From 993c0da24cebdb3208def3a25fdaa649788a494a Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@robotics.uk.to>
Date: Sun, 20 Nov 2016 20:39:14 +0000
Subject: [PATCH] Move database password to the password store
---
src/freedombone-app-gnusocial | 2 +-
src/freedombone-app-postactiv | 2 +-
src/freedombone-backup-local | 5 +----
src/freedombone-backup-remote | 5 +----
src/freedombone-pass | 8 ++++----
src/freedombone-repair-database | 3 ++-
src/freedombone-restore-local | 29 +++++++++--------------------
src/freedombone-restore-remote | 28 +++++++++-------------------
src/freedombone-utils-database | 22 +++++++++++++---------
9 files changed, 41 insertions(+), 63 deletions(-)
diff --git a/src/freedombone-app-gnusocial b/src/freedombone-app-gnusocial
index c5682fa5d..f5ee64ebc 100755
--- a/src/freedombone-app-gnusocial
+++ b/src/freedombone-app-gnusocial
@@ -874,7 +874,7 @@ function expire_gnusocial_posts {
echo '' >> $gnusocial_expire_script
echo '$oldate=date(("Y-m-d"), strtotime("-3 months"));' >> $gnusocial_expire_script
echo '$username="root";' >> $gnusocial_expire_script
- echo "\$password=trim(file_get_contents(\"$DATABASE_PASSWORD_FILE\"));" >> $gnusocial_expire_script
+ echo "\$password=shell_exec('${PROJECT_NAME}-pass -u root -a mariadb');" >> $gnusocial_expire_script
echo '$database="gnusocial";' >> $gnusocial_expire_script
echo '' >> $gnusocial_expire_script
echo 'if (!$link = mysql_connect("localhost", $username, $password)) {' >> $gnusocial_expire_script
diff --git a/src/freedombone-app-postactiv b/src/freedombone-app-postactiv
index 5164a9709..db82af0c6 100755
--- a/src/freedombone-app-postactiv
+++ b/src/freedombone-app-postactiv
@@ -607,7 +607,7 @@ function expire_postactiv_posts {
echo '' >> $postactiv_expire_script
echo '$oldate=date(("Y-m-d"), strtotime("-3 months"));' >> $postactiv_expire_script
echo '$username="root";' >> $postactiv_expire_script
- echo "\$password=trim(file_get_contents(\"$DATABASE_PASSWORD_FILE\"));" >> $postactiv_expire_script
+ echo "\$password=shell_exec('${PROJECT_NAME}-pass -u root -a mariadb');" >> $postactiv_expire_script
echo '$database="postactiv";' >> $postactiv_expire_script
echo '' >> $postactiv_expire_script
echo 'if (!$link = mysql_connect("localhost", $username, $password)) {' >> $postactiv_expire_script
diff --git a/src/freedombone-backup-local b/src/freedombone-backup-local
index abdd1399d..279982eb2 100755
--- a/src/freedombone-backup-local
+++ b/src/freedombone-backup-local
@@ -63,10 +63,7 @@ ADMIN_NAME=
# Sites are suspended so that verification should work
SUSPENDED_SITE=
-DATABASE_PASSWORD=''
-if [ -f /root/dbpass ]; then
- DATABASE_PASSWORD=$(cat /root/dbpass)
-fi
+DATABASE_PASSWORD=$(${PROJECT_NAME}-pass -u root -a mariadb)
function make_backup_directory {
# make a backup directory on the drive
diff --git a/src/freedombone-backup-remote b/src/freedombone-backup-remote
index e24e8ed53..2507f3abf 100755
--- a/src/freedombone-backup-remote
+++ b/src/freedombone-backup-remote
@@ -70,10 +70,7 @@ if [ ! -f /home/${ADMIN_USERNAME}/backup.list ]; then
fi
# MariaDB password
-DATABASE_PASSWORD=''
-if [ -f /root/dbpass ]; then
- DATABASE_PASSWORD=$(cat /root/dbpass)
-fi
+DATABASE_PASSWORD=$(${PROJECT_NAME}-pass -u root -a mariadb)
# local directory where the backup will be made
if [ ! -d $SERVER_DIRECTORY ]; then
diff --git a/src/freedombone-pass b/src/freedombone-pass
index 709a333c6..16437eaac 100755
--- a/src/freedombone-pass
+++ b/src/freedombone-pass
@@ -54,7 +54,7 @@ function get_backup_key_id {
grep 'pub ' | awk -F ' ' '{print $2}' | \
awk -F '/' '{print $2}')
if [ ${#MY_BACKUP_KEY_ID} -lt 4 ]; then
- echo $"gpg backup key was not found"
+ echo $"Error: gpg backup key was not found"
return 58213
fi
}
@@ -141,12 +141,12 @@ get_backup_key_id
MASTER_PASSWORD=$(gpg -q --armor --export-secret-key $MY_BACKUP_KEY_ID | sed '/---/d' | sed '/Version/d' | sed '/^$/d')
if [ ! $CURR_USERNAME ]; then
- echo $'No username given'
+ echo $'Error: No username given'
exit 1
fi
if [ ! -d /home/$CURR_USERNAME ]; then
- echo $"User $CURR_USERNAME does not exist"
+ echo $"Error: User $CURR_USERNAME does not exist"
exit 2
fi
@@ -158,7 +158,7 @@ if [ ${REMOVE_APP} ]; then
fi
if [ ! $CURR_APP ]; then
- echo $'No app name given'
+ echo $'Error: No app name given'
exit 3
fi
diff --git a/src/freedombone-repair-database b/src/freedombone-repair-database
index 5f03f3b69..781ae807e 100755
--- a/src/freedombone-repair-database
+++ b/src/freedombone-repair-database
@@ -44,7 +44,8 @@ ADMIN_EMAIL_ADDRESS=${ADMIN_USERNAME}@${HOSTNAME}
# Frequency - daily/weekly
BACKUP_TYPE='daily'
-MYSQL_ROOT_PASSWORD=$(cat /root/dbpass)
+MYSQL_ROOT_PASSWORD=$(${PROJECT_NAME}-pass -u root -a mariadb)
+
TEMPFILE=/root/repair-database-$DATABASE
umask 0077
diff --git a/src/freedombone-restore-local b/src/freedombone-restore-local
index 804fe0a58..1917e7c8b 100755
--- a/src/freedombone-restore-local
+++ b/src/freedombone-restore-local
@@ -66,10 +66,7 @@ if [ -f $COMPLETION_FILE ]; then
fi
# MariaDB password
-DATABASE_PASSWORD=''
-if [ -f /root/dbpass ]; then
- DATABASE_PASSWORD=$(cat /root/dbpass)
-fi
+DATABASE_PASSWORD=$(${PROJECT_NAME}-pass -u root -a mariadb)
function check_backup_exists {
if [ ! -d $USB_MOUNT/backup ]; then
@@ -182,18 +179,14 @@ function restore_mariadb {
echo $"Restoring mysql settings"
temp_restore_dir=/root/tempmariadb
restore_directory_from_usb $temp_restore_dir mariadb
- echo $"Get the MariaDB password from the backup"
- if [ ! -f ${temp_restore_dir}${temp_restore_dir}/db ]; then
- echo $"MariaDB password file not found"
- exit 495
- fi
- BACKUP_MARIADB_PASSWORD=$(cat ${temp_restore_dir}${temp_restore_dir}/db)
- if [[ $BACKUP_MARIADB_PASSWORD != $DATABASE_PASSWORD ]]; then
+ echo $'Obtaining MariaDB password'
+ db_pass=$(${PROJECT_NAME}-pass -u root -a mariadb)
+ if [ ${#db_pass} -gt 0 ]; then
echo $"Restore the MariaDB user table"
- mysqlsuccess=$(mysql -u root --password=$DATABASE_PASSWORD mysql -o < ${temp_restore_dir}${temp_restore_dir}/mysql.sql)
+ mysqlsuccess=$(mysql -u root --password="$DATABASE_PASSWORD" mysql -o < ${temp_restore_dir}${temp_restore_dir}/mysql.sql)
if [ ! "$?" = "0" ]; then
echo $"Try again using the password obtained from backup"
- mysqlsuccess=$(mysql -u root --password=$BACKUP_MARIADB_PASSWORD mysql -o < ${temp_restore_dir}${temp_restore_dir}/mysql.sql)
+ mysqlsuccess=$(mysql -u root --password="$db_pass" mysql -o < ${temp_restore_dir}${temp_restore_dir}/mysql.sql)
fi
if [ ! "$?" = "0" ]; then
echo "$mysqlsuccess"
@@ -204,14 +197,10 @@ function restore_mariadb {
echo $"Restarting database"
service mysql restart
echo $"Change the MariaDB password to the backup version"
- DATABASE_PASSWORD=$BACKUP_MARIADB_PASSWORD
+ DATABASE_PASSWORD="$db_pass"
+ ${PROJECT_NAME}-pass -u root -a mariadb -p "$DATABASE_PASSWORD"
fi
- shred -zu ${temp_restore_dir}${temp_restore_dir}/db
rm -rf $temp_restore_dir
-
- # Change database password file
- echo "$DATABASE_PASSWORD" > /root/dbpass
- chmod 600 /root/dbpass
fi
}
@@ -723,9 +712,9 @@ check_admin_user
copy_gpg_keys
restore_configfiles
same_admin_user
+restore_passwordstore
restore_mariadb
restore_letsencrypt
-restore_passwordstore
restore_tor
restore_mutt_settings
restore_gpg
diff --git a/src/freedombone-restore-remote b/src/freedombone-restore-remote
index dea13968b..14d0d6261 100755
--- a/src/freedombone-restore-remote
+++ b/src/freedombone-restore-remote
@@ -94,10 +94,7 @@ else
fi
# MariaDB password
-DATABASE_PASSWORD=''
-if [ -f /root/dbpass ]; then
- DATABASE_PASSWORD=$(cat /root/dbpass)
-fi
+DATABASE_PASSWORD=$(${PROJECT_NAME}-pass -u root -a mariadb)
function copy_gpg_keys {
echo $"Copying GPG keys from admin user to root"
@@ -176,18 +173,15 @@ function restore_mariadb {
echo $"Restoring MariaDB settings"
temp_restore_dir=/root/tempmariadb
restore_directory_from_friend $temp_restore_dir mariadb
- echo $"Get the MariaDB password from the backup"
- if [ ! -f ${temp_restore_dir}${temp_restore_dir}/db ]; then
- echo $"MariaDB password file not found"
- exit 495
- fi
- BACKUP_MARIADB_PASSWORD=$(cat ${temp_restore_dir}${temp_restore_dir}/db)
- if [[ "$BACKUP_MARIADB_PASSWORD" != "$DATABASE_PASSWORD" ]]; then
+
+ echo $'Obtaining MariaDB password'
+ db_pass=$(${PROJECT_NAME}-pass -u root -a mariadb)
+ if [ ${#db_pass} -gt 0 ]; then
echo $"Restore the MariaDB user table"
mysqlsuccess=$(mysql -u root --password="$DATABASE_PASSWORD" mysql -o < ${temp_restore_dir}${temp_restore_dir}/mysql.sql)
if [ ! "$?" = "0" ]; then
echo $"Try again using the password obtained from backup"
- mysqlsuccess=$(mysql -u root --password="$BACKUP_MARIADB_PASSWORD" mysql -o < ${temp_restore_dir}${temp_restore_dir}/mysql.sql)
+ mysqlsuccess=$(mysql -u root --password="$db_pass" mysql -o < ${temp_restore_dir}${temp_restore_dir}/mysql.sql)
fi
if [ ! "$?" = "0" ]; then
echo "$mysqlsuccess"
@@ -196,14 +190,10 @@ function restore_mariadb {
echo $"Restarting database"
service mysql restart
echo $"Change the MariaDB password to the backup version"
- DATABASE_PASSWORD=$BACKUP_MARIADB_PASSWORD
+ DATABASE_PASSWORD="$db_pass"
+ ${PROJECT_NAME}-pass -u root -a mariadb -p "$DATABASE_PASSWORD"
fi
- shred -zu ${temp_restore_dir}${temp_restore_dir}/db
rm -rf ${temp_restore_dir}
-
- # Change database password file
- echo "$DATABASE_PASSWORD" > /root/dbpass
- chmod 600 /root/dbpass
fi
}
@@ -659,9 +649,9 @@ ${PROJECT_NAME}-recoverkey -u ${ADMIN_USERNAME} -l $BACKUP_LIST
copy_gpg_keys
restore_configfiles
+restore_passwordstore
restore_mariadb
restore_letsencrypt
-restore_passwordstore
restore_mutt_settings
restore_gpg
restore_procmail
diff --git a/src/freedombone-utils-database b/src/freedombone-utils-database
index 16bb5258f..dc95a406f 100755
--- a/src/freedombone-utils-database
+++ b/src/freedombone-utils-database
@@ -34,10 +34,6 @@ MARIADB_PASSWORD=
# Used to indicate whether the backup contains MariaDB databases or not
BACKUP_INCLUDES_DATABASES="no"
-# contains the mysql root password which
-# is used for backups and repair
-DATABASE_PASSWORD_FILE=/root/dbpass
-
function remove_backup_database_local {
database_name=$1
@@ -114,9 +110,18 @@ function backup_database_local {
}
function get_mariadb_password {
+ # migrate from database password file to using the password store
+ DATABASE_PASSWORD_FILE=/root/dbpass
if [ -f $DATABASE_PASSWORD_FILE ]; then
MARIADB_PASSWORD=$(cat $DATABASE_PASSWORD_FILE)
+ ${PROJECT_NAME}-pass -u root -a mariadb -p "$MARIADB_PASSWORD"
+ if [[ "$(${PROJECT_NAME}-pass -u root -a mariadb)" == "$MARIADB_PASSWORD" ]]; then
+ shred -zu $DATABASE_PASSWORD_FILE
+ echo $'MariaDB password moved into password store'
+ return
+ fi
fi
+ MARIADB_PASSWORD=$(${PROJECT_NAME}-pass -u root -a mariadb)
}
function install_mariadb {
@@ -135,8 +140,7 @@ function install_mariadb {
else
MARIADB_PASSWORD="$(openssl rand -base64 32 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
fi
- echo "$MARIADB_PASSWORD" > $DATABASE_PASSWORD_FILE
- chmod 600 $DATABASE_PASSWORD_FILE
+ ${PROJECT_NAME}-pass -u root -a mariadb -p "$MARIADB_PASSWORD"
fi
debconf-set-selections <<< "mariadb-server mariadb-server/root_password password $MARIADB_PASSWORD"
@@ -164,8 +168,7 @@ function backup_databases_script_header {
echo '' >> /usr/bin/backupdatabases
echo "EMAIL='$MY_EMAIL_ADDRESS'" >> /usr/bin/backupdatabases
echo '' >> /usr/bin/backupdatabases
- echo -n 'MYSQL_PASSWORD=$(cat ' >> /usr/bin/backupdatabases
- echo "$DATABASE_PASSWORD_FILE)" >> /usr/bin/backupdatabases
+ echo "MYSQL_PASSWORD=\$(${PROJECT_NAME}-pass -u root -a mariadb)" >> /usr/bin/backupdatabases
echo 'umask 0077' >> /usr/bin/backupdatabases
echo '' >> /usr/bin/backupdatabases
echo '# exit if we are backing up to friends servers' >> /usr/bin/backupdatabases
@@ -207,7 +210,8 @@ function repair_databases_script {
return
fi
- if [ ! -f $DATABASE_PASSWORD_FILE ]; then
+ db_pass=$(${PROJECT_NAME}-pass -u root -p mariadb)
+ if [[ "$db_pass" == 'Error:'* ]]; then
return
fi
--
GitLab