Opened 17 years ago

Last modified 11 years ago

#57 new enhancement

Autoinstallers should read configuration from common files — at Version 1

Reported by: andersk Owned by:
Priority: normal Milestone:
Component: wizard-infra Keywords:
Cc:

Description (last modified by price)

The autoinstallers should be modified to read the SQL username and password from .my.cnf, and the SQL database name from a configuration file with a common format in the autoinstall directory (so that we can make scripts-remove work, and transfers between accounts easier).

In particular, the status quo of copying the password into the autoinstall means a (now only nearly) silent breach of the SQL database's security in the case where the locker has a couple of ACLs of different sizes -- anyone who can read the autoinstalled software's code can get the password, which the user may not expect.

Change History (1)

comment:1 Changed 16 years ago by price

  • Component changed from web to autoinstallers
  • Description modified (diff)

Eric writes:

I was shocked today to find out that the scripts autoinstalls don't read the SQL password from ~/.sql/my.cnf, but instead copy the password from there into their own directories without telling the user.

The current state is misleading -- the autoinstaller doesn't ask for the password, and I assumed the autoinstall would do the same thing as the autoinstaller -- and leads to a couple of bad consequences:

  • It changes the security of my SQL password without telling me. Suppose I want my website's code to be readable by foo-discuss, and writable by foo-request. I would set web_scripts/ to be readable by foo-discuss, and .sql/ only readable by foo-request. When I autoinstall something, all my SQL databases suddenly become writable by foo-discuss and _I wouldn't realize it_.

The autoinstallers hard-code dropping privilege in the special case of "foo-discuss" being system:{any,auth}user, but that's cold comfort. When I decide to make all my web_scripts anyuser readable, it might not occur to me that some program I ran once that never mentioned SQL at all would expose my SQL password, jeopardizing databases that I care about.

  • When I change my SQL password, my autoinstalls stop working. I won't check that they work for some time, and users in the meantime likely won't report the outage.

How hard can it be to change configuration lines from

$password='passwd'

to

$password=$(sed -n 's/^password=//p' ~/.sql/my.cnf | tr -d '\n') ?

And if fixing it is difficult, could you at least warn the user at install time that you're spewing his SQL password around?

Thanks, Eric
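The arrangement the ticket asks for, as an added example that is not code from the scripts.mit.edu autoinstallers or from Eric's message: the application reads the SQL user and password from a my.cnf-style option file at run time, so the ACL on ~/.sql/ stays the ACL on the database, and reads the database name from a separate one-line file in the autoinstall directory. The [client] section layout, the one-line database-name file, the file names and all sample values below are assumptions made for this example.

```python
"""Read SQL credentials from an option file at run time instead of copying
the password into the autoinstall (added example, not project code)."""
import configparser
import os
import tempfile

# Constructed sample of a ~/.sql/my.cnf; every value here is made up.
SAMPLE_MYCNF = """\
# option file written at SQL signup time (constructed sample)
[client]
user=jdoe
password='s3cr3t#not-a-comment'
host=sql.example.invalid
[mysql]
no-auto-rehash
"""


def parse_mycnf(text, section="client"):
    """Return one section of a MySQL option file as a dict.

    Option files are INI-like: '#' and ';' start comments, options may
    appear with no value (boolean switches), and values may be quoted.
    """
    cp = configparser.ConfigParser(
        allow_no_value=True,           # bare options such as no-auto-rehash
        interpolation=None,            # passwords may contain '%'
        comment_prefixes=("#", ";"),
        inline_comment_prefixes=None,  # '#' inside a quoted password is data
        strict=False,                  # duplicate keys: last one wins
    )
    cp.optionxform = str               # keep option names as written
    cp.read_string(text)
    if not cp.has_section(section):
        raise KeyError("no [%s] section in option file" % section)
    opts = {}
    for key, value in cp.items(section):
        if value is not None:
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
                value = value[1:-1]    # strip matching quotes, like mysql does
        opts[key] = value
    return opts


def read_credentials(mycnf_path, section="client"):
    """Load user/password/host from the option file when they are needed.

    A PermissionError here is the intended outcome for anyone who cannot
    read ~/.sql/: nothing is copied, so the directory ACL governs access.
    """
    with open(mycnf_path) as f:
        opts = parse_mycnf(f.read(), section)
    missing = [k for k in ("user", "password") if not opts.get(k)]
    if missing:
        raise ValueError("option file lacks: " + ", ".join(missing))
    return {
        "user": opts["user"],
        "password": opts["password"],
        "host": opts.get("host", "localhost"),
    }


def read_database_name(name_path):
    """Read the database name from a one-line file (assumed common format)."""
    with open(name_path) as f:
        name = f.read().strip()
    if not name or any(c.isspace() for c in name):
        raise ValueError("bad database name in %s" % name_path)
    return name


def demo():
    """Write the constructed sample files to a temp dir and load from them."""
    with tempfile.TemporaryDirectory() as d:
        mycnf = os.path.join(d, "my.cnf")
        dbfile = os.path.join(d, "database")
        with open(mycnf, "w") as f:
            f.write(SAMPLE_MYCNF)
        os.chmod(mycnf, 0o600)          # only the owner reads the password
        with open(dbfile, "w") as f:
            f.write("jdoe+wordpress\n")  # constructed database name
        settings = read_credentials(mycnf)
        settings["database"] = read_database_name(dbfile)
        return settings


if __name__ == "__main__":
    print(demo())
```

Because the password is looked up on every use, changing it in ~/.sql/my.cnf takes effect without touching the autoinstall, which also removes the silent-outage case from Eric's second bullet.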
