03/10/2010

Worst web application database design I’ve ever seen

Lately I was given a task of moving some websites/webservices from real boxes to some VMs. Most of the sites were Joomla! applications so moving the installation was quite easy, tar files, check configuration.php for db username/pass/etc and dump the database on the old server and then copy these to the VM. Restore files, import database, minor path changes to configuration.php… that’s about it.

But then it was time to move an “eclass” application. Specifically it was an installation of Open eClass, a web based e-learning software created by Greek Academic Network. So I copied the files, found the configuration file with database credentials, dumped the db and moved it to the VM. The site came up but it was not functioning properly. Course material was missing from the website, but I could certainly see the files on the file system. I dumped the database again and re-imported it. Nothing, the site refused to work as expected. I went back to the original machine and shut down mysql to start it with “–skip-grant-tables” since I didn’t have the root mysql password. MySQL came up, I logged in as root and I typed: “show databases;”

Oh the horror!!!!
I couldn’t believe my eyes…in front of me there were more than 200 databases with the names of courses of the e-elearning platform! I shut down mysqld and restarted it normally. Then I logged in as the “eclass” user and issued the following:
show grants for eclass@localhost;
The output:

| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, CREATE TEMPORARY TABLES, LOCK TABLES ON *.* TO 'eclass'@'localhost' IDENTIFIED BY PASSWORD 'XX' | 
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, CREATE TEMPORARY TABLES, LOCK TABLES ON `eclassdb`.* TO 'eclass'@'localhost'  |

I immediately started thinking that someone had _really_ fucked up the installation. I went to Open eClass website and tried to search for documentation on installation instructions. I downloaded a pdf and I read between the installation instructions:

A “username” and a “password” for MySQL with database creation rights.

.
Okie..let’s translate that to simple english, it needs a ‘root’ mysql account renamed to something else.

I am not a web developer, I do not even consider myself a developer, but this setup makes no sense for me. Who and why decided that it would be a good idea to have a web application’s mysql user being able to create new databases ? Is this application only to be installed on a machine of its own ? If so, it’s such a waste of resources. I can understand the complexity and the extra time that a well designed and correctly normalized database requires, but this isn’t an excuse when creating software to be distributed and widely used by lots of people, especially universities. I can’t judge the application, it actually looks quite useful, but it’s setup certainly has design problems that need to be solved.

And finally, what “if” there is some security hole in the application (sql injections anyone?) and a malicious user starts dropping databases other than the ones belonging to eclass ? Who’s to blame for that ?

My advice to anyone running this application is to have it as isolated as possible from the rest of his infrastructure. Possibly in a virtual machine of its own. And there should be a warning about it on the website.

P.S. Looking at the credits, it seems that I know in person some of its developers, and that makes it ever harder to blog about what I faced. I’ll certainly ask them about this web application the next time I meet them though.

* Filed by kargig at 11:05 under Internet,Linux
Tags: , , , , , , , , ,
* 7 Comments | 15,846 views

08/06/2009

qt libraries upgrade problem for gentoo

To complement alex’s post upgrading Qt libraries in Gentoo with Portage, here’s what started it all. I wanted to upgrade my kpdf to the most recent version without upgrading world. So the output of emerge -1uDNavt kpdf looked like this:

[ebuild U ] kde-base/kpdf-3.5.10-r1 [3.5.9] USE="-debug (-arts%) (-kdeenablefinal%) (-xinerama%)" 6 kB [0]
[nomerge ] app-mobilephone/pysmssend-1.32 USE="qt4" [?]
[nomerge ] dev-python/PyQt4-4.4.4-r2 USE="X dbus opengl qt3support svg -debug -doc -examples -webkit" [0]
[ebuild U ] x11-libs/qt-qt3support-4.5.1 [4.4.2] USE="accessibility -custom-cxxflags% -debug -kde% -pch -phonon%" 111,980 kB [0]
[ebuild U ] x11-libs/qt-sql-4.5.1 [4.4.2-r1] USE="iconv qt3support sqlite -custom-cxxflags -debug -firebird -mysql -odbc -pch -postgres" 0 kB [0]
[nomerge ] kde-base/kpdf-3.5.10-r1 [3.5.9] USE="-debug (-arts%) (-kdeenablefinal%) (-xinerama%)" [0]
[ebuild N ] virtual/poppler-qt3-0.10.5 0 kB [0]
[nomerge ] dev-python/PyQt4-4.4.4-r2 USE="X dbus opengl qt3support svg -debug -doc -examples -webkit" [0]
[ebuild U ] x11-libs/qt-gui-4.5.1 [4.4.2-r3] USE="accessibility dbus glib gtkstyle%* qt3support -cups -custom-cxxflags -debug -mng -nas -nis -pch -raster% -tiff -xinerama" INPUT_DEVICES="(-wacom%)" 0 kB [0]
[ebuild U ] x11-libs/qt-script-4.5.1 [4.4.2] USE="iconv%* -custom-cxxflags% -debug -pch" 0 kB [0]
[ebuild U ] x11-libs/qt-dbus-4.5.1 [4.4.2] USE="-custom-cxxflags -debug -pch" 0 kB [0]
[nomerge ] dev-python/PyQt4-4.4.4-r2 USE="X dbus opengl qt3support svg -debug -doc -examples -webkit" [0]
[nomerge ] x11-libs/qt-svg-4.4.2 USE="-debug -pch" [0]
[blocks b ] >x11-libs/qt-script-4.4.2-r9999 (">x11-libs/qt-script-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks b ] >x11-libs/qt-dbus-4.4.2-r9999 (">x11-libs/qt-dbus-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[nomerge ] sys-boot/unetbootin-319 [0]
[nomerge ] x11-libs/qt-gui-4.5.1 [4.4.2-r3] USE="accessibility dbus glib gtkstyle%* qt3support -cups -custom-cxxflags -debug -mng -nas -nis -pch -raster% -tiff -xinerama" INPUT_DEVICES="(-wacom%)" [0]
[blocks b ] x11-libs/qt-qt3support-4.4.2-r9999 (">x11-libs/qt-qt3support-4.4.2-r9999" is blocking x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks b ] >x11-libs/qt-core-4.4.2-r9999 (">x11-libs/qt-core-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2)
[blocks b ] >x11-libs/qt-sql-4.4.2-r9999 (">x11-libs/qt-sql-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks b ] >x11-libs/qt-gui-4.4.2-r9999 (">x11-libs/qt-gui-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[ebuild U ] x11-libs/qt-test-4.5.1 [4.4.2] USE="iconv%* -custom-cxxflags% -debug -pch" 0 kB [0]
[ebuild U ] x11-libs/qt-core-4.5.1 [4.4.2-r2] USE="glib iconv qt3support ssl -custom-cxxflags -debug -doc -pch" 0 kB [0]
[nomerge ] kde-base/kpdf-3.5.10-r1 [3.5.9] USE="-debug (-arts%) (-kdeenablefinal%) (-xinerama%)" [0]
[ebuild U ] kde-base/kdeprint-3.5.10 [3.5.9] USE="kdehiddenvisibility -cups -debug -kde (-arts%) (-kdeenablefinal%) (-xinerama%)" 0 kB [0]
[nomerge ] app-text/epdfview-0.1.6-r1 USE="-cups -nls -test" [0]
[nomerge ] virtual/poppler-glib-0.10.5 USE="cairo" [0]
[nomerge ] app-text/poppler-bindings-0.10.5-r1 USE="cairo gtk qt3 qt4 -test" [0]
[nomerge ] app-text/poppler-0.10.5-r1 USE="-doc" [0]
[ebuild U ] media-libs/openjpeg-1.3-r2 [1.3] USE="-tools" 0 kB [0]
[nomerge ] kde-base/kdeprint-3.5.10 [3.5.9] USE="kdehiddenvisibility -cups -debug -kde (-arts%) (-kdeenablefinal%) (-xinerama%)" [0]
[ebuild U ] app-text/enscript-1.6.4-r4 [1.6.4-r3] USE="-nls -ruby" 1,013 kB [?=>0]
[nomerge ] app-pda/msynctool-0.21 [0]
[nomerge ] app-pda/libopensync-0.21 USE="-debug -doc -python" [0]
[ebuild U ] dev-db/sqlite-3.6.13 [3.6.11] USE="threadsafe -debug -doc -soundex -tcl" 0 kB [0]
[blocks B ] x11-libs/qt-test-4.4.2-r9999 (">x11-libs/qt-test-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks B ] >x11-libs/qt-script-4.4.2-r9999 (">x11-libs/qt-script-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks B ] >x11-libs/qt-dbus-4.4.2-r9999 (">x11-libs/qt-dbus-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks B ] x11-libs/qt-qt3support-4.4.2-r9999 (">x11-libs/qt-qt3support-4.4.2-r9999" is blocking x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks B ] x11-libs/qt-core-4.4.2-r9999 (">x11-libs/qt-core-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2)
[blocks B ] x11-libs/qt-sql-4.4.2-r9999 (">x11-libs/qt-sql-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks B ] >x11-libs/qt-gui-4.4.2-r9999 (">x11-libs/qt-gui-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks B ] =x11-libs/qt-svg-4.4.2:4 required by ('installed', '/', 'dev-python/PyQt4-4.4.4-r2', 'nomerge')
('ebuild', '/', 'x11-libs/qt-gui-4.5.1', 'merge') pulled in by
>=x11-libs/qt-gui-4.4.2:4 required by ('installed', '/', 'dev-python/PyQt4-4.4.4-r2', 'nomerge')
x11-libs/qt-gui required by ('installed', '/', 'media-video/vlc-0.9.8a', 'nomerge')
x11-libs/qt-gui required by ('installed', '/', 'sys-boot/unetbootin-319', 'nomerge')
(and 4 more)
('ebuild', '/', 'x11-libs/qt-test-4.5.1', 'merge') pulled in by
x11-libs/qt-test:4 required by ('installed', '/', 'app-text/poppler-bindings-0.10.5-r1', 'nomerge')
('ebuild', '/', 'x11-libs/qt-qt3support-4.5.1', 'merge') pulled in by
~x11-libs/qt-qt3support-4.5.1[-debug] required by ('ebuild', '/', 'x11-libs/qt-gui-4.5.1', 'merge')
>=x11-libs/qt-qt3support-4.4.2:4 required by ('installed', '/', 'dev-python/PyQt4-4.4.4-r2', 'nomerge')
('installed', '/', 'x11-libs/qt-opengl-4.4.2', 'nomerge') pulled in by
>=x11-libs/qt-opengl-4.4.2:4 required by ('installed', '/', 'dev-python/PyQt4-4.4.4-r2', 'nomerge')
('ebuild', '/', 'x11-libs/qt-dbus-4.5.1', 'merge') pulled in by
~x11-libs/qt-dbus-4.5.1[-debug] required by ('ebuild', '/', 'x11-libs/qt-gui-4.5.1', 'merge')
>=x11-libs/qt-dbus-4.4.2:4 required by ('installed', '/', 'dev-python/PyQt4-4.4.4-r2', 'nomerge')
('installed', '/', 'x11-libs/qt-core-4.4.2-r2', 'nomerge') pulled in by
~x11-libs/qt-core-4.4.2 required by ('installed', '/', 'x11-libs/qt-script-4.4.2', 'nomerge')
x11-libs/qt-core required by ('installed', '/', 'media-video/vlc-0.9.8a', 'nomerge')
x11-libs/qt-core:4[qt3support] required by ('installed', '/', 'app-admin/keepassx-0.4.0', 'nomerge')
(and 7 more)
('installed', '/', 'x11-libs/qt-dbus-4.4.2', 'nomerge') pulled in by
>=x11-libs/qt-dbus-4.4.2:4 required by ('installed', '/', 'dev-python/PyQt4-4.4.4-r2', 'nomerge')
~x11-libs/qt-dbus-4.4.2 required by ('installed', '/', 'x11-libs/qt-gui-4.4.2-r3', 'nomerge')
('installed', '/', 'x11-libs/qt-qt3support-4.4.2', 'nomerge') pulled in by
~x11-libs/qt-qt3support-4.4.2 required by ('installed', '/', 'x11-libs/qt-gui-4.4.2-r3', 'nomerge')
>=x11-libs/qt-qt3support-4.4.2:4 required by ('installed', '/', 'dev-python/PyQt4-4.4.4-r2', 'nomerge')
('installed', '/', 'x11-libs/qt-xmlpatterns-4.4.2', 'nomerge') pulled in by
x11-libs/qt-xmlpatterns:4 required by ('installed', '/', 'app-admin/keepassx-0.4.0', 'nomerge')
('installed', '/', 'x11-libs/qt-gui-4.4.2-r3', 'nomerge') pulled in by
>=x11-libs/qt-gui-4.4.2:4 required by ('installed', '/', 'dev-python/PyQt4-4.4.4-r2', 'nomerge')
x11-libs/qt-gui required by ('installed', '/', 'media-video/vlc-0.9.8a', 'nomerge')
x11-libs/qt-gui required by ('installed', '/', 'sys-boot/unetbootin-319', 'nomerge')
(and 6 more)
('ebuild', '/', 'x11-libs/qt-core-4.5.1', 'merge') pulled in by
~x11-libs/qt-core-4.5.1[qt3support,-debug] required by ('ebuild', '/', 'x11-libs/qt-sql-4.5.1', 'merge')
x11-libs/qt-core:4[qt3support] required by ('installed', '/', 'app-admin/keepassx-0.4.0', 'nomerge')
~x11-libs/qt-core-4.5.1[-debug] required by ('ebuild', '/', 'x11-libs/qt-script-4.5.1', 'merge')
(and 7 more)

The output is also at: http://dpaste.com/52703/
Unless you are a Gentoo Developer there is no easy way to understand the output.
So I joined #gentoo-el on Freenode to ask the greek gentoo developers (hwoarang, deathwing00, tampakrap, wired, yngwin), which happen to be on QT/KDE herds, to explain to me what’s wrong.
I was suggested to run an emerge -uDavt world to upgrade my whole system, but that’s not what I wanted and I asked for a solution that would not involve upgrading the whole system. The following is the output of emerge -uDNavt world:

http://pastebin.com/m8371430

Then they explained to me that there has been a change on QT eclass to provide protection to the system from having mixed QT versions. The problem is that the protection works by blocking the mix, but the output is at least “unfriendly”.

The solution, as alex said is to do: emerge -av1 `eix -I --only-names x11-libs/qt-`

Even though eix is a standard tool every gentoo user has probably installed, I don’t really like the solution because it depends on using another extra program, eix, and not pure portage techniques. Portage should be able, somehow, to handle these dependency problems and provide a custom error when such a problem occurs. The errors on “-9999” versions need vast improvement.

I hope Gentoo devs do something about improving portage even more 🙂

*EDIT*
After a small conversation with alex, I completely unmerged my x11-libs/qt-4.X package. As it seems it’s not needed at all any longer since all programs correctly reference the x11-libs/qt-NAME-4.X.

* Filed by kargig at 21:35 under Gentoo,Linux
Tags: , , , , , ,
* 1 Comment | 11,257 views