[evolvis-commits] r18358: completely drop the user_pw column

mirabilos at evolvis.org mirabilos at evolvis.org
Thu Apr 12 20:40:40 CEST 2012


Author: mirabilos
Date: 2012-04-12 20:40:40 +0200 (Thu, 12 Apr 2012)
New Revision: 18358

Removed:
   trunk/gforge_base/evolvisforge-5.1/src/db/20120412-better-nss.sql
Modified:
   trunk/gforge_base/evolvisforge-5.1/src/common/include/User.class.php
   trunk/gforge_base/evolvisforge-5.1/src/common/include/session.php
   trunk/gforge_base/evolvisforge-5.1/src/db/20120412-nuke-md5.sql
   trunk/gforge_base/evolvisforge-5.1/src/deb-specific/db-convert-to-unicode.pl
   trunk/gforge_base/evolvisforge-5.1/src/deb-specific/db-upgrade.pl
   trunk/gforge_base/evolvisforge-5.1/src/deb-specific/gforge-inject.pl
   trunk/gforge_base/evolvisforge-5.1/src/debian/changelog
   trunk/gforge_base/evolvisforge-5.1/src/fusionforge-install-3-db.php
   trunk/gforge_base/evolvisforge-5.1/src/install/install3
   trunk/gforge_base/evolvisforge-5.1/src/univention/ldap2psql.sh
Log:
completely drop the user_pw column

Modified: trunk/gforge_base/evolvisforge-5.1/src/common/include/User.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/common/include/User.class.php	2012-04-12 18:40:36 UTC (rev 18357)
+++ trunk/gforge_base/evolvisforge-5.1/src/common/include/User.class.php	2012-04-12 18:40:40 UTC (rev 18358)
@@ -343,7 +343,7 @@
 		// if we got this far, it must be good
 		$confirm_hash = substr(md5($password1 . util_randbytes() . microtime()),0,16);
 		db_begin();
-		$result = db_query_params ('INSERT INTO users (user_name,user_pw,unix_pw,realname,firstname,lastname,email,add_date,status,confirm_hash,mail_siteupdates,mail_va,language,timezone,jabber_address,jabber_only,unix_box,address,address2,phone,fax,title,ccode,theme_id) VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15,$16,$17,$18,$19,$20,$21,$22,$23,$24)',
+		$result = db_query_params ('INSERT INTO users (user_name,unix_pw,realname,firstname,lastname,email,add_date,status,confirm_hash,mail_siteupdates,mail_va,language,timezone,jabber_address,jabber_only,unix_box,address,address2,phone,fax,title,ccode,theme_id) VALUES ($1,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15,$16,$17,$18,$19,$20,$21,$22,$23,$24)',
 					   array ($unix_name,
 						  'X',
 						  account_genunixpw($password1),
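Review bot: The rewritten INSERT references `$1,$3,$4,…,$24` and never `$2`, while the parameter array that follows still passes `'X'` as its second element; PostgreSQL cannot infer a type for a bound parameter the statement never references, so this call is likely to fail with an indeterminate-datatype error (SQLSTATE 42P18) on every account creation. Renumber the placeholders to a contiguous `$1..$23` and delete the `'X',` line from the array so the values line up positionally with the 23 listed columns. The array and the enclosing method continue past the end of the hunk, so the remaining elements should be rechecked after the deletion.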
@@ -1306,11 +1306,8 @@
 		db_begin();
 		$unix_pw = account_genunixpw ($passwd) ;
 
-		$res = db_query_params ('UPDATE users SET user_pw=$1, unix_pw=$2 WHERE user_id=$3',
-					array ('X',
-					       $unix_pw,
-					       $this->getID())) ;
-
+		$res = db_query_params('UPDATE users SET unix_pw=$1 WHERE user_id=$2',
+		    array($unix_pw, $this->getID()));
 		if (!$res || db_affected_rows($res) < 1) {
 			$this->setError(_('ERROR - Could Not Change User Password:') . ' ' .db_error());
 			db_rollback();
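Review bot: The continuation line of the rewritten `db_query_params` call, `    array($unix_pw, $this->getID()));`, is indented with four spaces, whereas this file aligns continuation arguments under the opening parenthesis with tabs, as the removed lines and the INSERT call earlier in the file do; keep the file's convention so the two call sites read alike. The enclosing method starts and ends outside the hunk.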

Modified: trunk/gforge_base/evolvisforge-5.1/src/common/include/session.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/common/include/session.php	2012-04-12 18:40:36 UTC (rev 18357)
+++ trunk/gforge_base/evolvisforge-5.1/src/common/include/session.php	2012-04-12 18:40:40 UTC (rev 18358)
@@ -188,10 +188,9 @@
 	if ($is_valid != 2) {
 		/* Update the database with canonical hashes */
 		$res = db_query_params('UPDATE users
-		    SET user_pw=$1, unix_pw=$2
-		    WHERE user_name=$3',
+		    SET unix_pw=$1
+		    WHERE user_name=$2',
 		    array(
-			'X',
 			account_genunixpw($passwd),
 			$loginname
 		    ));
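Review bot: The comment above the rewritten statement, `/* Update the database with canonical hashes */`, still speaks of several hashes although the UPDATE now writes only `unix_pw`; reword it to `/* Re-store the password as the canonical unix_pw hash */` so it matches the code. The enclosing function starts and ends outside the hunk.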

Modified: trunk/gforge_base/evolvisforge-5.1/src/db/20120412-nuke-md5.sql
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/db/20120412-nuke-md5.sql	2012-04-12 18:40:36 UTC (rev 18357)
+++ trunk/gforge_base/evolvisforge-5.1/src/db/20120412-nuke-md5.sql	2012-04-12 18:40:40 UTC (rev 18358)
@@ -1,4 +1,11 @@
 -- remove the stored MD5-hashed unsalted password for all users
 -- to avoid rainbow table attacks, should the DB ever be leaked
 
-UPDATE users SET user_pw='X';
+DROP VIEW nss_passwd;
+DROP VIEW nss_shadow;
+ALTER TABLE users
+	ALTER COLUMN unix_pw TYPE character varying(128),
+	DROP COLUMN user_pw;
+CREATE VIEW nss_passwd AS SELECT unix_uid AS uid, unix_gid AS gid, user_name AS login, CASE unix_pw WHEN '' THEN 'x' WHEN ':' THEN 'x' ELSE unix_pw END AS passwd, realname AS gecos, shell, user_name AS homedir, status FROM users WHERE unix_status = 'A';
+CREATE VIEW nss_shadow AS SELECT user_name AS login, CASE unix_pw WHEN '' THEN 'x' WHEN ':' THEN 'x' ELSE unix_pw END AS passwd, 'n'::character(1) AS expired, 'n'::character(1) AS pwchange FROM users WHERE unix_status = 'A';
+GRANT SELECT ON nss_passwd TO gforge_nss;
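Review bot: The `CASE unix_pw WHEN '' THEN 'x' WHEN ':' THEN 'x' ELSE unix_pw END` expression in both recreated views lets a NULL `unix_pw` fall through to `ELSE`, so a row whose hash is NULL still yields a NULL `passwd` field, which is the empty-passwd case the changelog says these views prevent; if the column is nullable (not visible here), write it as `CASE WHEN unix_pw IS NULL OR unix_pw IN ('', ':') THEN 'x' ELSE unix_pw END` in both `CREATE VIEW` statements. `nss_passwd` also returns the real hash in its `passwd` column, and if that view backs the NSS passwd map the hash becomes readable by any local account through an ordinary passwd lookup; unless a consumer here depends on it, return `'x'` unconditionally in `nss_passwd` and leave the hash to `nss_shadow`. The widening to `character varying(128)` is not mirrored in db-convert-to-unicode.pl, whose `convert_column_to_charset ('users', 'unix_pw', $from, $to, 40)` still carries 40 if that last argument is the column width. Finally, `DROP VIEW` discards the existing grants and only `nss_passwd` is re-granted, so confirm that `nss_shadow` is meant to lose whatever grants it had, and that `update_with_sql` runs the script inside a transaction so a failing `CREATE VIEW` does not leave both views dropped.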

Modified: trunk/gforge_base/evolvisforge-5.1/src/deb-specific/db-convert-to-unicode.pl
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/deb-specific/db-convert-to-unicode.pl	2012-04-12 18:40:36 UTC (rev 18357)
+++ trunk/gforge_base/evolvisforge-5.1/src/deb-specific/db-convert-to-unicode.pl	2012-04-12 18:40:40 UTC (rev 18358)
@@ -166,7 +166,6 @@
 
     convert_column_to_charset ('users', 'user_name', $from, $to, -1) ;
     convert_column_to_charset ('users', 'email', $from, $to, -1) ;
-    convert_column_to_charset ('users', 'user_pw', $from, $to, 32) ;
     convert_column_to_charset ('users', 'realname', $from, $to, 32) ;
     convert_column_to_charset ('users', 'shell', $from, $to, 20) ;
     convert_column_to_charset ('users', 'unix_pw', $from, $to, 40) ;

Modified: trunk/gforge_base/evolvisforge-5.1/src/deb-specific/db-upgrade.pl
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/deb-specific/db-upgrade.pl	2012-04-12 18:40:36 UTC (rev 18357)
+++ trunk/gforge_base/evolvisforge-5.1/src/deb-specific/db-upgrade.pl	2012-04-12 18:40:40 UTC (rev 18358)
@@ -2508,8 +2508,7 @@
 
     &update_with_sql("20120321-add-news-in-activity_vw","5.1-12");
     &update_with_sql("20120329-pfo-rbac", "5.1-12+ev1");
-    &update_with_sql("20120412-nuke-md5", "5.1-12+ev2");
-    &update_with_sql("20120412-better-nss", "5.1-12+ev3");
+    &update_with_sql("20120412-nuke-md5", "5.1-12+ev4");
 
     ########################### INSERT HERE #################################
 
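Review bot: The replacement line re-registers the already-shipped `20120412-nuke-md5` script under a new version, `5.1-12+ev4`, and the `20120412-better-nss` entry is removed; whether installations that already applied the ev2/ev3 versions pick up the reworked script depends on how `update_with_sql` records applied upgrades, which is not visible here. If it is keyed on the script name, such databases never execute `DROP COLUMN user_pw`, and if that column is NOT NULL without a default the INSERTs in User.class.php that no longer supply it will fail; if it is keyed on the version string, the reworked script re-runs on a database that already has the better-nss views, which only works because it drops them first. Registering a new script file at ev4 (name to be chosen, e.g. a `20120412-drop-user-pw` placeholder) and leaving the two earlier entries in place would make the upgrade path unambiguous for both kinds of installation.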

Modified: trunk/gforge_base/evolvisforge-5.1/src/deb-specific/gforge-inject.pl
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/deb-specific/gforge-inject.pl	2012-04-12 18:40:36 UTC (rev 18357)
+++ trunk/gforge_base/evolvisforge-5.1/src/deb-specific/gforge-inject.pl	2012-04-12 18:40:40 UTC (rev 18358)
@@ -115,7 +115,6 @@
     $users{$user}{user_id} 	      	= $passwd{$user}{uid} ;
     $users{$user}{user_name} 	      	= $user ;
     $users{$user}{email} 	      	= "$user\@debian.org" ;
-    $users{$user}{user_pw} 	      	= 'UNKNOWN / OUT OF DATE' ;
     $users{$user}{realname} 	      	= $passwd{$user}{name} ;
     $users{$user}{shell} 	      	= $passwd{$user}{shell} ;
     $users{$user}{unix_pw} 	      	= $shadow{$user}{passwd} ;
@@ -225,12 +224,11 @@
 	    $realname = substr ($realname, 0, 32) ;
 	    $realname = $dbh->quote ($realname) ;
 	    $query = "INSERT INTO users (user_name, email,
-                                         user_pw, realname, status,
+                                         realname, status,
                                          shell, unix_pw, unix_status,
                                          unix_uid, add_date)
                       VALUES ('$users{$user}{user_name}',
                               '$users{$user}{email}',
-                              'X',
                               $realname,
                               '$users{$user}{status}',
                               '$users{$user}{shell}',
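Review bot: The rewritten INSERT still interpolates `$users{$user}{user_name}`, `{email}`, `{status}` and `{shell}` directly into the SQL text inside single quotes, while `$realname` two lines above goes through `$dbh->quote`; a shell or name value containing a quote breaks the statement, and since the column list is being edited anyway, quoting the remaining values the same way, e.g. `$user_name = $dbh->quote($users{$user}{user_name});`, or switching to placeholders would make the statement robust. The values come from the parsed passwd and shadow maps earlier in the file, so this is mostly a data-integrity concern; the statement continues past the end of the hunk.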

Modified: trunk/gforge_base/evolvisforge-5.1/src/debian/changelog
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/debian/changelog	2012-04-12 18:40:36 UTC (rev 18357)
+++ trunk/gforge_base/evolvisforge-5.1/src/debian/changelog	2012-04-12 18:40:40 UTC (rev 18358)
@@ -15,8 +15,9 @@
   * [#2969] Fix errors in Perl scripts
   * Rewrite authentication system; adds {SSHA}, SHA-256, SHA-512
   * Improve nss database view: prevent empty passwd, format problems
+  * Drop storing an unsalted MD5 hash of users’ passwords
 
- -- Thorsten Glaser <t.glaser at tarent.de>  Thu, 12 Apr 2012 19:55:06 +0200
+ -- Thorsten Glaser <t.glaser at tarent.de>  Thu, 12 Apr 2012 20:16:03 +0200
 
 fusionforge (5.1.1+evolvis52) unstable; urgency=high
 

Modified: trunk/gforge_base/evolvisforge-5.1/src/fusionforge-install-3-db.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/fusionforge-install-3-db.php	2012-04-12 18:40:36 UTC (rev 18357)
+++ trunk/gforge_base/evolvisforge-5.1/src/fusionforge-install-3-db.php	2012-04-12 18:40:40 UTC (rev 18358)
@@ -298,9 +298,9 @@
 
 //	run("su - postgres -c \"psql $gforge_db -c \\\"INSERT INTO users (user_name, user_pw, unix_pw) VALUES ('$admin_user', '$pw_md5', '$pw_crypt')\\\"\"");
 		if (file_exists ('/tmp/fusionforge-use-pfo-rbac')) { // USE_PFO_RBAC
-			run("su - postgres -c \"psql $gforge_db -c \\\"INSERT INTO users (user_name, realname, firstname, lastname, email, user_pw, unix_pw, status, theme_id) VALUES ('$admin_user', 'Forge Admin', 'Forge', 'Admin', 'root at localhost.localdomain', '$pw_md5', '$pw_crypt', 'A', 1); INSERT INTO user_group (user_id, group_id, admin_flags) VALUES (currval('users_pk_seq'), 1, 'A'); INSERT INTO pfo_user_role (user_id, role_id) VALUES (currval('users_pk_seq'), 3)\\\"\"");
+			run("su - postgres -c \"psql $gforge_db -c \\\"INSERT INTO users (user_name, realname, firstname, lastname, email, unix_pw, status, theme_id) VALUES ('$admin_user', 'Forge Admin', 'Forge', 'Admin', 'root at localhost.localdomain', '$pw_crypt', 'A', 1); INSERT INTO user_group (user_id, group_id, admin_flags) VALUES (currval('users_pk_seq'), 1, 'A'); INSERT INTO pfo_user_role (user_id, role_id) VALUES (currval('users_pk_seq'), 3)\\\"\"");
 		} else {
-			run("su - postgres -c \"psql $gforge_db -c \\\"INSERT INTO users (user_name, realname, firstname, lastname, email, user_pw, unix_pw, status, theme_id) VALUES ('$admin_user', 'Forge Admin', 'Forge', 'Admin', 'root at localhost.localdomain', '$pw_md5', '$pw_crypt', 'A', 1); INSERT INTO user_group (user_id, group_id, admin_flags) VALUES (currval('users_pk_seq'), 1, 'A')\\\"\"");
+			run("su - postgres -c \"psql $gforge_db -c \\\"INSERT INTO users (user_name, realname, firstname, lastname, email, unix_pw, status, theme_id) VALUES ('$admin_user', 'Forge Admin', 'Forge', 'Admin', 'root at localhost.localdomain', '$pw_crypt', 'A', 1); INSERT INTO user_group (user_id, group_id, admin_flags) VALUES (currval('users_pk_seq'), 1, 'A')\\\"\"");
 		}
 
 //echo "BREAKPOINT 2\n";
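Review bot: Both rewritten `run(...)` lines still embed `$pw_crypt` inside a double-quoted shell command handed to `su -c`; if `$pw_crypt` is a crypt(3)-style hash such as the SHA-256/SHA-512 forms the changelog mentions, its `$` separators are subject to shell parameter expansion inside those double quotes unless the value is escaped before interpolation, which this hunk does not show — confirm it is (for instance via `escapeshellarg` or by passing the value through `psql -v`), or the stored hash will be mangled and the admin account unusable. `$admin_user` is likewise interpolated unquoted into both the shell command and the SQL literal. The commented-out `run(...)` line at the top of the hunk still names `user_pw` and `$pw_md5` and can be deleted now that the column no longer exists.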

Modified: trunk/gforge_base/evolvisforge-5.1/src/install/install3
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/install/install3	2012-04-12 18:40:36 UTC (rev 18357)
+++ trunk/gforge_base/evolvisforge-5.1/src/install/install3	2012-04-12 18:40:40 UTC (rev 18358)
@@ -48,7 +48,7 @@
 create_db_admin_user(){
 	gforge_db="$1"
 	admin_user="$2"
-	su - postgres -c "psql $gforge_db -c \"INSERT INTO users (user_name, realname, firstname, lastname, email, user_pw, unix_pw, status, theme_id) VALUES ('$admin_user', 'Forge Admin', 'Forge', 'Admin', 'root at localhost.localdomain', 'INVALID', 'INVALID', 'A', 1); INSERT INTO user_group (user_id, group_id, admin_flags, role_id) VALUES (currval('users_pk_seq'), 1, 'A',17); INSERT INTO pfo_user_role (user_id, role_id) VALUES (currval('users_pk_seq'), 3)\""
+	su - postgres -c "psql $gforge_db -c \"INSERT INTO users (user_name, realname, firstname, lastname, email, unix_pw, status, theme_id) VALUES ('$admin_user', 'Forge Admin', 'Forge', 'Admin', 'root at localhost.localdomain', 'INVALID', 'A', 1); INSERT INTO user_group (user_id, group_id, admin_flags, role_id) VALUES (currval('users_pk_seq'), 1, 'A',17); INSERT INTO pfo_user_role (user_id, role_id) VALUES (currval('users_pk_seq'), 3)\""
 }
 
 find_psql_init(){
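Review bot: The rewritten `su - postgres -c` line interpolates `$admin_user`, taken verbatim from `$2`, into both the shell command string and a SQL string literal without quoting or validation; a value containing a quote or shell metacharacter breaks the command, and for an installer step running as root that is worth closing while the line is being touched. Either validate the name against the pattern the forge itself accepts for user names before use, or pass it with `psql -v admin_user="$admin_user"` and reference it as `:'admin_user'` inside the statement, which psql (9.0 and later) expands as a properly quoted SQL literal.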

Modified: trunk/gforge_base/evolvisforge-5.1/src/univention/ldap2psql.sh
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/univention/ldap2psql.sh	2012-04-12 18:40:36 UTC (rev 18357)
+++ trunk/gforge_base/evolvisforge-5.1/src/univention/ldap2psql.sh	2012-04-12 18:40:40 UTC (rev 18358)
@@ -104,7 +104,6 @@
 		# modify
 		cmd="$cmd, status='A'"
 		cmd="$cmd, email=$EmailPrimaryAddress"
-		cmd="$cmd, user_pw='X'"
 		cmd="$cmd, unix_pw=$Ecryptpw"
 		cmd="$cmd, realname=$Ern"
 		cmd="$cmd, firstname=$EgivenName"
@@ -113,12 +112,12 @@
 	cmd="$cmd WHERE user_name=$Euid;"
 elif (( taction == 1 )); then
 	# create new entry
-	cmd="INSERT INTO users (user_name, email, user_pw, realname,"
+	cmd="INSERT INTO users (user_name, email, realname,"
 	cmd="$cmd firstname, lastname, shell, unix_uid, unix_gid,"
 	cmd="$cmd add_date, confirm_hash, jabber_only, ccode, unix_pw,"
 	cmd="$cmd timezone, language, mail_siteupdates, mail_va, status,"
 	cmd="$cmd unix_status, sys_state, type_id, theme_id) VALUES ("
-	cmd="$cmd $Euid, $EmailPrimaryAddress, 'X', $Ern,"
+	cmd="$cmd $Euid, $EmailPrimaryAddress, $Ern,"
 	cmd="$cmd $EgivenName, $Esn, '/lib/anonsvnsh', 11, 11,"
 	cmd="$cmd $(date -u +'%s'), $EmodifyTimestamp, 0, 'DE', $Ecryptpw,"
 	cmd="$cmd 'Europe/Berlin', 1, 1, 0, 'A', 'A', 'N', 1,"


