Opened 12 years ago

Closed 12 years ago

#1169 closed Defect (fixed)

database upgrade may require alternate user

Reported by: Eric Myers
Owned by: davea
Priority: Minor
Milestone: Undetermined
Component: Server - Setup
Version: 6.12.34
Keywords: database upgrade
Cc:

Description

The database upgrade step should ask for a database username and password instead of assuming it should use the values in config.xml.

It may be the case that the default project db user listed does not have proper permissions to make changes to the database (add or drop tables or fields in tables), but only has permissions to insert, alter or remove entries. One would set such limited permissions to mitigate damage in the case of an intrusion via SQL injection or something similar. But then the database upgrade will fail.

A simple way to avoid this problem is to have the db_update.php script invoke db_init_cli() instead of BoincDb::get_aux(false). This is appropriate because the file is to be run via CLI anyway. Here is a suggested patch:

26,28c26,28
< if( $rc = db_init_cli() ){
<     if( $rc == 1 ) echo "Cannot connect to database server.\n";
<     if( $rc == 2 ) echo "Cannot select the database.\n";
---
> $db = BoincDb::get_aux(false);
> if (!$db) {
>     echo "Can't open database\n";
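
Review bot: the hunk runs in the opposite direction from the description. The "<" (old-file) lines carry the proposed db_init_cli() call and the ">" (new-file) lines carry BoincDb::get_aux(false), so applied as posted it would take db_init_cli() out rather than put it in; regenerate it with the unmodified db_update.php as the first file given to diff. In the db_init_cli() branch, only $rc == 1 and $rc == 2 print a message, so any other non-zero return enters the block without telling the admin why; add a fallback message that prints the unexpected $rc value.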

This doesn't catch the fact that the default db user cannot alter the database -- that is a separate problem -- but it lets the admin use a different db user that does have the proper permissions.
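
One way to detect up front that a database account cannot change the schema, the gap the description mentions, is to inspect MySQL's SHOW GRANTS output before any update step runs. This is an added example, not BOINC's code or part of the ticket; the account names, the database name boinc_project, the sample grant lines and the required-privilege set are assumptions constructed for illustration.

```python
import re

# Schema-changing privileges a table/field upgrade needs (an assumption for
# this example; match the set to what your update steps actually run).
DDL_NEEDED = {"CREATE", "ALTER", "DROP", "INDEX"}
GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s", re.I)


def ddl_privileges(grant_lines, database):
    """Return the DDL privileges held on every table of `database`.
    Only global (*.*) and database-wide (`db`.*) grants count: a grant on a
    single table does not allow adding or dropping other tables.
    """
    held = set()
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        # Drop identifier quoting and escaped wildcards such as `boinc\_project`.
        scope = m.group("scope").replace("`", "").replace("\\", "")
        if scope not in ("*.*", database + ".*"):
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if "ALL PRIVILEGES" in privs or "ALL" in privs:
            return set(DDL_NEEDED)
        held |= privs & DDL_NEEDED
    return held


def missing_for_upgrade(grant_lines, database):
    """Privileges the account lacks; an empty set means the upgrade can run."""
    return DDL_NEEDED - ddl_privileges(grant_lines, database)


# Constructed sample output of SHOW GRANTS for two hypothetical accounts.
WEB_USER_GRANTS = [
    "GRANT USAGE ON *.* TO 'boinc_web'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `boinc_project`.* TO 'boinc_web'@'localhost'",
]
ADMIN_USER_GRANTS = [
    "GRANT USAGE ON *.* TO 'boinc_admin'@'localhost'",
    "GRANT ALL PRIVILEGES ON `boinc_project`.* TO 'boinc_admin'@'localhost'",
]

if __name__ == "__main__":
    for name, grants in (("boinc_web", WEB_USER_GRANTS), ("boinc_admin", ADMIN_USER_GRANTS)):
        missing = missing_for_upgrade(grants, "boinc_project")
        print(name, "OK" if not missing else "missing: " + ", ".join(sorted(missing)))
```

Grants whose database name uses a % or _ pattern are treated as not matching, so the check errs toward reporting missing privileges rather than assuming them.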

Change History (1)

comment:1 Changed 12 years ago by davea

Resolution: fixed
Status: new → closed

(In [24969]) - upgrade script:

  • prompt user for DB user/passwd if DB updates needed
  • error out immediately if any DB update fails
    Fixes #1169, #1170
  • create_work: check for duplicate <file_info>s in input template

NOTE: the input template syntax is pretty clunky
