Move database password to the password store
This commit is contained in:
Bob Mottram
parent
e960e983ec
commit
993c0da24c
|
|
@ -874,7 +874,7 @@ function expire_gnusocial_posts {
|
|||
echo '' >> $gnusocial_expire_script
|
||||
echo '$oldate=date(("Y-m-d"), strtotime("-3 months"));' >> $gnusocial_expire_script
|
||||
echo '$username="root";' >> $gnusocial_expire_script
|
||||
echo "\$password=trim(file_get_contents(\"$DATABASE_PASSWORD_FILE\"));" >> $gnusocial_expire_script
|
||||
echo "\$password=shell_exec('${PROJECT_NAME}-pass -u root -a mariadb');" >> $gnusocial_expire_script
|
||||
echo '$database="gnusocial";' >> $gnusocial_expire_script
|
||||
echo '' >> $gnusocial_expire_script
|
||||
echo 'if (!$link = mysql_connect("localhost", $username, $password)) {' >> $gnusocial_expire_script
|
||||
|
|
|
|||
|
|
@ -607,7 +607,7 @@ function expire_postactiv_posts {
|
|||
echo '' >> $postactiv_expire_script
|
||||
echo '$oldate=date(("Y-m-d"), strtotime("-3 months"));' >> $postactiv_expire_script
|
||||
echo '$username="root";' >> $postactiv_expire_script
|
||||
echo "\$password=trim(file_get_contents(\"$DATABASE_PASSWORD_FILE\"));" >> $postactiv_expire_script
|
||||
echo "\$password=shell_exec('${PROJECT_NAME}-pass -u root -a mariadb');" >> $postactiv_expire_script
|
||||
echo '$database="postactiv";' >> $postactiv_expire_script
|
||||
echo '' >> $postactiv_expire_script
|
||||
echo 'if (!$link = mysql_connect("localhost", $username, $password)) {' >> $postactiv_expire_script
|
||||
|
|
|
|||
|
|
@ -63,10 +63,7 @@ ADMIN_NAME=
|
|||
# Sites are suspended so that verification should work
|
||||
SUSPENDED_SITE=
|
||||
|
||||
DATABASE_PASSWORD=''
|
||||
if [ -f /root/dbpass ]; then
|
||||
DATABASE_PASSWORD=$(cat /root/dbpass)
|
||||
fi
|
||||
DATABASE_PASSWORD=$(${PROJECT_NAME}-pass -u root -a mariadb)
|
||||
|
||||
function make_backup_directory {
|
||||
# make a backup directory on the drive
|
||||
|
|
|
|||
|
|
@ -70,10 +70,7 @@ if [ ! -f /home/${ADMIN_USERNAME}/backup.list ]; then
|
|||
fi
|
||||
|
||||
# MariaDB password
|
||||
DATABASE_PASSWORD=''
|
||||
if [ -f /root/dbpass ]; then
|
||||
DATABASE_PASSWORD=$(cat /root/dbpass)
|
||||
fi
|
||||
DATABASE_PASSWORD=$(${PROJECT_NAME}-pass -u root -a mariadb)
|
||||
|
||||
# local directory where the backup will be made
|
||||
if [ ! -d $SERVER_DIRECTORY ]; then
|
||||
|
|
|
|||
|
|
@ -54,7 +54,7 @@ function get_backup_key_id {
|
|||
grep 'pub ' | awk -F ' ' '{print $2}' | \
|
||||
awk -F '/' '{print $2}')
|
||||
if [ ${#MY_BACKUP_KEY_ID} -lt 4 ]; then
|
||||
echo $"gpg backup key was not found"
|
||||
echo $"Error: gpg backup key was not found"
|
||||
return 58213
|
||||
fi
|
||||
}
|
||||
|
|
@ -141,12 +141,12 @@ get_backup_key_id
|
|||
MASTER_PASSWORD=$(gpg -q --armor --export-secret-key $MY_BACKUP_KEY_ID | sed '/---/d' | sed '/Version/d' | sed '/^$/d')
|
||||
|
||||
if [ ! $CURR_USERNAME ]; then
|
||||
echo $'No username given'
|
||||
echo $'Error: No username given'
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -d /home/$CURR_USERNAME ]; then
|
||||
echo $"User $CURR_USERNAME does not exist"
|
||||
echo $"Error: User $CURR_USERNAME does not exist"
|
||||
exit 2
|
||||
fi
|
||||
|
||||
|
|
@ -158,7 +158,7 @@ if [ ${REMOVE_APP} ]; then
|
|||
fi
|
||||
|
||||
if [ ! $CURR_APP ]; then
|
||||
echo $'No app name given'
|
||||
echo $'Error: No app name given'
|
||||
exit 3
|
||||
fi
|
||||
|
||||
|
|
|
|||
|
|
@ -44,7 +44,8 @@ ADMIN_EMAIL_ADDRESS=${ADMIN_USERNAME}@${HOSTNAME}
|
|||
# Frequency - daily/weekly
|
||||
BACKUP_TYPE='daily'
|
||||
|
||||
MYSQL_ROOT_PASSWORD=$(cat /root/dbpass)
|
||||
MYSQL_ROOT_PASSWORD=$(${PROJECT_NAME}-pass -u root -a mariadb)
|
||||
|
||||
TEMPFILE=/root/repair-database-$DATABASE
|
||||
|
||||
umask 0077
|
||||
|
|
|
|||
|
|
@ -66,10 +66,7 @@ if [ -f $COMPLETION_FILE ]; then
|
|||
fi
|
||||
|
||||
# MariaDB password
|
||||
DATABASE_PASSWORD=''
|
||||
if [ -f /root/dbpass ]; then
|
||||
DATABASE_PASSWORD=$(cat /root/dbpass)
|
||||
fi
|
||||
DATABASE_PASSWORD=$(${PROJECT_NAME}-pass -u root -a mariadb)
|
||||
|
||||
function check_backup_exists {
|
||||
if [ ! -d $USB_MOUNT/backup ]; then
|
||||
|
|
@ -182,18 +179,14 @@ function restore_mariadb {
|
|||
echo $"Restoring mysql settings"
|
||||
temp_restore_dir=/root/tempmariadb
|
||||
restore_directory_from_usb $temp_restore_dir mariadb
|
||||
echo $"Get the MariaDB password from the backup"
|
||||
if [ ! -f ${temp_restore_dir}${temp_restore_dir}/db ]; then
|
||||
echo $"MariaDB password file not found"
|
||||
exit 495
|
||||
fi
|
||||
BACKUP_MARIADB_PASSWORD=$(cat ${temp_restore_dir}${temp_restore_dir}/db)
|
||||
if [[ $BACKUP_MARIADB_PASSWORD != $DATABASE_PASSWORD ]]; then
|
||||
echo $'Obtaining MariaDB password'
|
||||
db_pass=$(${PROJECT_NAME}-pass -u root -a mariadb)
|
||||
if [ ${#db_pass} -gt 0 ]; then
|
||||
echo $"Restore the MariaDB user table"
|
||||
mysqlsuccess=$(mysql -u root --password=$DATABASE_PASSWORD mysql -o < ${temp_restore_dir}${temp_restore_dir}/mysql.sql)
|
||||
mysqlsuccess=$(mysql -u root --password="$DATABASE_PASSWORD" mysql -o < ${temp_restore_dir}${temp_restore_dir}/mysql.sql)
|
||||
if [ ! "$?" = "0" ]; then
|
||||
echo $"Try again using the password obtained from backup"
|
||||
mysqlsuccess=$(mysql -u root --password=$BACKUP_MARIADB_PASSWORD mysql -o < ${temp_restore_dir}${temp_restore_dir}/mysql.sql)
|
||||
mysqlsuccess=$(mysql -u root --password="$db_pass" mysql -o < ${temp_restore_dir}${temp_restore_dir}/mysql.sql)
|
||||
fi
|
||||
if [ ! "$?" = "0" ]; then
|
||||
echo "$mysqlsuccess"
|
||||
|
|
@ -204,14 +197,10 @@ function restore_mariadb {
|
|||
echo $"Restarting database"
|
||||
service mysql restart
|
||||
echo $"Change the MariaDB password to the backup version"
|
||||
DATABASE_PASSWORD=$BACKUP_MARIADB_PASSWORD
|
||||
DATABASE_PASSWORD="$db_pass"
|
||||
${PROJECT_NAME}-pass -u root -a mariadb -p "$DATABASE_PASSWORD"
|
||||
fi
|
||||
shred -zu ${temp_restore_dir}${temp_restore_dir}/db
|
||||
rm -rf $temp_restore_dir
|
||||
|
||||
# Change database password file
|
||||
echo "$DATABASE_PASSWORD" > /root/dbpass
|
||||
chmod 600 /root/dbpass
|
||||
fi
|
||||
}
|
||||
|
||||
|
|
@ -723,9 +712,9 @@ check_admin_user
|
|||
copy_gpg_keys
|
||||
restore_configfiles
|
||||
same_admin_user
|
||||
restore_passwordstore
|
||||
restore_mariadb
|
||||
restore_letsencrypt
|
||||
restore_passwordstore
|
||||
restore_tor
|
||||
restore_mutt_settings
|
||||
restore_gpg
|
||||
|
|
|
|||
|
|
@ -94,10 +94,7 @@ else
|
|||
fi
|
||||
|
||||
# MariaDB password
|
||||
DATABASE_PASSWORD=''
|
||||
if [ -f /root/dbpass ]; then
|
||||
DATABASE_PASSWORD=$(cat /root/dbpass)
|
||||
fi
|
||||
DATABASE_PASSWORD=$(${PROJECT_NAME}-pass -u root -a mariadb)
|
||||
|
||||
function copy_gpg_keys {
|
||||
echo $"Copying GPG keys from admin user to root"
|
||||
|
|
@ -176,18 +173,15 @@ function restore_mariadb {
|
|||
echo $"Restoring MariaDB settings"
|
||||
temp_restore_dir=/root/tempmariadb
|
||||
restore_directory_from_friend $temp_restore_dir mariadb
|
||||
echo $"Get the MariaDB password from the backup"
|
||||
if [ ! -f ${temp_restore_dir}${temp_restore_dir}/db ]; then
|
||||
echo $"MariaDB password file not found"
|
||||
exit 495
|
||||
fi
|
||||
BACKUP_MARIADB_PASSWORD=$(cat ${temp_restore_dir}${temp_restore_dir}/db)
|
||||
if [[ "$BACKUP_MARIADB_PASSWORD" != "$DATABASE_PASSWORD" ]]; then
|
||||
|
||||
echo $'Obtaining MariaDB password'
|
||||
db_pass=$(${PROJECT_NAME}-pass -u root -a mariadb)
|
||||
if [ ${#db_pass} -gt 0 ]; then
|
||||
echo $"Restore the MariaDB user table"
|
||||
mysqlsuccess=$(mysql -u root --password="$DATABASE_PASSWORD" mysql -o < ${temp_restore_dir}${temp_restore_dir}/mysql.sql)
|
||||
if [ ! "$?" = "0" ]; then
|
||||
echo $"Try again using the password obtained from backup"
|
||||
mysqlsuccess=$(mysql -u root --password="$BACKUP_MARIADB_PASSWORD" mysql -o < ${temp_restore_dir}${temp_restore_dir}/mysql.sql)
|
||||
mysqlsuccess=$(mysql -u root --password="$db_pass" mysql -o < ${temp_restore_dir}${temp_restore_dir}/mysql.sql)
|
||||
fi
|
||||
if [ ! "$?" = "0" ]; then
|
||||
echo "$mysqlsuccess"
|
||||
|
|
@ -196,14 +190,10 @@ function restore_mariadb {
|
|||
echo $"Restarting database"
|
||||
service mysql restart
|
||||
echo $"Change the MariaDB password to the backup version"
|
||||
DATABASE_PASSWORD=$BACKUP_MARIADB_PASSWORD
|
||||
DATABASE_PASSWORD="$db_pass"
|
||||
${PROJECT_NAME}-pass -u root -a mariadb -p "$DATABASE_PASSWORD"
|
||||
fi
|
||||
shred -zu ${temp_restore_dir}${temp_restore_dir}/db
|
||||
rm -rf ${temp_restore_dir}
|
||||
|
||||
# Change database password file
|
||||
echo "$DATABASE_PASSWORD" > /root/dbpass
|
||||
chmod 600 /root/dbpass
|
||||
fi
|
||||
}
|
||||
|
||||
|
|
@ -659,9 +649,9 @@ ${PROJECT_NAME}-recoverkey -u ${ADMIN_USERNAME} -l $BACKUP_LIST
|
|||
|
||||
copy_gpg_keys
|
||||
restore_configfiles
|
||||
restore_passwordstore
|
||||
restore_mariadb
|
||||
restore_letsencrypt
|
||||
restore_passwordstore
|
||||
restore_mutt_settings
|
||||
restore_gpg
|
||||
restore_procmail
|
||||
|
|
|
|||
|
|
@ -34,10 +34,6 @@ MARIADB_PASSWORD=
|
|||
# Used to indicate whether the backup contains MariaDB databases or not
|
||||
BACKUP_INCLUDES_DATABASES="no"
|
||||
|
||||
# contains the mysql root password which
|
||||
# is used for backups and repair
|
||||
DATABASE_PASSWORD_FILE=/root/dbpass
|
||||
|
||||
function remove_backup_database_local {
|
||||
database_name=$1
|
||||
|
||||
|
|
@ -114,9 +110,18 @@ function backup_database_local {
|
|||
}
|
||||
|
||||
function get_mariadb_password {
|
||||
# migrate from database password file to using the password store
|
||||
DATABASE_PASSWORD_FILE=/root/dbpass
|
||||
if [ -f $DATABASE_PASSWORD_FILE ]; then
|
||||
MARIADB_PASSWORD=$(cat $DATABASE_PASSWORD_FILE)
|
||||
${PROJECT_NAME}-pass -u root -a mariadb -p "$MARIADB_PASSWORD"
|
||||
if [[ "$(${PROJECT_NAME}-pass -u root -a mariadb)" == "$MARIADB_PASSWORD" ]]; then
|
||||
shred -zu $DATABASE_PASSWORD_FILE
|
||||
echo $'MariaDB password moved into password store'
|
||||
return
|
||||
fi
|
||||
fi
|
||||
MARIADB_PASSWORD=$(${PROJECT_NAME}-pass -u root -a mariadb)
|
||||
}
|
||||
|
||||
function install_mariadb {
|
||||
|
|
@ -135,8 +140,7 @@ function install_mariadb {
|
|||
else
|
||||
MARIADB_PASSWORD="$(openssl rand -base64 32 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
|
||||
fi
|
||||
echo "$MARIADB_PASSWORD" > $DATABASE_PASSWORD_FILE
|
||||
chmod 600 $DATABASE_PASSWORD_FILE
|
||||
${PROJECT_NAME}-pass -u root -a mariadb -p "$MARIADB_PASSWORD"
|
||||
fi
|
||||
|
||||
debconf-set-selections <<< "mariadb-server mariadb-server/root_password password $MARIADB_PASSWORD"
|
||||
|
|
@ -164,8 +168,7 @@ function backup_databases_script_header {
|
|||
echo '' >> /usr/bin/backupdatabases
|
||||
echo "EMAIL='$MY_EMAIL_ADDRESS'" >> /usr/bin/backupdatabases
|
||||
echo '' >> /usr/bin/backupdatabases
|
||||
echo -n 'MYSQL_PASSWORD=$(cat ' >> /usr/bin/backupdatabases
|
||||
echo "$DATABASE_PASSWORD_FILE)" >> /usr/bin/backupdatabases
|
||||
echo "MYSQL_PASSWORD=\$(${PROJECT_NAME}-pass -u root -a mariadb)" >> /usr/bin/backupdatabases
|
||||
echo 'umask 0077' >> /usr/bin/backupdatabases
|
||||
echo '' >> /usr/bin/backupdatabases
|
||||
echo '# exit if we are backing up to friends servers' >> /usr/bin/backupdatabases
|
||||
|
|
@ -207,7 +210,8 @@ function repair_databases_script {
|
|||
return
|
||||
fi
|
||||
|
||||
if [ ! -f $DATABASE_PASSWORD_FILE ]; then
|
||||
db_pass=$(${PROJECT_NAME}-pass -u root -p mariadb)
|
||||
if [[ "$db_pass" == 'Error:'* ]]; then
|
||||
return
|
||||
fi
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue