enter to use the default) : "
# -r keeps backslashes in the password intact
read -r TEMPPASS
if [ -z "$TEMPPASS" ]; then
    echo "Using the default password $DBPASS"
else
    DBPASS=$TEMPPASS
    echo "You can find the password (again) in the logfile generated at the end."
fi

@icinga-migration

Updated by Tommi on 2013-09-02 18:43:31 +00:00

Looks better, but the script should optionally not ask for anything (used by an unattended zero-click installation).

@icinga-migration

Updated by theh on 2013-09-03 06:40:27 +00:00

I don't get it, right now it always asks for the root db password.

@icinga-migration

Updated by Tommi on 2013-09-03 18:36:56 +00:00

echo ""|create_maysql.sh

But this works only for the first read. Don't know how to fill in further inputs.

@icinga-migration

Updated by theh on 2013-09-09 08:32:28 +00:00

Ok, what about this:

echo -n "Enter the new password for the new database user $DBUSER (press enter to use the default) : "
# only read when stdin is a terminal, so piped/unattended runs are not blocked
if test -t 0; then
    read -r TEMPPASS
fi
if [ -z "$TEMPPASS" ]; then
    echo "Using the default password $DBPASS"
else
    DBPASS=$TEMPPASS
    echo "You can find the password (again) in the logfile generated at the end."
fi
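
The ideas discussed in this thread so far (a log only its owner can read, a prompt that is skipped when stdin is not a terminal, and a password that never reaches the logfile), put together as an added example. It is not the code from the icinga-core changesets; the function names, the sample SQL and the sample password are constructed for illustration.

```shell
#!/bin/sh
# Added example, not icinga-core code; all function names are hypothetical.

# Create the log owner-only *before* anything is written to it.
open_private_log() {
    rm -f -- "$1"
    ( umask 077 && : > "$1" ) && chmod 600 -- "$1"
}

# Ask only when stdin is a terminal, so unattended runs keep the default.
# Prompt goes to stderr; stdout carries nothing but the chosen password.
choose_password() {
    cp_default=$1 cp_input=
    if [ -t 0 ]; then
        printf 'Password for the new db user (enter = default): ' >&2
        cp_tty=$(stty -g); stty -echo        # do not echo the secret
        IFS= read -r cp_input || true
        stty "$cp_tty"; printf '\n' >&2
    fi
    printf '%s' "${cp_input:-$cp_default}"
}

# Print TEXT with every literal occurrence of SECRET replaced.
redact() {   # usage: redact SECRET TEXT
    rd_secret=$1 rd_rest=$2 rd_out=
    while [ -n "$rd_secret" ]; do
        case $rd_rest in
            *"$rd_secret"*)
                rd_out=$rd_out${rd_rest%%"$rd_secret"*}'[REDACTED]'
                rd_rest=${rd_rest#*"$rd_secret"} ;;
            *) break ;;
        esac
    done
    printf '%s\n' "$rd_out$rd_rest"
}

# Constructed sample run: stdin is /dev/null, i.e. the unattended case.
demo() {
    demo_log=$(mktemp -d)/create_db.log
    open_private_log "$demo_log"
    demo_pw=$(choose_password 'constructed-default' </dev/null)
    redact "$demo_pw" "CREATE USER 'dbuser' IDENTIFIED BY '$demo_pw';" >> "$demo_log"
    printf '%s\n' "$demo_log"
}

cat "$(demo)"
```

The quoted expansions in `redact` match the password literally, so characters such as `*` or `\` in it are not treated as glob patterns.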

@icinga-migration

Updated by theh on 2013-09-09 08:33:35 +00:00

Btw. where else would the password need to be changed if the default isn't used?

@icinga-migration

Updated by Tommi on 2013-09-14 09:19:37 +00:00

Added a similar option to create_mysql.sh in changeset cdad5c5. It also allows supplying the passwords as parameters. Please try it out.

Changed defaults need to be added to ido2db.cfg (usually located in /etc/icinga), where all database settings are defined.

@icinga-migration

Updated by theh on 2013-10-30 09:46:46 +00:00

I have tested your latest changes and they do work fine, thanks.
Will these changes be released with the next Icinga version?

@icinga-migration

Updated by Tommi on 2013-10-30 16:52:36 +00:00

  • Status changed from 8 to Resolved
  • Done % changed from 90 to 100

dnsmichi decides which version. Maybe it fits already to the next bugfix release. I'm setting this issue to resolved.

@icinga-migration

Updated by mfriedrich on 2013-10-30 16:59:55 +00:00

  • Status changed from Resolved to Feedback
  • Target Version set to 1.11

Unmerged commits and their issues must not be resolved.

@icinga-migration

Updated by mfriedrich on 2014-01-03 15:16:18 +00:00

  • Is Private changed from 1 to 0

@icinga-migration

Updated by Anonymous on 2014-01-03 17:10:09 +00:00

  • Status changed from Feedback to Resolved

Applied in changeset icinga-core:1c149de98110d60c9822e833168412ad481f60c2.

@icinga-migration

Updated by mfriedrich on 2014-12-08 14:38:14 +00:00

  • Project changed from 18 to Core, Classic UI, IDOUtils
  • Category changed from 26 to IDOUtils
  • Icinga Version changed from 1 to 1
  • OS Version set to any
