diff --git a/livesupport/bin/postInstallStation.sh b/livesupport/bin/postInstallStation.sh index fefb350ed..635b5c158 100755 --- a/livesupport/bin/postInstallStation.sh +++ b/livesupport/bin/postInstallStation.sh @@ -22,7 +22,7 @@ # # # Author : $Author: fgerlits $ -# Version : $Revision: 1.4 $ +# Version : $Revision: 1.5 $ # Location : $Source: /home/paul/cvs2svn-livesupport/newcvsrepo/livesupport/bin/postInstallStation.sh,v $ #------------------------------------------------------------------------------- #------------------------------------------------------------------------------- @@ -286,6 +286,21 @@ fi rm -f $group_tmp_file; +#------------------------------------------------------------------------------- +# Install the new pg_hba.conf file +#------------------------------------------------------------------------------- +echo "Modifying postgresql access permissions..."; + +pg_config_dir=/etc/postgresql +pg_config_file=pg_hba.conf +pg_config_file_saved=pg_hba.conf.before-livesupport + +if [ -f $pg_config_dir/$pg_config_file ] ; then + mf -f $pg_config_dir/$pg_config_file $pg_config_dir/$pg_config_file_saved ; +fi +cp $install_etc/$pg_config_file $pg_config_dir/$pg_config_file + + #------------------------------------------------------------------------------- # Create the necessary database user and database itself #------------------------------------------------------------------------------- diff --git a/livesupport/etc/Makefile.in b/livesupport/etc/Makefile.in index 919edb862..d72da9519 100644 --- a/livesupport/etc/Makefile.in +++ b/livesupport/etc/Makefile.in @@ -20,8 +20,8 @@ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # -# Author : $Author: tomas $ -# Version : $Revision: 1.17 $ +# Author : $Author: fgerlits $ +# Version : $Revision: 1.18 $ # Location : $Source: /home/paul/cvs2svn-livesupport/newcvsrepo/livesupport/etc/Makefile.in,v $ #------------------------------------------------------------------------------- 
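Review bot: The backup branch of the new pg_hba.conf block calls `mf -f`, which looks like a typo for `mv -f`. As written the rename fails and the unconditional `cp` on the next line overwrites the existing /etc/postgresql/pg_hba.conf with nothing saved, although the shipped file's own comment promises a copy under pg_hba.conf.before-livesupport. Even with the typo fixed, a second run would move the livesupport file over the saved original, so the save should be skipped when a backup already exists: `if [ -f "$pg_config_dir/$pg_config_file" ] && [ ! -e "$pg_config_dir/$pg_config_file_saved" ]; then` followed by `mv -f "$pg_config_dir/$pg_config_file" "$pg_config_dir/$pg_config_file_saved" || exit 1`. The hunk does not show the postmaster being reloaded or the copied file's owner and mode being set. The rest of the script is outside the hunk, so confirm both happen before the database user is created.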
@@ -431,6 +431,7 @@ install: setup compile create_database install_modules install_products ${CP} ${ETC_DIR}/apache/*.conf ${USR_ETC_DIR}/apache ${MKDIR} ${USR_BIN_DIR} ${CP} ${BIN_DIR}/postInstallStation.sh ${USR_BIN_DIR} + ${CP} ${ETC_DIR}/pg_hba.conf ${USR_ETC_DIR} create_database: ifeq (@CREATE_LS_DATABASE@,yes) diff --git a/livesupport/etc/debian/rules b/livesupport/etc/debian/rules index ca353e445..43098340e 100755 --- a/livesupport/etc/debian/rules +++ b/livesupport/etc/debian/rules @@ -116,6 +116,7 @@ install-arch: mv -f $(CURDIR)/debian/livesupport/opt/livesupport/var/cache \ $(CURDIR)/debian/livesupport-station/opt/livesupport/var mv -f $(CURDIR)/debian/livesupport/opt/livesupport/etc/apache \ + $(CURDIR)/debian/livesupport/opt/livesupport/etc/pg_hba.conf \ $(CURDIR)/debian/livesupport-station/opt/livesupport/etc # now separate the studio (client) files into debian/livesupport-studio diff --git a/livesupport/etc/pg_hba.conf b/livesupport/etc/pg_hba.conf new file mode 100644 index 000000000..8d7d88b7a --- /dev/null +++ b/livesupport/etc/pg_hba.conf 
@@ -0,0 +1,104 @@
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the PostgreSQL Administrator's Guide, chapter "Client
+# Authentication" for a complete description. A short synopsis
+# follows.
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access. Records take one of seven forms:
+#
+# local DATABASE USER METHOD [OPTION]
+# host DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTION]
+# hostssl DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTION]
+# hostnossl DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTION]
+# host DATABASE USER IP-ADDRESS/CIDR-MASK METHOD [OPTION]
+# hostssl DATABASE USER IP-ADDRESS/CIDR-MASK METHOD [OPTION]
+# hostnossl DATABASE USER IP-ADDRESS/CIDR-MASK METHOD [OPTION]
+#
+# (The uppercase quantities should be replaced by actual values.)
+# The first field is the connection type: "local" is a Unix-domain socket,
+# "host" is either a plain or SSL-encrypted TCP/IP socket, "hostssl" is an
+# SSL-encrypted TCP/IP socket, and "hostnossl" is a plain TCP/IP socket.
+# DATABASE can be "all", "sameuser", "samegroup", a database name (or
+# a comma-separated list thereof), or a file name prefixed with "@".
+# USER can be "all", an actual user name or a group name prefixed with
+# "+", an include file prefixed with "@" or a list containing either.
+# IP-ADDRESS and IP-MASK specify the set of hosts the record matches.
+# CIDR-MASK is an integer between 0 and 32 (IPv6) or 128(IPv6)
+# inclusive, that specifies the number of significant bits in the
+# mask, so an IPv4 CIDR-MASK of 8 is equivalent to an IP-MASK of
+# 255.0.0.0, and an IPv6 CIDR-MASK of 64 is equivalent to an IP-MASK
+# of ffff:ffff:ffff:ffff::. METHOD can be "trust", "reject", "md5",
+# "crypt", "password", "krb5", "ident", or "pam". Note that
+# "password" uses clear-text passwords; "md5" is preferred for
+# encrypted passwords. OPTION is the ident map or the name of the PAM
+# service.
+#
+# INCLUDE FILES:
+# If you use include files for users and/or databases (see PostgreSQL
+# documentation, section 19.1), these files must be placed in the
+# database directory. Usually this is /var/lib/postgres/data/, but
+# that can be changed in /etc/postgresql/postmaster.conf with the
+# POSTGRES_DATA variable. Putting them in /etc/postgresql/ will NOT
+# work since the configuration files are only symlinked from
+# POSTGRES_DATA.
+#
+# This file is read on server startup and when the postmaster receives
+# a SIGHUP signal. If you edit the file on a running system, you have
+# to SIGHUP the postmaster for the changes to take effect, or use
+# "pg_ctl reload".
+#
+# Upstream default configuration
+#
+# The following configuration is the upstream default, which allows
+# unrestricted access to amy database by any user on the local machine.
+#
+# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
+#
+#local all all trust
+# IPv4-style local connections:
+#host all all 127.0.0.1 255.255.255.255 trust
+# IPv6-style local connections:
+#
+# Put your actual configuration here
+# ----------------------------------
+#
+# This default configuration allows any local user to connect as himself
+# without a password, either through a Unix socket or through TCP/IP; users
+# on other machines are denied access.
+#
+# If you want to allow non-local connections, you need to add more
+# "host" records before the final line that rejects all TCP/IP connections.
+# Also, remember TCP/IP connections are only enabled if you enable
+# "tcpip_socket" in /etc/postgresql/postgresql.conf.
+#
+# DO NOT DISABLE!
+# If you change this first entry you will need to make sure the postgres user
+# can access the database using some other method. The postgres user needs
+# non-interactive access to all databases during automatic maintenance
+# (see the vacuum command and the /usr/lib/postgresql/bin/do.maintenance
+# script).
+#
+# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
+# Database administrative login by UNIX sockets
+local all postgres ident sameuser
+#
+# All other connections by UNIX sockets
+local all all ident sameuser
+#
+# The following line was inserted by the livesupport-station package installer
+# the original pg_hba.conf file is saved under pg_hba.conf.before-livesupport
+host all all 127.0.0.1 255.255.255.255 password
+#
+# All IPv4 connections from localhost
+host all all 127.0.0.1 255.255.255.255 ident sameuser
+#
+# All IPv6 localhost connections
+host all all ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ident sameuser
+host all all ::ffff:127.0.0.1/128 ident sameuser
+#
+# reject all other connection attempts
+host all all 0.0.0.0 0.0.0.0 reject
+
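Review bot: The installer-added record `host all all 127.0.0.1 255.255.255.255 password` allows clear-text password login over loopback TCP for every database and every role. That is wider than the package appears to need, and it uses the method this file's own header advises against in favour of md5. pg_hba.conf records are matched top-down and the first match wins, so the `host all all 127.0.0.1 255.255.255.255 ident sameuser` record directly below it can never be reached; it should be dropped or moved. I would scope the new record to the application's database and role and switch the method, e.g. `host <livesupport_db> <livesupport_user> 127.0.0.1 255.255.255.255 md5` (placeholders; the real names are not in this diff), keeping the ident record for all other loopback connections.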