GENI-NSF / geni-portal

A UI for a GENI clearinghouse

Don't use ~www-data/.pgpass, use /etc/geni-ch/.pgpass #637

Open MarshallBrinn opened 9 years ago

MarshallBrinn commented 9 years ago

It is a bad thing to be placing the database password in ~www-data which is publicly available. We should put the .pgpass file in some public place (e.g. /etc/geni-ch) and then invoke the psql command with the PGPASS= variable set.

This needs to be changed in our import_database.py script and some installation scripts that actually place the file in that location permanently.

Imported from trac ticket #637, created by mbrinn on 06-20-2013 at 10:55, last modified: 03-31-2015 at 14:27

ahelsing commented 9 years ago

I believe the import_database.py diff for this is:

diff --git a/sbin/import_database.py b/sbin/import_database.py
index f91e161.77d9033 100755
--- a/sbin/import_database.py
+++ b/sbin/import_database.py
@@ -91,7 +91,8 @@ class DatabaseImporter:
             run_cmd = ['/bin/bash', filename]
             if as_user:
                 os.chmod(filename, 0777)
-                run_cmd = ['sudo',  '-u', as_user, filename]
+                run_cmd = ['sudo',  '-u', as_user,
+                           'PGPASSFILE=/etc/geni-ch/.pgpass', filename]
             subprocess.call(run_cmd)
         except Exception as e:
             print "Error running shell command: " + " ".join(run_cmd)
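Review bot: the added PGPASSFILE argument only covers the `as_user` branch; when `as_user` is not set, `run_cmd = ['/bin/bash', filename]` still runs without it, so psql on that path falls back to the invoking user's ~/.pgpass. Setting it in the environment passed to `subprocess.call` for both paths (e.g. `env=dict(os.environ, PGPASSFILE='/etc/geni-ch/.pgpass')`) would cover both and would not depend on sudo accepting `VAR=value` on the command line, which it only does when the setenv option or SETENV tag applies or the variable passes env_keep/env_check. Two related points the hunk exposes: /etc/geni-ch/.pgpass must be owned by the target user and mode 0600 or libpq ignores it, and `os.chmod(filename, 0777)` one line above leaves the script world-writable before it is run under sudo, which running it as `'/bin/bash', filename` instead would avoid.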

I'm not going to bother to make the change myself, because I don't know what the other changes Marshall mentioned are, but I believe that change will do it in terms of making sure www-data uses the right environment variable for all psql-using subcommands spawned by import_database.py.

Trac comment by chaos on 07-02-2013 at 15:34

ahelsing commented 9 years ago

We also need to edit:

./install-ch.sh:32:  PORTAL_PASSWORD_FILE_USER='www-data'

Note that ~www-data/.pgpass does not exist on nye, and neither of these scripts is ever run on nye.

Trac comment by ahelsing on 08-13-2013 at 16:24
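The relocation and PGPASSFILE handling discussed in this thread, as an added example that is not geni-portal code; the function names, the /var/www home check and the uid-based ownership check are assumptions, and the sample file in `demo()` is constructed:

```python
# Added example, not geni-portal code: checks for the relocated .pgpass and a
# PGPASSFILE-setting command for import_database.py's shell steps.
import os
import stat
import tempfile

PGPASS_PATH = "/etc/geni-ch/.pgpass"   # location proposed in the ticket


def pgpass_problems(path, mode, uid, expected_uid, web_homes=("/var/www",)):
    """Reasons a candidate .pgpass should not be used (pure, so testable)."""
    problems = []
    if any(path == h or path.startswith(h.rstrip("/") + "/") for h in web_homes):
        problems.append("lives under web-served home: %s" % path)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        # libpq silently ignores .pgpass unless it is 0600 or stricter
        problems.append("mode %o allows group/other access" % stat.S_IMODE(mode))
    if uid != expected_uid:
        problems.append("owned by uid %d, expected %d" % (uid, expected_uid))
    return problems


def check_pgpass_file(path, expected_uid):
    """Stat a real file; [] means psql running as expected_uid can use it.
    For www-data pass pwd.getpwnam('www-data').pw_uid (assumed usage)."""
    st = os.stat(path)
    return pgpass_problems(path, st.st_mode, st.st_uid, expected_uid)


def build_run_cmd(filename, as_user=None, pgpass=PGPASS_PATH):
    """Command and environment for one shell step: PGPASSFILE is set on both
    paths so psql never falls back to ~/.pgpass, and the script runs through
    /bin/bash so it needs no chmod 0777."""
    env = dict(os.environ, PGPASSFILE=pgpass)
    if as_user:
        # sudo accepts VAR=value before the command when sudoers permits it
        cmd = ["sudo", "-u", as_user, "PGPASSFILE=" + pgpass, "/bin/bash", filename]
    else:
        cmd = ["/bin/bash", filename]
    return cmd, env


def demo():
    """Constructed 0600 file owned by the caller: expected result is []."""
    fd, path = tempfile.mkstemp(prefix="pgpass-")
    os.close(fd)
    os.chmod(path, 0o600)
    try:
        return check_pgpass_file(path, os.getuid())
    finally:
        os.unlink(path)
```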