From 686e2f66386a4603513dc3b731963a061f87a176 Mon Sep 17 00:00:00 2001
From: Chris Koeritz
Date: Wed, 7 Feb 2018 15:24:10 -0500
Subject: [PATCH 1/1] prototype password management methods used for getting the mysql password in the revamp script, reading it from cmd line as well as storing for later use.
---
 scripts/security/password_functions.sh | 70 +++++++++++++++++++++++
 scripts/site_avenger/revamp_cakelampvm.sh | 25 +++++---
 2 files changed, 87 insertions(+), 8 deletions(-)
 create mode 100644 scripts/security/password_functions.sh
diff --git a/scripts/security/password_functions.sh b/scripts/security/password_functions.sh
new file mode 100644
index 00000000..08409311
--- /dev/null
+++ b/scripts/security/password_functions.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+# a set of useful functions for managing operations with passwords.
+# a set of very simple operations, but the file needs to be protected from
+# undesirable access. a good way to do that is to make the file owned by
+# root, and for it to have permssions of "600" (full access by owner only),
+# and to only try to read the password file when in sudo mode. the first
+# two requirements are done automatically by the store_password function.
+
+# load_password:
+# provides a way to read a password out of a file.
+# the return value is an echoed password, so this method should always be
+# called from within a subshell, e.g.:
+# mypass="$(load_password /etc/glorp/secret_passcode)"
+# the returned echo will be blank if the function failed.
+function load_password()
+{
+ local passfile="$1"; shift
+ if [ -z "$passfile" ]; then
+ echo 'The load_password function needs a filename to read the password from.'
+ return 1
+ fi
+ local passwd
+ read passwd < "$passfile"
+ echo "$passwd"
+}
+
+# stores a password into a password file. the password file should be the
+# first parameter and the password should be the second.
+# this makes sure that only root can read the file.
+function store_password()
+{
+ local passfile="$1"; shift
+ local passwd="$1"; shift
+ if [ -z "$passfile" -o -z "$passwd" ]; then
+ echo '
+The store_password function needs (1) the file to store the password into,
+and (2) the password that should be stored.
+'
+ return 1
+ fi
+
+ echo "$passwd" > "$passfile"
+ test_or_die "writing password into the file $passfile"
+
+ chown root:root "$passfile"
+ test_or_die "chowning the password file to root ownership for: $passfile"
+
+ chmod 600 "$passfile"
+ test_or_die "restricting permissions on password file for: $passfile"
+}
+
+# reads a password from the console, without echoing the letters when they
+# are typed. the prompt to show the user is required as the first parameter.
+# the password read in is returned as an echo, like load_password above.
+function read_password()
+{
+ prompt="$1"; shift
+ echo -n "$prompt "
+ # turn off echo but remember former setting.
+ stty_orig=`stty -g`
+ stty -echo
+ read the_passwd
+ # turn echo back on.
+ stty $stty_orig
+ # return the password as an echo.
+ echo "$the_passwd"
+}
+
+
diff --git a/scripts/site_avenger/revamp_cakelampvm.sh b/scripts/site_avenger/revamp_cakelampvm.sh
index fe09c4d5..c5cf860f 100644
--- a/scripts/site_avenger/revamp_cakelampvm.sh
+++ b/scripts/site_avenger/revamp_cakelampvm.sh
@@ -16,21 +16,30 @@ export FEISTY_MEOW_APEX="$( \cd "$WORKDIR/../.." && \pwd )"
 export NO_HELLO=right
 source "$FEISTY_MEOW_APEX/scripts/core/launch_feisty_meow.sh"
+# load dependencies for our script.
 source "$FEISTY_MEOW_SCRIPTS/system/common_sysadmin.sh"
+source "$FEISTY_MEOW_SCRIPTS/security/password_functions.sh"
 
 ##############
 
-# new requirement is to get the sql root password, since we need to do some sql db configuration.
-echo -n "Please enter the MySQL root account password: "
-# turn off echo but remember former setting.
-stty_orig=`stty -g`
-stty -echo
-read mysql_passwd
-# turn echo back on.
-stty $stty_orig
+# new requirement to have the sql root password, since we need to do some sql db configuration.
+
+mysql_passwd="$(load_password /etc/mysql/secret_password)"
+if [ -z "$mysql_password" ]; then
+ mysql_password="$(read_password "Please enter the MySQL root account password:")"
+# echo -n "Please enter the MySQL root account password: "
+# # turn off echo but remember former setting.
+# stty_orig=`stty -g`
+# stty -echo
+# read mysql_passwd
+# # turn echo back on.
+# stty $stty_orig
+fi
 
 if [ -z "$mysql_passwd" ]; then
  echo "This script must have the sql root password to proceed."
  exit 1
+else
+ store_password /etc/mysql/secret_password "$mysql_password"
 fi
 
 ##############
-- 
2.34.1
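Review bot: read_password writes its prompt to stdout with `echo -n "$prompt "`, but the function is documented to be called as `$(read_password ...)`, so the prompt text is captured into the returned value instead of being shown to the user and the password comes back with the prompt prepended. The rewrite below sends the prompt to stderr and replaces the hand-rolled stty toggle (which never restores echo if the user interrupts while it is off) with bash's `read -rs`; `-r` also keeps backslashes in the password, and `read passwd < "$passfile"` in load_password should become `IFS= read -r passwd` for the same reason. In store_password, `echo "$passwd" > "$passfile"` creates the file under the caller's umask and only afterwards chmods it, so the password is briefly readable at the default mode; writing it with `( umask 077; printf '%s\n' "$passwd" > "$passfile" )` closes that window. test_or_die is not defined in this file and presumably comes from the script that sources it; a header comment naming that prerequisite would help the next reader.

```shell
function read_password()
{
  local prompt="$1"; shift
  local the_passwd
  # prompt on stderr so it is shown even when stdout is captured by $(...).
  printf '%s ' "$prompt" >&2
  # -s reads without echoing and restores the terminal itself; -r keeps backslashes.
  IFS= read -rs the_passwd
  printf '\n' >&2
  # return the password as an echo.
  printf '%s\n' "$the_passwd"
}
```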
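Review bot: The new block mixes two variable names: `mysql_passwd` receives the load_password result, but the emptiness test and the read_password assignment use `mysql_password`, so the prompt always runs, the later `-z "$mysql_passwd"` check exits whenever the file did not exist, and when the file did exist `store_password` is called with an empty second argument and fails its own check. The else branch also re-stores the password on every run even when it was just loaded, so the file write and chown/chmod in store_password repeat needlessly; storing only after a successful interactive read confines that to the first run. The rewrite below uses one name throughout and nests the store inside the prompt branch. Reading /etc/mysql/secret_password requires running as root given the root-owned 600 file store_password creates, which matches the new file's header note about sudo mode, but a one-line comment here saying the script expects to run under sudo would help. The commented-out stty lines duplicate what read_password now does and can be dropped.

```shell
mysql_passwd="$(load_password /etc/mysql/secret_password)"
if [ -z "$mysql_passwd" ]; then
  mysql_passwd="$(read_password "Please enter the MySQL root account password:")"
  if [ -z "$mysql_passwd" ]; then
    echo "This script must have the sql root password to proceed."
    exit 1
  fi
  # remember the password for later runs; store_password makes the file root-only.
  store_password /etc/mysql/secret_password "$mysql_passwd"
fi
```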