REJECT: openerp6.1

Yolanda Robla yolanda.robla at canonical.com
Mon Jul 9 13:28:33 UTC 2012


The idea is that OpenERP can be used locally or remotely, and we thought 
that should be simpler if we used password authentication. That's the 
reason why we are using that approach.
So do you prefer that I ask for the password in debconf? Maybe also ask 
about the server for the postgres database (localhost or remote host)?

On 09/07/12 14:38, Martin Pitt wrote:
> Hello Yolanda, Jamie,
>
> Jamie Strandboge [2012-07-09  7:09 -0500]:
>> On Sun, 2012-07-08 at 10:36 -0500, Jamie Strandboge wrote:
>>>   * debian/openerp6.1-full.postinst sets the openerp database password in
>>>     an insecure manner which allows other users to see it via /proc.
>>>     Both the 'psql' and the 'sed' command have this problem (the 'cat'
>>>     that is used will be executed before the psql and sed commands and
>>>     the password put in its place). I suggest using the PGPASSFILE
>>>     environment variable (http://wiki.postgresql.org/wiki/Pgpass) for
>>>     psql (where PGPASSFILE is set to a tmpfile), and perhaps echo'ing
>>>     ('echo' is a shell builtin in dash) the password directly into
>>>     /etc/openerp/openerp-server.conf and then use sed to clean it up. Eg:
>>>       sed -i 's/^db_password\s*=.*//' /etc/openerp/openerp-server.conf
>>>       echo "db_password = $pass" >> /etc/openerp/openerp-server.conf
>>
>> In thinking about this some more, the PGPASSFILE won't work for you here
>> since you are trying to add a password, not use an existing one.
>> Instead, I suggest you echo an sql statement into a temp file and then
>> use psql on that. Eg:
>>    echo "ALTER USER openerp WITH PASSWORD '$pass';" > "$tmp"
>>    su - postgres -c "psql -f $tmp"
>
> I have not actually looked at the package, but I want to point out
> that as long as you only need to talk to a PostgreSQL server on the
> same machine you do not need a password at all. You can set up ident
> authentication instead (which just works if you run the OpenERP server
> as a system Unix user and connect as that under the same PostgreSQL
> user name).
>
> If on the other hand the OpenERP server is talking to a remote
> PostgreSQL server and thus needs a password, an approach like what
> Jamie suggested is valid if the password is being asked over debconf
> (instead of being generated automatically).
>
> Thanks,
>
> Martin
>
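
The approach suggested in the quoted review (SQL statement in a temp file, shell builtins for the config line), written out as an added example that is not part of the thread or the package. The function names are hypothetical, and the sketch assumes a local `postgres` system user and a role name that is a fixed, trusted identifier.

```shell
#!/bin/sh
# Added example. The secret is handled only by shell builtins, pipes and
# files; it never appears in the argv of an external process, so other
# local users cannot read it from /proc/<pid>/cmdline.

# Double embedded single quotes so the value is a valid SQL string literal.
# sed receives the password on stdin; its argv holds only the pattern.
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# Write the ALTER USER statement to a private file and print its path.
write_password_sql() {
    user=$1 pass=$2
    tmp=$(mktemp) || return 1            # mktemp creates the file mode 0600
    printf "ALTER USER %s WITH PASSWORD '%s';\n" \
        "$user" "$(sql_quote "$pass")" > "$tmp"
    printf '%s\n' "$tmp"
}

# Drop any existing db_password line, then append the new one with printf.
# Writing back with cat keeps the config file's owner and mode.
set_conf_password() {
    conf=$1 pass=$2
    tmp=$(mktemp) || return 1
    sed '/^db_password[[:space:]]*=/d' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 1
    printf 'db_password = %s\n' "$pass" >> "$conf"
}

# Full sequence for a maintainer script running as root (not run by default).
apply_password() {
    user=$1 pass=$2 conf=$3
    sqlfile=$(write_password_sql "$user" "$pass") || return 1
    chown postgres "$sqlfile"            # still 0600, now readable by postgres only
    su - postgres -c "psql -q -f '$sqlfile'"
    rc=$?
    rm -f "$sqlfile"
    [ "$rc" -eq 0 ] && set_conf_password "$conf" "$pass"
}
```

Only the temp file path reaches the `su`/`psql` command line; the password itself stays in the file.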




