[Dbconfig-common-devel] Re: debian-sys-maint now managed by the package dbconfig-common

Georges Khaznadar georges.khaznadar at free.fr
Thu Jun 8 23:13:12 UTC 2006


sean finney wrote:
> >           if set to "debian-sys-maint", dbconfig-common will check if the
> >           database type is mysql, and if debian-sys-maint's account is
> >           fully privileged.  If so, there will be no prompt to ask the
> >           master password.  If debian-sys-maint's account is less
> >           privileged, <dbc_dbadmin> will fall back to its default value:
> >           <dbc_default_admin>.
> 
> i'm curious how you determine whether the account is fully privileged.
> also, how this works when talking to a remote database, and when the
> account doesn't exist at all.

# Count the debian-sys-maint rows in mysql.user that hold every global privilege.
debian_sys_maint_is_master=$(mysql --defaults-extra-file=/etc/mysql/debian.cnf mysql -e "
  select count(*) from user where User='debian-sys-maint'
  AND Select_priv='Y' AND Insert_priv='Y' AND Update_priv='Y' AND Delete_priv='Y'
  AND Create_priv='Y' AND Drop_priv='Y' AND Reload_priv='Y' AND Shutdown_priv='Y'
  AND Process_priv='Y' AND File_priv='Y' AND Grant_priv='Y' AND References_priv='Y'
  AND Index_priv='Y' AND Alter_priv='Y' AND Show_db_priv='Y' AND Super_priv='Y'
  AND Create_tmp_table_priv='Y' AND Lock_tables_priv='Y' AND Execute_priv='Y'
  AND Repl_slave_priv='Y' AND Repl_client_priv='Y'" | tail -1)

If this variable is assigned the value 1, the account exists and has enough
privileges.

Of course this approach makes no sense if the database must be installed
on another host. However, most of the Debian packages which I know to install
databases do it on localhost.

> 
> >      dbc_generate_include_noUCF (used in <postinst>)
> >           when this variable is set to something like "true", it enforces
> >           overwriting older include files.
> 
> why would you want to do that, out of curiosity?

For gnuedu, the pair (dbuser, dbpass) is just necessary for enabling the
webserver to access the database. Allowing the administrator to choose
her password as dbpass rather than the one randomly made by pwgen adds 
no bonus.

So when the config file is written, if it contains no more than the
accreditations to use the database, there is no benefit to keep a file
modified by hand.

As the password for the database is generated randomly, after a cycle
install/purge/install, there is a question asked to determine whether the
config include file should be modified [N]. The default answer is dangerous,
because keeping the obsolete random password makes the new installation
useless. Then bypassing ucf is mandatory.

> > Sean, please confirm or infirm whether these new features may be included
> > in your upstream package.
> 
> could you send me a diff against the version from which you modified it?

It has been uploaded at 
http://debian.ofset.org/dists/etch/main/source/dbconfig-common.diff

> 
> in any event, i'd highly suggest subscribing to
> dbconfig-common-devel at lists.alioth.debian.org (i'm cc'ing the list
> with this email), and continuing the conversation there.

done.

Best wishes,			Georges.
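
The check described above, with the cases sean finney asks about (remote server, missing account or credentials file) handled explicitly. This is an added example, not part of the original email and not dbconfig-common code; the function names and the three arguments are assumptions, and the WHERE clause is built from a list so that every privilege column gets its ='Y' test.

```shell
#!/bin/sh
# Added example (not dbconfig-common code). build_priv_query and
# choose_dbadmin are hypothetical names; the column list is the one
# from the query in this thread.

PRIVS="Select Insert Update Delete Create Drop Reload Shutdown Process File
Grant References Index Alter Show_db Super Create_tmp_table Lock_tables
Execute Repl_slave Repl_client"

# Build the query from the list so no column can lose its ='Y' comparison.
build_priv_query() {
    q="SELECT COUNT(*) FROM user WHERE User='debian-sys-maint'"
    for p in $PRIVS; do
        q="$q AND ${p}_priv='Y'"
    done
    printf '%s\n' "$q"
}

# choose_dbadmin HOST DEFAULTS_FILE DEFAULT_ADMIN
# Prints the admin account to use: debian-sys-maint only when the local
# server reports exactly one fully privileged row, otherwise DEFAULT_ADMIN.
choose_dbadmin() {
    host=$1 cnf=$2 fallback=$3
    # Remote server: the local debian.cnf says nothing about its accounts.
    case "$host" in
        ""|localhost|127.0.0.1) ;;
        *) printf '%s\n' "$fallback"; return 0 ;;
    esac
    # No readable credentials file: server package absent or caller not root.
    [ -r "$cnf" ] || { printf '%s\n' "$fallback"; return 0; }
    # -N drops the header row, -B gives plain batch output.
    # A failed connection leaves n empty, which falls through to the default.
    n=$(mysql --defaults-extra-file="$cnf" -N -B mysql \
        -e "$(build_priv_query)" 2>/dev/null) || n=
    # 0 covers both "account does not exist" and "account is less privileged".
    if [ "$n" = 1 ]; then
        printf '%s\n' debian-sys-maint
    else
        printf '%s\n' "$fallback"
    fi
}
```
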
