From 309cea9e275fd72783f3a9688029e42ad960d070 Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Wed, 17 Oct 2012 10:44:11 +0200 Subject: [PATCH] Grant all privileges on all databases to sqladmin and use this account for admin users instead of using root user --- .../db/configuration/migrate/phpmyadmin | 19 ++++++++++++++----- .../templates/etc/e-smith/sql/init/phpmyadmin | 5 ++++- .../etc/phpMyAdmin/sso.inc.php/10All | 6 +++--- 3 files changed, 21 insertions(+), 9 deletions(-) diff --git a/root/etc/e-smith/db/configuration/migrate/phpmyadmin b/root/etc/e-smith/db/configuration/migrate/phpmyadmin index 01732ae..f4c0a23 100644 --- a/root/etc/e-smith/db/configuration/migrate/phpmyadmin +++ b/root/etc/e-smith/db/configuration/migrate/phpmyadmin @@ -3,9 +3,18 @@ || $DB->new_record('phpmyadmin', {type => 'webapp'}); my $pw = $rec->prop('DbPassword'); if (not $pw or length($pw) < 57){ - use MIME::Base64 qw(encode_base64); + my $pw = gen_pw(); + $rec->set_prop('DbPassword', $pw); + } + $pw = $rec->prop('AdminPassword'); + if (not $pw or length($pw) < 57){ + my $pw = gen_pw(); + $rec->set_prop('AdminPassword', $pw); + } - $pw = "not set due to error"; + sub gen_pw { + use MIME::Base64 qw(encode_base64); + my $p = "not set due to error"; if ( open( RANDOM, "/dev/urandom" ) ){ my $buf; # 57 bytes is a full line of Base64 coding, and contains @@ -14,15 +23,15 @@ warn("Short read from /dev/random: $!"); } else{ - $pw = encode_base64($buf); - chomp $pw; + $p = encode_base64($buf); + chomp $p; } close RANDOM; } else{ warn "Could not open /dev/urandom: $!"; } - $rec->set_prop('DbPassword', $pw); + return $p; } } diff --git a/root/etc/e-smith/templates/etc/e-smith/sql/init/phpmyadmin b/root/etc/e-smith/templates/etc/e-smith/sql/init/phpmyadmin index ebe8922..bd862c0 100644 --- a/root/etc/e-smith/templates/etc/e-smith/sql/init/phpmyadmin +++ b/root/etc/e-smith/templates/etc/e-smith/sql/init/phpmyadmin 
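Review bot: In the first hunk both new callers store whatever `gen_pw()` returns, yet the helper still initialises `$p` to the literal `"not set due to error"` and returns it on every failure path, so a host where /dev/urandom cannot be opened or read ends up with that fixed, publicly known string as DbPassword and now also as AdminPassword, the credential the sql/init template grants ALL ON *.* WITH GRANT OPTION to. Make failure return undef instead, `my $p;` in place of the sentinel assignment in the first hunk (the `return $p;` in the second hunk then needs no change), and guard each caller with `my $new = gen_pw(); $rec->set_prop('AdminPassword', $new) if defined $new;` so a failed generation leaves the prop unset and the `length($pw) < 57` test retries on the next migration instead of persisting a bogus password. The `my $pw = gen_pw();` inside each `if` also shadows the outer `$pw` declared two lines above, which only hides the problem and triggers a "masks earlier declaration" warning; use a distinct name or drop the `my`. The enclosing block of this migrate fragment starts before the first hunk, so whether a named `sub` declared here is re-evaluated more than once per process (and warns about redefinition) cannot be judged from the diff.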
@@ -2,6 +2,7 @@ my $db = $phpmyadmin{'DbName'} || 'phpmyadmin'; my $user = $phpmyadmin{'DbUser'} || 'phpmyadmin'; my $pass = $phpmyadmin{'DbPassword'} || 'phpmyadmin'; +my $admpass = $phpmyadmin{'AdminPassword'} || 'adminpass'; my $dbstruct = `rpm -qd ipasserelle-phpmyadmin | grep phpmyadmin.sql`; @@ -40,8 +41,10 @@ REPLACE INTO db ( 'Y', 'Y', 'Y', 'Y', 'Y', 'N', 'Y', 'Y'); +GRANT ALL ON *.* TO 'sqladmin'\@'localhost' IDENTIFIED BY '$admpass' + WITH GRANT OPTION; + FLUSH PRIVILEGES; EOF END } - diff --git a/root/etc/e-smith/templates/etc/phpMyAdmin/sso.inc.php/10All b/root/etc/e-smith/templates/etc/phpMyAdmin/sso.inc.php/10All index 1a6c975..cf0a363 100644 --- a/root/etc/e-smith/templates/etc/phpMyAdmin/sso.inc.php/10All +++ b/root/etc/e-smith/templates/etc/phpMyAdmin/sso.inc.php/10All @@ -1,7 +1,7 @@ { use esmith::AccountsDB; -use esmith::util; +my $admpass = $phpmyadmin{'AdminPassword'} || 'admpass'; my $a = esmith::AccountsDB->open_ro or die "Couldn't open AccountsDB\n"; $OUT .= "// login and password for MySQL access\n"; @@ -13,8 +13,8 @@ foreach my $u ($a->users,$a->get('admin')){ # Members of the admins group automatically have # full privileges on MySQL if (($a->is_user_in_group($user,'admins')) || ($a->is_user_in_group($user,'mysqladmins'))){ - $login = 'root'; - $pass = esmith::util::LdapPassword(); + $login = 'sqladmin'; + $pass = $admpass; } next unless (($login ne '') && ($pass ne '')); $OUT .= "// Credentials for $user\n";
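Review bot: `my $admpass = $phpmyadmin{'AdminPassword'} || 'adminpass';` in the sql/init template silently falls back to a fixed default for an account that the next hunk grants ALL ON *.* WITH GRANT OPTION, so a host whose migrate fragment has not run, or failed, gets a superuser password that is readable in this commit. The sso.inc.php template added in the same commit uses a different fallback, `'admpass'`, so in that situation the two files do not even agree and the mismatch would only surface as failed logins. Prefer failing loudly over defaulting: `my $admpass = $phpmyadmin{'AdminPassword'} or die "phpmyadmin AdminPassword is not set\n";`, assuming a die inside the fragment aborts expansion the way the `open_ro or die` in sso.inc.php does; otherwise emit the GRANT only when the prop is set. The same applies to the fallback in the first sso.inc.php hunk.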
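Review bot: The new `GRANT ALL ON *.* TO 'sqladmin'\@'localhost' IDENTIFIED BY '$admpass'` interpolates the password into a single-quoted SQL literal without escaping; the value produced by gen_pw() is Base64 and harmless, but AdminPassword is an ordinary configuration-DB prop that an administrator can set by hand, and a quote or backslash in it breaks the statement or changes what it grants. Escape before interpolating, `(my $sqlpass = $admpass) =~ s/(['\\])/\\$1/g;` next to the `my $admpass` line and use `'$sqlpass'` in the heredoc. Since the expanded file now carries a superuser-equivalent password, also confirm that the template metadata keeps it readable by root only; that metadata is not part of this diff.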
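Review bot: `$login = 'sqladmin'; $pass = $admpass;` replaces a secret derived at expansion time by `esmith::util::LdapPassword()` with a persisted configuration-DB prop, so whoever can read the configuration DB now also holds a MySQL account with GRANT ALL ON *.*; that is acceptable only if the DB file's permissions are as restrictive as the LDAP secret's were, which the diff cannot show. The same `$pass` is later written into the generated PHP for every member of `admins` or `mysqladmins` by code outside this hunk (the `foreach` loop starts before it), so the PHP emission needs the same quoting care as the SQL template, because a hand-set prop may contain a quote. Consider a short comment above the assignment, `# sqladmin is created by the sql/init/phpmyadmin template with this same AdminPassword prop`, so the coupling between the two templates is visible to the next maintainer.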