archive
/
nextcloud
mirror of https://github.com/nextcloud/server.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #36428 from nextcloud/disable-db-user-create

Browse Source 
add option to disable db user creation trough environment variable
pull/36799/head
Robin Appelman 1 year ago committed by GitHub
parent c6c512a19d b923310580
commit 8bc9e23de5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 53 additions and 44 deletions
Show Stats Download Patch File Download Diff File

6
lib/private/Setup/AbstractDatabase.php
Unescape Escape View File

@ -57,6 +57,8 @@ abstract class AbstractDatabase {
protected $logger;
/** @var ISecureRandom */
protected $random;
/** @var bool */
protected $tryCreateDbUser;
public function __construct(IL10N $trans, SystemConfig $config, LoggerInterface $logger, ISecureRandom $random) {
$this->trans = $trans;
@ -88,6 +90,10 @@ abstract class AbstractDatabase {
$dbPort = !empty($config['dbport']) ? $config['dbport'] : '';
$dbTablePrefix = isset($config['dbtableprefix']) ? $config['dbtableprefix'] : 'oc_';
$createUserConfig = $this->config->getValue("setup_create_db_user", true);
// accept `false` both as bool and string, since setting config values from env will result in a string
$this->tryCreateDbUser = $createUserConfig !== false && $createUserConfig !== "false";
$this->config->setValues([
'dbname' => $dbName,
'dbhost' => $dbHost,

17
lib/private/Setup/MySQL.php
Unescape Escape View File

@ -49,7 +49,14 @@ class MySQL extends AbstractDatabase {
$connection = $this->connect(['dbname' => null]);
}
$this->createSpecificUser($username, new ConnectionAdapter($connection));
if ($this->tryCreateDbUser) {
$this->createSpecificUser($username, new ConnectionAdapter($connection));
}
$this->config->setValues([
'dbuser' => $this->dbUser,
'dbpassword' => $this->dbPassword,
]);
//create the database
$this->createDatabase($connection);
@ -147,8 +154,7 @@ class MySQL extends AbstractDatabase {
. $this->random->generate(2, ISecureRandom::CHAR_UPPER)
. $this->random->generate(2, ISecureRandom::CHAR_LOWER)
. $this->random->generate(2, ISecureRandom::CHAR_DIGITS)
. $this->random->generate(2, $saveSymbols)
;
. $this->random->generate(2, $saveSymbols);
$this->dbPassword = str_shuffle($password);
try {
@ -196,10 +202,5 @@ class MySQL extends AbstractDatabase {
$this->dbUser = $rootUser;
$this->dbPassword = $rootPassword;
}
$this->config->setValues([
'dbuser' => $this->dbUser,
'dbpassword' => $this->dbPassword,
]);
}
}

74
lib/private/Setup/PostgreSQL.php
Unescape Escape View File

@ -45,42 +45,44 @@ class PostgreSQL extends AbstractDatabase {
$connection = $this->connect([
'dbname' => 'postgres'
]);
//check for roles creation rights in postgresql
$builder = $connection->getQueryBuilder();
$builder->automaticTablePrefix(false);
$query = $builder
->select('rolname')
->from('pg_roles')
->where($builder->expr()->eq('rolcreaterole', new Literal('TRUE')))
->andWhere($builder->expr()->eq('rolname', $builder->createNamedParameter($this->dbUser)));
try {
$result = $query->execute();
$canCreateRoles = $result->rowCount() > 0;
} catch (DatabaseException $e) {
$canCreateRoles = false;
}
if ($canCreateRoles) {
$connectionMainDatabase = $this->connect();
//use the admin login data for the new database user
//add prefix to the postgresql user name to prevent collisions
$this->dbUser = 'oc_' . strtolower($username);
//create a new password so we don't need to store the admin config in the config file
$this->dbPassword = \OC::$server->getSecureRandom()->generate(30, ISecureRandom::CHAR_ALPHANUMERIC);
$this->createDBUser($connection);
// Go to the main database and grant create on the public schema
// The code below is implemented to make installing possible with PostgreSQL version 15:
// https://www.postgresql.org/docs/release/15.0/
// From the release notes: For new databases having no need to defend against insider threats, granting CREATE permission will yield the behavior of prior releases
// Therefore we assume that the database is only used by one user/service which is Nextcloud
// Additional services should get installed in a separate database in order to stay secure
// Also see https://www.postgresql.org/docs/15/ddl-schemas.html#DDL-SCHEMAS-PATTERNS
$connectionMainDatabase->executeQuery('GRANT CREATE ON SCHEMA public TO ' . addslashes($this->dbUser));
$connectionMainDatabase->close();
if ($this->tryCreateDbUser) {
//check for roles creation rights in postgresql
$builder = $connection->getQueryBuilder();
$builder->automaticTablePrefix(false);
$query = $builder
->select('rolname')
->from('pg_roles')
->where($builder->expr()->eq('rolcreaterole', new Literal('TRUE')))
->andWhere($builder->expr()->eq('rolname', $builder->createNamedParameter($this->dbUser)));
try {
$result = $query->execute();
$canCreateRoles = $result->rowCount() > 0;
} catch (DatabaseException $e) {
$canCreateRoles = false;
}
if ($canCreateRoles) {
$connectionMainDatabase = $this->connect();
//use the admin login data for the new database user
//add prefix to the postgresql user name to prevent collisions
$this->dbUser = 'oc_' . strtolower($username);
//create a new password so we don't need to store the admin config in the config file
$this->dbPassword = \OC::$server->getSecureRandom()->generate(30, ISecureRandom::CHAR_ALPHANUMERIC);
$this->createDBUser($connection);
// Go to the main database and grant create on the public schema
// The code below is implemented to make installing possible with PostgreSQL version 15:
// https://www.postgresql.org/docs/release/15.0/
// From the release notes: For new databases having no need to defend against insider threats, granting CREATE permission will yield the behavior of prior releases
// Therefore we assume that the database is only used by one user/service which is Nextcloud
// Additional services should get installed in a separate database in order to stay secure
// Also see https://www.postgresql.org/docs/15/ddl-schemas.html#DDL-SCHEMAS-PATTERNS
$connectionMainDatabase->executeQuery('GRANT CREATE ON SCHEMA public TO ' . addslashes($this->dbUser));
$connectionMainDatabase->close();
}
}
$this->config->setValues([

Write Preview
Loading…
Cancel
Save