[Dbconfig-common-devel] Re: debian-sys-maint now managed by the package dbconfig-common

sean finney seanius at debian.org
Fri Jun 9 07:54:10 UTC 2006


hey georges,

On Fri, Jun 09, 2006 at 01:13:12AM +0200, Georges Khaznadar wrote:
> > i'm curious how you determine whether the account is fully privileged.
> > also, how this works when talking to a remote database, and when the
> > account doesn't exist at all.
> 
> debian_sys_maint_is_master=$(mysql --defaults-extra-file=/etc/mysql/debian.cnf mysql -e "select count(*) from user where User='debian-sys-maint' AND Select_priv='Y' AND Insert_priv='Y' AND Update_priv='Y' AND Delete_priv='Y' AND Create_priv='Y' AND Drop_priv='Y' AND Reload_priv='Y' AND Shutdown_priv='Y' AND Process_priv='Y' AND File_priv='Y' AND Grant_priv='Y' AND References_priv='Y' AND Index_priv='Y' AND Alter_priv='Y' AND Show_db_priv='Y' AND Super_priv='Y' AND Create_tmp_table_priv='Y' AND Lock_tables_priv='Y' AND Execute_priv='Y' AND Repl_slave_priv='Y' AND Repl_client_priv='Y'"|tail -1)
> 
> if this variable is assigned the value 1, the account exists and has enough
> privileges.

okay, that's pretty cool.   i think i'm open to doing this; but instead
of having a packager specify some option in the config script, i think
it could even be done automatically.  this would require a small amount
of changes to how things are done now, but i'd been planning some of
these anyway.  this is what i envision:

1 - no longer prompt for the dbadmin password in the config script
2 - have the dbadmin account name default to unset
3 - in the postinst (and any other part of dbc that needs to run
    stuff as dbadmin):
    - if the dbadmin account name is unset (default)
      - if talking to a local server and the debian-sys-maint account
        exists with sufficient privileges, use it as the dbadmin
      - otherwise use root as the dbadmin account
    - otherwise if we can connect as dbadmin (root) without a password, do that
    - otherwise prompt for the dbadmin password

i've been meaning to do (1) anyway, because there are some corner-cases
where it will otherwise ask for the admin password when it's not needed.
adding in (3) after making the changes of (1) and (2) wouldn't be too
hard (i'm doing something similar in the pgsql support).  what do
you think?

> So when the config file is written, if it contains no more than the
> accreditations to use the database, there is no benefit to keep a file
> modified by hand.

except that policy requires it.  generally overwriting config files is
not looked upon very fondly by admins and the debian release managers :)

*however*, if this is something you want to do, it's still possible to
do it without this option.  in your postinst script, after calling
dbc_go, you have everything you need to do this yourself.  

the dbc_generate_include_foo stuff is basically a wrapper around a bunch
of logic on how to call /usr/sbin/dbconfig-generate-include, and you
could always call it yourself without the -U option.  for example,
something like this in your postinst:

	. /usr/share/dbconfig-common/dpkg/postinst
	dbc_go PACKAGE "$@"

	dbconfig-generate-include -f php /etc/dbconfig-common/PACKAGE.conf > foofile

would do what you want i'm pretty sure.  keep in mind if you're doing
this for a configuration file, it will generally be considered buggy
if you plan on having this package in debian's archive.  i should also
probably remove the commented blurb about the file being managed by
ucf if the file isn't actually managed by ucf :)

> As the password for the database is generated randomly, after a cycle
> install/purge/install, there is a question asked to determine whether the
> config include file should be modified [N]. The default answer is dangerous,
> because keeping the obsolete random password makes the new installation
> useless. Then bypassing ucf is mandatory.

if you go through an install/purge/install cycle, you shouldn't be prompted
at all.  if you are, it's because the file hasn't been purged from ucf
(which the maintainer is currently required to do according to the dbc
documentation, though i suppose this could be bundled into dbc).

> It has been uploaded at 
> http://debian.ofset.org/dists/etch/main/source/dbconfig-common.diff

i'll take a look at this in the next couple of days, thanks.


	sean
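
The account-selection order proposed in item 3 of the message above, sketched as an added example (not code from dbconfig-common or from either poster). The function names and the `account:method` output are hypothetical; the privilege columns are those listed in the quoted query, and the sketch assumes the debian.cnf credentials are used whenever debian-sys-maint is chosen.

```shell
# Added example; all function names and the output format are hypothetical.
DEBIAN_CNF=/etc/mysql/debian.cnf
PRIVS="Select Insert Update Delete Create Drop Reload Shutdown Process File Grant
References Index Alter Show_db Super Create_tmp_table Lock_tables Execute
Repl_slave Repl_client"

# Build the WHERE clause from the privilege list, comparing every column to 'Y'.
sysmaint_where() {
    where="User='debian-sys-maint'"
    for p in $PRIVS; do
        where="$where AND ${p}_priv='Y'"
    done
    printf '%s\n' "$where"
}

# Probe: succeeds only if exactly one fully privileged debian-sys-maint row exists.
probe_sysmaint() {
    [ -r "$DEBIAN_CNF" ] || return 1
    n=$(mysql --defaults-extra-file="$DEBIAN_CNF" -N -B mysql \
        -e "select count(*) from user where $(sysmaint_where)" 2>/dev/null) || return 1
    [ "$n" = 1 ]
}

# Probe: can account $1 connect to host $2 without being asked for a password?
probe_nopass() {
    mysql -h "$2" -u "$1" -e 'select 1' >/dev/null 2>&1
}

# debian.cnf only describes the local server, so only trust it for local hosts.
is_local() {
    case "$1" in ''|localhost|127.0.0.1|::1) return 0 ;; esac
    return 1
}

# $1 = configured dbadmin name (empty = unset), $2 = database host.
# Prints "account:method", method being defaults-file, nopass or prompt.
select_dbadmin() {
    admin=$1 host=$2
    if [ -z "$admin" ]; then
        if is_local "$host" && probe_sysmaint; then
            echo "debian-sys-maint:defaults-file"
            return 0
        fi
        admin=root
    fi
    if probe_nopass "$admin" "${host:-localhost}"; then
        echo "$admin:nopass"
    else
        echo "$admin:prompt"
    fi
}
```
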

