Almost never use ' in a password

Started by shealey, October 31, 2011, 12:57:40 PM


shealey

Well this is being fun.

I decided to use passphrases for added security. http://xkcd.com/936/ sums up nicely why this is sane.

My squirrelmail passphrase had the word don't in it and my roundcube a possessive 's (or maybe it was the other way round); in any case these caused some exciting things to happen.

Running 'toaster_setup -s squirrelmail' threw a SQL error but 'toaster_setup -s roundcube' seemed to run ok.

So I then edited the toaster-watcher.conf to remove the 's from the passwords and reran 'toaster_setup -s squirrelmail', which worked. I also reran 'toaster_setup -s roundcube', which exited pretty quickly claiming that the roundcube database access was configured.

After finishing the install, which includes running toaster-watcher.pl, I tried to test the webmails:

Roundcube was throwing a php error (well, segfaulting php) and the issue was a ' in the password in config.php

Squirrelmail doesn't error but neither does it work.

Now the issue seems to me to be that even after changing the passwords in toaster-watcher.conf neither toaster-watcher.pl nor toaster_setup.pl wants to change them in the php config files or in mysql's mysql table. Even after dropping the mysql table and reinstalling mysql 'toaster_setup -s roundcube' still insists that "roundcube database permission already configured".

I appreciate that this is wholly my idiot fault but if there was a -f for force option to force toaster_setup.pl to redo the db permissions that would help, and surely toaster-watcher.pl should check to see that it can access the databases as the users who are meant to access them and fix issues it finds if possible.

I'm also slightly at a loss as to what to do to rectify my problem, without hand-hacking the permissions for each of the webservices. I'm just about to try uninstalling both roundcube and squirrelmail from the ports tree and hoping that then toaster_setup.pl will recreate the database access.

I'll let you know how that goes.

have fun

M

shealey

Well it didn't go well.

I've reinstalled both roundcube and squirrelmail but neither has database access.

running


[root@elen /usr/local/src/]# toaster_setup.pl -s vpopmysql
file_write: wrote 2 lines to /usr/local/vpopmail/etc/vpopmail.mysql
DBI is already installed.
DBD::mysql is already installed.
DBI connect('database=vpopmail;host=localhost;port=3306','vpopmail',...) failed: Access denied for user 'vpopmail'@'localhost' (using password: YES) at /usr/local/lib/perl5/site_perl/5.10.1/Mail/Toaster/Mysql.pm line 132
DBI is already installed.
DBD::mysql is already installed.

/usr/local/bin/toaster_setup.pl script execution complete.


so it looks like all my db access is screwed so I'll have to hand-hack the permissions, or reinstall the toaster from the ground up.

M

matt

Toaster_setup is really a tool for building a mail server. It's not so much designed for "I changed my config, go do everything necessary to make it work."

Rather than forcing its will upon the toaster owner, it merely attempts to build/install anything missing, and when possible, make the necessary configuration changes. The latter can get interesting, when people pre-install or reinstall software, or make configuration changes after the fact. Toaster_setup just isn't smart enough to handle all those many edge cases.

However, toaster-watcher is where stuff like this has been slowly appearing. After I see more than one or two people having a particular problem, I add it to my ToDo list and eventually, a new release appears that solves the problem.


shealey

Thanks for the clarification.

If I find a supply of round tuits I will write you a "check all the passwords for database access" script to be added to toaster-watcher.

M

matt

To work properly, the script will need to check the value of the password settings in their respective config files, make changes to those config files as necessary, and also attempt to log into mysql with the correct credentials. If the login fails, then log into mysql with root privileges and update the password. Finally, test to make sure the mysql login now works as expected.

Bonus points for removing any stale login permissions from mysql before the appropriate GRANTs.

Extra Super Special Bonus Points if you write it in such a way that it works for every database enabled application (spamassassin, roundcube, squirrelmail, phpmyadmin, munin plugins, etc). :)
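
The SQL error and the broken config.php reported at the top of this thread both come from a passphrase being placed between single quotes without escaping. As an added example (not Mail::Toaster code and not written by anyone in this thread), the Python below renders a passphrase as a MySQL literal and as a PHP single-quoted literal, then parses each back to confirm the value survives; the sample passphrase and all function names are constructed, and MySQL's default sql_mode is assumed.

```python
# Added example, not Mail::Toaster code. Assumes MySQL's default sql_mode,
# where backslash is an escape character inside string literals.
PASSWORD = "correct horse don't staple"  # constructed sample passphrase

def naive(value):
    # What breaks: the value pasted between quotes with no escaping.
    return "'" + value + "'"

def php_single_quoted(value):
    # PHP single-quoted literal: only backslash and ' need a backslash.
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def mysql_string(value):
    # MySQL string literal: escape backslash, double the single quote.
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"

def read_literal(text, doubled_quote):
    # Parse one leading single-quoted literal and return (value, leftover).
    # doubled_quote=True applies the SQL rule that '' means one quote.
    # Only backslash-backslash and backslash-quote escapes are modelled;
    # any other backslash sequence passes through unchanged.
    if not text.startswith("'"):
        raise ValueError("literal must start with a single quote")
    out, i = [], 1
    while i < len(text):
        ch, nxt = text[i], text[i + 1:i + 2]
        if ch == "\\" and nxt in ("\\", "'"):
            out.append(nxt)
            i += 2
        elif ch == "'" and doubled_quote and nxt == "'":
            out.append("'")
            i += 2
        elif ch == "'":
            return "".join(out), text[i + 1:]  # closing quote reached
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated literal")

if __name__ == "__main__":
    for label, rendered, sql in (
        ("naive", naive(PASSWORD), True),
        ("mysql", mysql_string(PASSWORD), True),
        ("php", php_single_quoted(PASSWORD), False),
    ):
        value, leftover = read_literal(rendered, sql)
        status = "ok" if (value, leftover) == (PASSWORD, "") else "BROKEN"
        print(f"{label:5} {rendered}  ->  {value!r} + {leftover!r}  [{status}]")
```

With a live database connection, the driver's own quoting (for Perl DBI, `$dbh->quote` or placeholders) takes the place of `mysql_string`.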