From d763247df445a0e485746f49453a024e5285e660 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Mon, 1 Mar 2021 19:11:41 +0100
Subject: [PATCH] No need for mysql root password (#912)
* Get rid of /etc/yunohost/mysql
* Get rid of restore hook for mysql password
* Tab -> spaces
* declare->local lost while merging conflicts etc
* Gotta keep that var
---
 data/helpers.d/mysql | 26 +++++++++-------------
 data/hooks/conf_regen/34-mysql | 33 +++++++++++++++++++---------
 data/hooks/restore/11-conf_ynh_mysql | 5 -----
 src/yunohost/tests/test_apps.py | 15 ++++---------
 4 files changed, 37 insertions(+), 42 deletions(-)
 delete mode 100644 data/hooks/restore/11-conf_ynh_mysql
diff --git a/data/helpers.d/mysql b/data/helpers.d/mysql
index 05f75e0a2..6808441b7 100644
--- a/data/helpers.d/mysql
+++ b/data/helpers.d/mysql
@@ -1,7 +1,5 @@
 #!/bin/bash
-MYSQL_ROOT_PWD_FILE=/etc/yunohost/mysql
-
 # Open a connection as a user
 #
 # example: ynh_mysql_connect_as --user="user" --password="pass" <<< "UPDATE ...;"
@@ -49,8 +47,7 @@ ynh_mysql_execute_as_root() {
 database="--database=$database"
 fi
- ynh_mysql_connect_as --user="root" --password="$(cat $MYSQL_ROOT_PWD_FILE)" \
- $database <<< "$sql"
+ mysql -B "$database" <<< "$sql"
 }
 # Execute a command from a file as root user
@@ -75,9 +72,7 @@ ynh_mysql_execute_file_as_root() {
 database="--database=$database"
 fi
-
- ynh_mysql_connect_as --user="root" --password="$(cat $MYSQL_ROOT_PWD_FILE)" \
- $database < "$file"
+ mysql -B "$database" < "$file"
 }
 # Create a database and grant optionnaly privilegies to a user
@@ -140,7 +135,7 @@ ynh_mysql_dump_db() {
 # Manage arguments with getopts
 ynh_handle_getopts_args "$@"
- mysqldump --user="root" --password="$(cat $MYSQL_ROOT_PWD_FILE)" --single-transaction --skip-dump-date "$database"
+ mysqldump --single-transaction --skip-dump-date "$database"
 }
 # Create a user
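Review bot: In ynh_mysql_execute_as_root the new `mysql -B "$database"` passes an empty-string argument whenever no database was given, whereas the old unquoted `$database` expanded to nothing; ynh_mysql_execute_file_as_root has the same line. `mysql -B ${database:+"$database"} <<< "$sql"` keeps the quoting and drops the argument when it is empty. The `if` that sets `database` starts outside both hunks, so this assumes the variable is left empty when the option is absent, and the client may well tolerate the empty argument today.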
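Review bot: ynh_mysql_dump_db, like the two execute helpers before it, now authenticates purely through the caller's socket identity, and nothing on the visible lines says so. A line in each helper's header comment such as `# Requires root: authentication relies on unix_socket for root@localhost, no password is read` would tell app packagers why the call fails when it is run as another user. The header comments themselves lie outside the hunks.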
@@ -214,12 +209,13 @@ ynh_mysql_setup_db () {
 # Manage arguments with getopts
 ynh_handle_getopts_args "$@"
- local new_db_pwd=$(ynh_string_random) # Generate a random password
+ # Generate a random password
+ local new_db_pwd=$(ynh_string_random)
 # If $db_pwd is not provided, use new_db_pwd instead for db_pwd
 db_pwd="${db_pwd:-$new_db_pwd}"
- ynh_mysql_create_db "$db_name" "$db_user" "$db_pwd" # Create the database
- ynh_app_setting_set --app=$app --key=mysqlpwd --value=$db_pwd # Store the password in the app's config
+ ynh_mysql_create_db "$db_name" "$db_user" "$db_pwd"
+ ynh_app_setting_set --app=$app --key=mysqlpwd --value=$db_pwd
 }
 # Remove a database if it exists, and the associated user
@@ -232,16 +228,14 @@ ynh_mysql_setup_db () {
 ynh_mysql_remove_db () {
 # Declare an array to define the options of this helper.
 local legacy_args=un
- local -A args_array=( [u]=db_user= [n]=db_name= )
+ local -Ar args_array=( [u]=db_user= [n]=db_name= )
 local db_user
 local db_name
 # Manage arguments with getopts
 ynh_handle_getopts_args "$@"
- local mysql_root_password=$(cat $MYSQL_ROOT_PWD_FILE)
- if mysqlshow --user=root --password=$mysql_root_password | grep --quiet "^| $db_name"
- then # Check if the database exists
- ynh_mysql_drop_db $db_name # Remove the database
+ if mysqlshow | grep -q "^| $db_name "; then
+ ynh_mysql_drop_db $db_name
 else
 ynh_print_warn --message="Database $db_name not found"
 fi
diff --git a/data/hooks/conf_regen/34-mysql b/data/hooks/conf_regen/34-mysql
index d9374bbf5..6c9694796 100755
--- a/data/hooks/conf_regen/34-mysql
+++ b/data/hooks/conf_regen/34-mysql
@@ -1,7 +1,6 @@
 #!/bin/bash
 set -e
-MYSQL_PKG="$(dpkg --list | sed -ne 's/^ii \(mariadb-server-[[:digit:].]\+\) .*$/\1/p')"
 . /usr/share/yunohost/helpers
 do_pre_regen() {
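Review bot: The rewritten `ynh_app_setting_set` line in ynh_mysql_setup_db still expands `$app` and `$db_pwd` unquoted, so a caller-supplied password containing whitespace or glob characters is word-split before it is stored; `ynh_app_setting_set --app="$app" --key=mysqlpwd --value="$db_pwd"` avoids that. The same applies to `ynh_mysql_drop_db $db_name` in the ynh_mysql_remove_db hunk. The inline comment dropped from this line was the only note that the password is persisted in the app settings, so a short `# Store the password in the app's settings` above it is worth keeping.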
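Review bot: In ynh_mysql_remove_db, `$db_name` is interpolated into the grep pattern as a regular expression, so a name containing `.` or another metacharacter can match a different row of the mysqlshow table; the added trailing space only rules out prefix matches. A fixed-string match closes that gap, `if mysqlshow | grep -qF "| $db_name "; then`, and stays effectively anchored because `| ` followed by a name only appears at the start of a row. This matters only if database names are not already restricted to safe characters upstream, which is not visible in the hunk.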
@@ -20,6 +19,7 @@ do_post_regen() {
 # dpkg-reconfigure will initialize mysql (if it ain't already)
 # It enabled auth_socket for root, so no need to define any root password...
 # c.f. : cat /var/lib/dpkg/info/mariadb-server-10.3.postinst | grep install_db -C3
+ MYSQL_PKG="$(dpkg --list | sed -ne 's/^ii \(mariadb-server-[[:digit:].]\+\) .*$/\1/p')"
 dpkg-reconfigure -freadline -u "$MYSQL_PKG" 2>&1
 systemctl -q is-active mariadb.service \
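Review bot: `MYSQL_PKG` is used on the next line without checking that the sed filter matched exactly one package, so an empty or multi-line value goes straight to `dpkg-reconfigure`. The script runs under `set -e`, so that failure ends the hook with no message of its own. A guard right after the assignment would make the cause explicit, `[ -n "$MYSQL_PKG" ] || { echo "No installed mariadb-server package found" >&2; exit 1; }`. Whether the variable should also be declared `local` depends on whether anything outside do_post_regen reads it; the function body extends beyond the hunk.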
@@ -27,17 +27,30 @@ do_post_regen() {
 sleep 5
- echo "" | mysql && echo "Can't connect to mysql using unix_socket auth ... something went wrong during initial configuration of mysql !?"
+ echo "" | mysql && echo "Can't connect to mysql using unix_socket auth ... something went wrong during initial configuration of mysql !?" >&2
 fi
- if [ ! -e /etc/yunohost/mysql ]
- then
- # Dummy password that's not actually used nor meaningful ...
- # (because mysql is supposed to be configured to use unix_socket on new setups)
- # but keeping it for legacy
- # until we merge https://github.com/YunoHost/yunohost/pull/912 ...
- ynh_string_random 10 > /etc/yunohost/mysql
- chmod 400 /etc/yunohost/mysql
+ # Legacy code to get rid of /etc/yunohost/mysql ...
+ # Nowadays, we can simply run mysql while being run as root of unix_socket/auth_socket is enabled...
+ if [ -f /etc/yunohost/mysql ]; then
+
+ # This is a trick to check if we're able to use mysql without password
+ # Expect instances installed in stretch to already have unix_socket
+ #configured, but not old instances from the jessie/wheezy era
+ if ! echo "" | mysql
+ then
+ password="$(cat /etc/yunohost/mysql)"
+ # Enable plugin unix_socket for root on localhost
+ mysql -u root -p"$password" <<< "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED WITH unix_socket WITH GRANT OPTION;"
+ fi
+
+ # If now we're able to login without password, drop the mysql password
+ if echo "" | mysql
+ then
+ rm /etc/yunohost/mysql
+ else
+ echo "Can't connect to mysql using unix_socket auth ... something went wrong while trying to get rid of mysql password !?" >&2
+ fi
 fi
 # mysql is supposed to be an alias to mariadb... but in some weird case is not
diff --git a/data/hooks/restore/11-conf_ynh_mysql b/data/hooks/restore/11-conf_ynh_mysql
deleted file mode 100644
index 11353425a..000000000
--- a/data/hooks/restore/11-conf_ynh_mysql
+++ /dev/null
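Review bot: The migration branch puts the root password on the command line (`mysql -u root -p"$password"`), where other local users can read it from the process list while the client starts. An option file keeps it off argv, for example `mysql --defaults-extra-file=<(printf '[client]\nuser=root\npassword="%s"\n' "$password") <<< "GRANT …"`. The script also runs under `set -e`, so if the stored password is wrong (the removed code wrote a dummy one on newer installs) the GRANT aborts the hook before the error message below it is printed; appending `|| true` to the GRANT lets the second check report the problem. The first changed line still reads `echo "" | mysql && echo "Can't connect …" >&2`, which prints the failure message when the connection succeeds, so `||` looks intended there.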
@@ -1,5 +0,0 @@
-# We don't backup/restore mysql password anymore
-# c.f. https://github.com/YunoHost/yunohost/pull/912
-
-# This is a dummy empty file as a workaround for
-# https://github.com/YunoHost/issues/issues/1553 until it is fixed
diff --git a/src/yunohost/tests/test_apps.py b/src/yunohost/tests/test_apps.py
index ae8a4829b..b9e9e7530 100644
--- a/src/yunohost/tests/test_apps.py
+++ b/src/yunohost/tests/test_apps.py
@@ -55,18 +55,11 @@ def clean():
 for folderpath in glob.glob("/var/www/*%s*" % test_app):
 shutil.rmtree(folderpath, ignore_errors=True)
- os.system(
- "bash -c \"mysql -u root --password=$(cat /etc/yunohost/mysql) 2>/dev/null <<< 'DROP DATABASE %s' \""
- % test_app
- )
- os.system(
- "bash -c \"mysql -u root --password=$(cat /etc/yunohost/mysql) 2>/dev/null <<< 'DROP USER %s@localhost'\""
- % test_app
- )
+ os.system("bash -c \"mysql -B 2>/dev/null <<< 'DROP DATABASE %s' \"" % test_app)
+ os.system("bash -c \"mysql -B 2>/dev/null <<< 'DROP USER %s@localhost'\"" % test_app)
- os.system(
- "systemctl reset-failed nginx"
- ) # Reset failed quota for service to avoid running into start-limit rate ?
+ # Reset failed quota for service to avoid running into start-limit rate ?
+ os.system("systemctl reset-failed nginx")
 os.system("systemctl start nginx")
 # Clean permissions
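Review bot: The two `mysql -B` cleanup calls in clean() discard the exit status and send stderr to /dev/null, so if socket authentication is not available to the user running the tests the DROP statements fail silently and state from a previous run stays behind. They also build a nested `bash -c` string around `test_app`, which only stays safe while that value is a fixed test constant. An argument list removes the shell layer and lets real failures surface, e.g. `subprocess.run(["mysql", "-B", "-e", "DROP DATABASE IF EXISTS %s" % test_app], check=True)`, and likewise with `DROP USER IF EXISTS` for the second call. This needs `import subprocess` if the module does not already have it, and clean() continues outside the hunk.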