REJECT: openerp6.1

Martin Pitt martin.pitt at ubuntu.com
Mon Jul 9 12:38:23 UTC 2012


Hello Yolanda, Jamie,

Jamie Strandboge [2012-07-09  7:09 -0500]:
> On Sun, 2012-07-08 at 10:36 -0500, Jamie Strandboge wrote:
> >  * debian/openerp6.1-full.postinst sets the openerp database password in
> >    an insecure manner which allows other users to see it via /proc. 
> >    Both the 'psql' and the 'sed' command have this problem (the 'cat'
> >    that is used will be executed before the psql and sed commands and
> >    the password put in its place). I suggest using the PGPASSFILE 
> >    environment variable (http://wiki.postgresql.org/wiki/Pgpass) for
> >    psql (where PGPASSFILE is set to a tmpfile), and perhaps echo'ing 
> >    ('echo' is a shell builtin in dash) the password directly into
> >    /etc/openerp/openerp-server.conf and then use sed to clean it up. Eg:
> >      sed -i '/^db_password\s*=/d' /etc/openerp/openerp-server.conf
> >      echo "db_password = $pass" >> /etc/openerp/openerp-server.conf
> 
> In thinking about this some more, the PGPASSFILE won't work for you here
> since you are trying to add a password, not use an existing one.
> Instead, I suggest you echo an sql statement into a temp file and then
> use psql on that. Eg:
>   echo "ALTER USER openerp WITH PASSWORD '$pass'" > "$tmp"
>   su - postgres -c "psql -f $tmp"

I have not actually looked at the package, but I want to point out
that as long as you only need to talk to a PostgreSQL server on the
same machine you do not need a password at all. You can set up ident
authentication instead (which just works if you run the OpenERP server
as a system Unix user and connect as that under the same PostgreSQL
user name). 

If on the other hand the OpenERP server is talking to a remote
PostgreSQL server and thus needs a password, an approach like what
Jamie suggested is valid if the password is being asked over debconf
(instead of being generated automatically).

Thanks,

Martin

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
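Added example, not code from either mail or from the openerp6.1 package: a postinst-style sketch of the approach Jamie describes above, in which the password only ever passes through shell builtins and a mode-0600 file, never through the argv of psql or sed (where /proc/<pid>/cmdline would expose it). The function names and the sample config are constructed; the config path is the one named in the thread.

```shell
#!/bin/sh
# Replace the db_password line of an OpenERP config. 'printf' is a dash
# builtin like 'echo', but does not interpret backslashes in the password,
# so the value reaches the file unchanged and never appears in a process
# argument list. (Constructed helper, not the package's own code.)
write_db_password() {
    conf="$1"; pass="$2"
    sed -i '/^db_password[[:space:]]*=/d' "$conf"
    printf '%s\n' "db_password = $pass" >> "$conf"
}

# Write 'ALTER USER ... PASSWORD' into a temp file for 'psql -f'. The file is
# created under umask 077, so only root can read it; single quotes in the
# password are doubled so they cannot break out of the SQL string literal.
# Prints the path of the file it created. (Constructed helper.)
write_alter_sql() {
    pass="$1"
    tmp=$(umask 077 && mktemp)
    esc=$(printf '%s' "$pass" | sed "s/'/''/g")
    printf '%s\n' "ALTER USER openerp WITH PASSWORD '$esc';" > "$tmp"
    printf '%s\n' "$tmp"
}

# In a real postinst the root-owned 0600 file is not readable by the
# postgres user, so hand it to psql on stdin instead of by path, then
# remove it:
#   sql=$(write_alter_sql "$pass")
#   su - postgres -c psql < "$sql"
#   rm -f "$sql"
```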