REJECT: openerp6.1
Jamie Strandboge
jamie at canonical.com
Mon Jul 9 12:09:31 UTC 2012
On Sun, 2012-07-08 at 10:36 -0500, Jamie Strandboge wrote:
> * debian/openerp6.1-full.postinst sets the openerp database password in
> an insecure manner which allows other users to see it via /proc.
> Both the 'psql' and the 'sed' command have this problem (the 'cat'
> that is used will be executed before the psql and sed commands and
> the password put in its place). I suggest using the PGPASSFILE
> environment variable (http://wiki.postgresql.org/wiki/Pgpass) for
> psql (where PGPASSFILE is set to a tmpfile), and perhaps echo'ing
> ('echo' is a shell builtin in dash) the password directly into
> /etc/openerp/openerp-server.conf and then use sed to clean it up. Eg:
> sed -i 's/^db_password\s*=.*//' /etc/openerp/openerp-server.conf
> echo "db_password = $pass" >> /etc/openerp/openerp-server.conf
In thinking about this some more, the PGPASSFILE won't work for you here
since you are trying to add a password, not use an existing one.
Instead, I suggest you echo an sql statement into a temp file and then
use psql on that. Eg:
echo "ALTER USER openerp WITH PASSWORD '$pass';" > "$tmp"
su - postgres -c "psql -f $tmp"
--
Jamie Strandboge | http://www.canonical.com
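The two suggestions from this mail combined into one script, as an added example (not code from the mail or from the openerp package): the password reaches the config file and psql only through a shell builtin or a file, so it never appears in any command line visible via /proc. Assumes GNU sed and that it runs as root, as a postinst does; the role name 'openerp' and the config path are taken from the mail.

```shell
#!/bin/sh
# Added example, not code from this mail or from the openerp package.
# Assumes GNU sed (for -i) and that it runs as root, as a postinst does.
# The pattern being avoided is e.g.
#   su - postgres -c "psql -c \"ALTER USER openerp WITH PASSWORD '$pass'\""
# where any local user can read the password from /proc/<pid>/cmdline.

# Replace any db_password line in the config. Only printf, a shell builtin,
# ever handles the password; the sed invocation does not contain it.
set_config_password() {
    conf="$1"
    pass="$2"
    sed -i '/^db_password[[:space:]]*=/d' "$conf"
    # printf rather than echo: dash's echo interprets backslash escapes.
    printf 'db_password = %s\n' "$pass" >> "$conf"
}

# Write the ALTER USER statement to a 0600 temp file and print its path.
# A single quote in the password is doubled so it cannot close the SQL literal.
write_alter_sql() {
    pass="$1"
    escaped=$(printf '%s' "$pass" | sed "s/'/''/g")
    tmp=$(mktemp)                 # mktemp creates the file with mode 0600
    printf "ALTER USER openerp WITH PASSWORD '%s';\n" "$escaped" > "$tmp"
    printf '%s\n' "$tmp"
}

# Hand the file to psql as the postgres user; only the path is on the command
# line. chown is needed because mktemp's file is owned by root (assumption:
# the 'openerp' role and the postgres superuser account already exist).
apply_alter_sql() {
    sqlfile="$1"
    chown postgres "$sqlfile"
    su - postgres -c "psql -f '$sqlfile'"
    rm -f "$sqlfile"
}
```

The config file itself still has to be unreadable to other users (the mail does not cover its mode), since the password ends up in it in clear text either way.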