Does the PG Ruby Gem use pgpass when setting up PostgreSQL connection? - ruby

I'm writing a Ruby script that uses the PG gem to set up a database connection and send files. I'm structuring it to take variables for the hostname, username, database name, and port. In a Shell script I've written to manage some companion tasks, I rely on the password stored in ~/.pgpass instead of having the user enter a password for psql because there are a lot of transactions and sometimes entering the password can fail for no apparent reason (and it sucks entering it in 20 times).
Will PG access the same source when a password isn't explicitly provided? By convention, I've included the password in the file, but since this is being pushed to an internally available repo, I'd prefer not to have that information in my file. I'm trying to test the functionality now, but was wondering if anyone in the SO community knows the answer to this question. If PG doesn't access the .pgpass file, is there a way to reference the variable and write it into the file without prompting the user to enter the password?
Thanks in advance for your help.

Yes, it will use ~/.pgpass just like any interface based on libpq, the C PostgreSQL client library.
However, a good alternative for not having the password in a file is to have it in the PGPASSWORD environment variable. If you set this in a script, it will be inherited by every program it calls.
PGPASSWORD when set will be used as the password for any libpq connection, which means the majority of programs that connect to PostgreSQL.

Related

Is it possible to pass username and password in makefile?

Hi I'm using makefile to do lots of compiling and remote works.
In many occasion I would need to type in username and password for remote connection, VPN, code upload and other stuffs.
May it be possible to use makefile to auto type in the credential information?
Thanks a lot!
It is not the role of make to do this kind of thing. So there is no special support in a Makefile for handling credentials.
However, if you can get a shell script to do the "auto-typing" or provide the required credentials some other way, then you should be able to use the same approach in a Makefile.
We can't advise you on how the script would work, because you have given no actual details of the commands etc that you are using for remote access.
But if you are using ssh from a Linux box, you could use public key authentication and ssh-agent and avoid the problem entirely. This would be a lot more secure than:
using user / password auth at all, and
embedding passwords in your makefiles ... for someone else to find when they steal your laptop or whatever.

Correct way to edit pg_hba.conf

So, I am attempting to create an install script for my application (targeting Ubuntu 16). It has to create a postgresql user, grant permission to that user to authenticate via password, and grant permission to that user to authenticate locally. I only want to grant permission to do that on one database, the application database. So I need to insert the line local databasename username md5 above the lines that reject unknown connections, e.g., in the "Put your actual configuration here" section of pg_hba.conf. (pg_hba.conf uses position in the file to determine priority: first rule encountered that matches the connection gives the final result.)
To add this line, my script runs:
sudo awk '
/# Put your actual configuration here/ {
print "local databasename username md5"
}
{ print }
' /etc/postgresql/9.5/main/pg_hba.conf
# other setup
service postgresql restart
But that's less than optimal. First, the version number will change in the future, so hardcoding the directory is poor. Second, that's making a comment in someone else's project an actual structural part of the config file, which is a horrible idea from all possible points of view in all possible universes.
So my question is twopart. First, is there a good, correct, and accepted method to edit pg_hba.conf that I can use in an installation script instead of kitbashing about with text editors?
Second, if there is no good answer to the first part: is there a programmatic way to ask postgresql where it's pulling pg_hba from?
Is there a programmatic way to ask postgresql where it's pulling pg_hba from?
show hba_file;
-- or
select current_setting('hba_file');
Debian tool chain
So my question is twopart. First, is there a good, correct, and accepted method to edit pg_hba.conf that I can use in an installation script instead of kitbashing about with text editors?
Yes, however, you'll probably find it unsatisfactory.
Upstream, PostgreSQL doesn't support multiple versions and installs with their build tools. Debian does. So Debian has invented a concept of a cluster which is essentially a name and a version number.
Building a tool on Ubuntu or Debian, you should also probably use a name and version number.
Second, if there is no good answer to the first part: is there a programmatic way to ask postgresql where it's pulling pg_hba from?
Yes, there is a tool called pg_conftool. The default cluster's name is main. If you want the 9.5/main cluster. You can do this..
pg_conftool -s 9.5 main show hba_file
/etc/postgresql/9.5/main/pg_hba.conf
You can see conftool can make use of a version and name, but strictly it may not require one.
/usr/bin/pg_conftool [options] [<version> <cluster name>] [<configfile>] <command>
If you want to know more about a cluster in this context, check out check out all the binaries starting with pg_* but first and foremost pg_ctl and pg_ctlcluster (the debian wrapper)

firebird, Bad File Descriptor/Your user name and password are not defined

I am trying to set up a test environment on my mac (os 10.12) and it requires Fishbowl/Firebird DB. No matter what I do i bounce back and forth between these two errors:
isql localhost:/Users/me/Fishbowl/database/data/EXAMPLE.FDB
which gives me:
Your user name and password are not defined. Ask your database
administrator to set up a Firebird login.
And anything to do using gsec to create user or change password:
And:
Statement failed, SQLSTATE = HY000 operating system directive stat
failed
-Bad file descriptor
This is supremely frustrating. Fishbowl Client itself seems to hit this DB just fine. I have chmod 770 the /tmp/firebird directory and even tried to chown the example.fdb file itself.
Can anyone tell me how I might hit this DB from my java app or commandline? Both ways produce these errors.
1) Your connection line starts with "localhost:". That means you user TCP/IP connection to reach the database server. And the database server is running in a separate process. That means chmod and chown should not matter as long as there is firebird daemon server running and listening at TCP port ( default is 3050 AFAIR, you can read the value of your installation in the text file firebird.conf ).
Indeed, there is so-called "embedded server" or "embedded mode" where the server is loaded as DLL/SO library into the application. But then the connection string can not have network protocol prefix, so that should NOT be your case.
2) You can check documentation at http://firebirdsql.org/manual/isql-switches.html to specify your user and password in the isql command line. The Firebird has one built-in superuser, namely "SYSDBA". Regarding the password it might be a bit complicated.... It differs by Firebird version and platform
2.0) whatever SYSDBA password might be set by the server installation, if server comes in a bundle with some application the said application can override it later. Then you would either have to contact application developers or try to remove the bundled FB and install your own vanilla one, risking rendering the application no more functioning.
2.1) Windows installation of FB 2.x sets the "default" SYSDBA password as "masterkey" (only 8 first symbols actually matter)
2.2) Linux installation of FB 2.x generates a random SYSDBA password and saves it into a text file in Firebird folder.
2.3) MacOS ? Don't know. Perhaps it is closer to Linux than to Windows. So try to find such a text file and try "masterkey"
2.4) With FB 3 the authentication methods and configuration was greatly overhauled, so... So it is quite hard to tell something specific. At least for me.
3) I don't know what Fishbowl ever is, but Google suggests this: https://www.fishbowlinventory.com/wiki/Fishbowl_for_Mac
If that is so, then check the bottomline examples at that page. They stress that you should sudo all those commands. That also makes sense because
3.1) Firebird daemon might have "trusted authentication" enabled, mapping FB users to Operating System users. On UNIX that would at least map SYSDBA to root. On Windows - to Administrator (however it is localized). This does not have to be enabled, but if it is then sudo UNIX command is exactly what makes applications run with OS superuser grants and might explain lack of user and password in the command line examples.
3.2) Firebird embedded server/mode work as part of an application process, and especially with CS (Classic Server) package on UNIX the command line utilities tend to fall into this mode. Then again it needs to be run as root to read highly sensitive data from Firebird Security Database, thus the need to sudo the command. Granted, I do not think your isql command might ever run in embedded mode - because you do specify "localhost:' prefix. But the example at the wiki link above - backup and restore - they use local connection strings, so they probably do run as embedded. So that might give you yet another hint - to try remove "localhost:" prefix from the connection string and to sudo isql rather than running it from regular user. It would hardly be a normal mode, but for test purposes why not.
Hope this helps.
PS. you might also try this Firebird IDE - it is simplistic, but again, for testing purposes... http://www.flamerobin.org/dokuwiki/wiki/manual

JDBC via BPXBATCH - how to get TSO-user credentials?

I have a little java program that reads a db2 table via jdbc. This program is invoked via "tso bpxbatch myjavatool".
I wonder if there is the possibility to "pass" the username/password of my TSO user to the JDBC driver?
For example, if I connect to DB2 with a simple REXX script I don't have to specify my username/password again and DB2/RACF checks if my user is allowed to execute the SQLs.
Now my java tool is not running in my TSO address space but under the control of the J9 in the USS address space...
Is there also a way to automatically log in to DB2 with the current TSO user?
I don't know too much about BPXBATCH, but I assume you are still running under your own userid in the USS-address-space.
In your java-code you should be able to get your userid via
String user = System.getProperty("user.name");
As for the password you could try using RACF-Passtickets instead. There is a library IRRRacf.jar in /user/include/java_classes and the corresponding javadoc in IRRRacfDoc.jar in the same directory. the code for generating the Passticket is rather simple:
IRRPassTicket generator = new IRRPassTicket();
String ptkt = generator.generate(user,applid);
then just pass the passticket instead of the password and you should be fine.
Alas, there's several aspects you have to make sure of before using this approach:
Set up RACF to use Passtickets for DB2 - it might already be configured, else you'll have to set up proper profiles in the PTKTDATA-class (See RACF-documentation for more details)
Make sure each user running the code has the proper RACF authorization to use the r_ticketserv callable service (again, see RACF documentation)
Find the correct application-name (applid) for your DB2-system. See the DB2-documentation about using passtickets.

Store passwords in Ruby script

I wrote a helper script in Ruby to handle my file synchronization through some servers. It was used only in my intranet and authentication was made by SSH keys. But now I want to use it where I can't use SSH keys and I want to store the passwords in a config file.
I know, there are some encryption libraries like bcrypt or OpenSSL, but I have a problem with that:
I start my script and enter my passphrase and it is stored in a variable to decrypt my passwords.
My code is open source.
So everybody, who has access with my user to my computer (which would be the first barrier, which I'd like to extend) and looks into the memory (where my passphrase is stored) can decrypt my password file. How is that handled in applications which are relevant to security?
Edith says as a reply to DevDude (but here, because I want to keep my specifications in my question):
But then this configuration file would be plain text and not encrypted. And when I encrypt this file there are two more issues in my opinion:
The super_secret_pwd would be stored in a variable, so when I would search in the memory of the computer, I would find it, wouldnt I?
The master password for encryption would be in the memory as plain text, too.
So the big question is: Is it possible to read plain text variables from the memory? As I know it is possible in C and a big security issue.
What you are looking for is to use a YAML file with the password/API keys. and never check this file into your repo.
Then you can reference this file on your initializers, and maybe make the password a global variable or x, use configatron, etc.
This is basically how production applications work, they read their important settings from a YAML file stored on the server itself.
This is what I use:
#c = configatron
# Per environment settings
app_settings = YAML.load_file('config/secret_stuff.yml')
#c.password = app_settings['super_secret_pwd']
Do not use ENVIRONMENT variables because they have all sort of security issues. They are an antipattern.

Resources