[open-ils-commits] r19244 - branches/rel_2_0/Open-ILS/src/support-scripts (dbs)

svn at svn.open-ils.org svn at svn.open-ils.org
Fri Jan 21 10:49:48 EST 2011 

Author: dbs
Date: 2011-01-21 10:49:45 -0500 (Fri, 21 Jan 2011)
New Revision: 19244

Modified:
   branches/rel_2_0/Open-ILS/src/support-scripts/eg_db_config.pl
Log:
Towards a more secure default setup

Shipping with a default account user name and password is considered
an authentication anti-pattern; see
http://code.google.com/p/owasp-development-guide/wiki/WebAppSecDesignGuide_D2

By making the user select an admin user name and password at the time
they create the database, we avoid the chance that they will forget to
change the default password and leave their system open to access.

Next step is to change the seed data to insert random values for the
admin username and password, then update the documentation accordingly.


Modified: branches/rel_2_0/Open-ILS/src/support-scripts/eg_db_config.pl
===================================================================
--- branches/rel_2_0/Open-ILS/src/support-scripts/eg_db_config.pl	2011-01-21 03:13:14 UTC (rev 19243)
+++ branches/rel_2_0/Open-ILS/src/support-scripts/eg_db_config.pl	2011-01-21 15:49:45 UTC (rev 19244)
@@ -23,8 +23,9 @@
 use Getopt::Long;
 use File::Spec;
 use File::Basename;
+use DBI;
 
-my ($dbhost, $dbport, $dbname, $dbuser, $dbpw, $help);
+my ($dbhost, $dbport, $dbname, $dbuser, $dbpw, $help, $admin_user, $admin_pw);
 my $config_file = '';
 my $build_db_sh = '';
 my $offline_file = '';
@@ -37,8 +38,11 @@
 # Get the directory for this script
 my $script_dir = dirname($0);
 
+=over
+
+=item update_config() - Puts command line specified settings into xml file
+=cut
 sub update_config {
-	# Puts command line specified settings into xml file
 	my ($services, $settings) = @_;
 
 	my $parser = XML::LibXML->new();
@@ -76,7 +80,8 @@
 		die "ERROR: Failed to update the configuration file '$config_file'\n";
 }
 
-# write out the offline config
+=item create_offline_config() - Write out the offline config
+=cut
 sub create_offline_config {
 	my ($setup, $settings) = @_;
 
@@ -95,7 +100,9 @@
 
 	close(FH);
 }
-# Extracts database settings from opensrf.xml
+
+=item get_settings() - Extracts database settings from opensrf.xml
+=cut
 sub get_settings {
 	my $settings = shift;
 
@@ -117,7 +124,8 @@
 	$settings->{pw} = $settings->{pw} || $opensrf_config->findnodes($pw);
 }
 
-# Creates the database schema by calling build-db.sh
+=item create_schema() - Creates the database schema by calling build-db.sh
+=cut
 sub create_schema {
 	my $settings = shift;
 
@@ -130,6 +138,31 @@
 	chdir($script_dir);
 }
 
+=item set_admin_account() - Sets the administrative user's user name and password
+=cut
+sub set_admin_account {
+	my $admin_user = shift;
+	my $admin_pw = shift;
+	my $settings = shift;
+
+	my $dbh = DBI->connect('dbi:Pg:dbname=' . $settings->{db} . 
+		';host=' . $settings->{host} . ';port=' . $settings->{port} . ';',
+		 $settings->{user} . "", $settings->{pw} . "", {AutoCommit => 1}
+	);
+	if ($dbh->err) {
+		print STDERR "Could not connect to database to set admin account. ";
+		print STDERR "Error was " . $dbh->errstr . "\n";
+		return;
+	}
+	my $stmt = $dbh->prepare("UPDATE actor.usr SET usrname = ?, passwd = ? WHERE id = 1");
+	$stmt->execute(($admin_user, $admin_pw));
+	if ($dbh->err) {
+		print STDERR "Failed to set admin account. ";
+		print STDERR "Error was " . $dbh->errstr . "\n";
+		return;
+	}
+}
+
 my $offline;
 my $cschema;
 my $uconfig;
@@ -140,6 +173,8 @@
 		"update-config" => \$uconfig,
 		"config-file=s" => \$config_file,
 		"build-db-file=s" => \$build_db_sh,
+		"admin-user=s" => \$admin_user,
+		"admin-password=s" => \$admin_pw,
 		"service=s" => \@services,
 		"user=s" => \$settings{'user'},
 		"password=s" => \$settings{'pw'},
@@ -185,9 +220,12 @@
 get_settings(\%settings);
 
 if ($cschema) { create_schema(\%settings); }
+if ($admin_user && $admin_pw) {
+	set_admin_account($admin_user, $admin_pw, \%settings);
+}
 if ($offline) { create_offline_config($offline_file, \%settings); }
 
-if ((!$cschema && !$uconfig && !$offline) || $help) {
+if ((!$cschema && !$uconfig && !$offline && !$admin_pw) || $help) {
 	print <<HERE;
 
 SYNOPSIS
@@ -244,9 +282,16 @@
 
     --port            port number for database access
 
+    --admin-user      administration user's user name
+
+    --admin-pass      administration user's password
+
 EXAMPLES
    This script is normally used during the initial installation and
-   configuration process.
+   configuration process. This creates the database schema, sets
+   the administration user's user name and password, and modifies your
+   configuration files to include the correct database connection
+   information.
 
    For a single server install, or an install with one web/application
    server and one database server, you will typically want to invoke this
@@ -254,8 +299,8 @@
 
    perl Open-ILS/src/support-scripts/eg_db_config.pl --update-config \
        --service all --create-schema --create-offline \
-       --user evergreen --password evergreen --hostname localhost --port 5432 \
-       --database evergreen 
+       --user <db-user> --password <db-pass> --hostname localhost --port 5432 \
+       --database evergreen --admin-user <admin-user> --admin-pass <admin-pass> 
 
    To update the configuration for a single service - for example, if you
    replicated a database for reporting purposes - just issue the

More information about the open-ils-commits mailing list