From 3c881f9b5411c7c0d92941a743748ff6b7f6da16 Mon Sep 17 00:00:00 2001
From: Kirill Solomko
Date: Wed, 20 Jul 2016 12:04:10 +0200
Subject: [PATCH] MT#19407 ngcp-sync-grants disabled password for new users (security)
Change-Id: I8196616e42e4cb1c5c302072b83185b8c29f6977
---
 sbin/ngcp-sync-grants | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/sbin/ngcp-sync-grants b/sbin/ngcp-sync-grants
index 54d612bd..d7716c4a 100755
--- a/sbin/ngcp-sync-grants
+++ b/sbin/ngcp-sync-grants
@@ -20,6 +20,7 @@ my $grants = {};
 my $dbh;
 my $debug = 0;
 my $log_offset = 0;
+my $password_length = 20;
 my $recreate_user = 0;
@@ -145,10 +146,12 @@ sub apply_grants {
 my ($top, $user, $host) = @$data;
 $host = $as if $as;
 $log_offset = 1;
+ my $new_user = 0;
 log_debug(sprintf "[%s]%s", join('.', @$data), $as ? " as $as" : '');
 if (!$as && $recreate_user) {
 if (apply_drop_users($user)) {
 flush_privs();
+ $new_user = 1;
 }
 } else {
 return 0 unless check_grants($ptr->{$key}, $user, $host);
@@ -158,14 +161,14 @@ sub apply_grants {
 $log_offset = 2;
 log_info(sprintf "revoke all from: %s\@%s", $user, $host);
 $dbh->do("REVOKE ALL PRIVILEGES, GRANT OPTION FROM $user\@$host");
- if ($DBI::errstr
- &&
- ($DBI::errstr !~ /There is no such grant defined/ &&
- $DBI::errstr !~
- /revoke all privileges for one or more of the requested users/
- )) {
+ if ($DBI::errstr) {
+ if ($DBI::errstr =~
+ /revoke all privileges for one or more of the requested users/) {
+ $new_user = 1;
+ } elsif ($DBI::errstr !~ /There is no such grant defined/) {
 die sprintf "Cannot revoke privileges from %s\@%s: %s",
 $user, $host, $DBI::errstr;
+ }
 }
 }
 $rc++;
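Review bot: `$password_length` in the `@@ -20,6 +20,7 @@` hunk is declared but never read by any other hunk of this patch; the new-account path later writes the fixed marker `'!'` rather than a generated password. Unless code outside the visible hunks uses it, I would drop the line, or at least comment it, e.g. `# reserved for generated passwords; not used while new accounts get the '!' marker`, so a reader does not assume random passwords are being set.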
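Review bot: In the `@@ -158,14 +161,14 @@` hunk the decision that an account is new rests on the English text of the server error, `$DBI::errstr =~ /revoke all privileges for one or more of the requested users/`, and that decision now leads to the account's password being overwritten further down in apply_grants. Message text depends on the server's message language and version, and the match treats this error as proof that the account did not exist, which the visible code does not otherwise confirm. Comparing the numeric code in `$DBI::err` is sturdier, along the lines of `if ($DBI::err == 1269) { $new_user = 1 } elsif ($DBI::err != 1141) { die ... }` (MySQL's ER_REVOKE_GRANTS and ER_NONEXISTING_GRANT; confirm the codes against the deployed server). apply_grants starts and ends outside this hunk.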
@@ -182,6 +185,13 @@ sub apply_grants {
 $log_offset = 2;
 }
 }
+ if ($new_user) {
+ $dbh->do("UPDATE user SET Password = '!'
+ WHERE User = ? AND Host = ?",
+ undef, $user, $host);
+ die sprintf "Cannot update %s@%s with disabled password, %s",
+ $user, $host, $DBI::errstr if $DBI::err;
+ }
 } else {
 die "Unparsable grants structure elemenent: $key";
 }
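Review bot: The UPDATE in the `if ($new_user)` block only dies on `$DBI::err`, so a statement that matches zero rows passes silently and the account keeps whatever password the preceding grant statements left it with. That can happen here because `$user` and `$host` are interpolated raw into the REVOKE (`$user\@$host`) but bound as plain strings in this WHERE clause, so any quoted form that is valid in the former will not equal the stored `User`/`Host` values; I would capture the result, `my $rows = $dbh->do(...)`, and extend the guard to `if $DBI::err || $rows == 0`. A direct write to the grant table normally takes effect only once privileges are reloaded, and no `flush_privs()` call is visible after the UPDATE; the rest of apply_grants is outside the hunk, so confirm one follows before the account can be used. The unqualified table name `user` also assumes the connection's default schema is `mysql`; `mysql.user` would make that explicit.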