Major redesign of the MySQL backend interface to fix a security issue.

See: #318. As of now, the MySQL configuration used everywhere by AlternC is not stored in the main configuration file (/etc/alternc/local.sh) but in a MySQL configuration file in /etc/alternc/my.cnf, which enables us to call mysql without exposing the password on the commandline. The changes here are quite invasive but will allow us to factor out the MySQL configuration better. See #364. This includes a partial rewrite of the mysql.sh logic, which is now ran from the postinst script (and not alternc.install) which will allow us to actually change the MySQL root user properly. See #601. This commit was tested like this: * clean install on etch (working) * upgrade from a clean 0.9.7 (working)
2008-04-13 04:35:19 +00:00 · 2008-04-13 04:35:19 +00:00 · d5a4c72e4a
parent 7e3fcdf646
commit d5a4c72e4a
16 changed files with 211 additions and 92 deletions
--- a/bureau/class/local.php
+++ b/bureau/class/local.php
@ -13,7 +13,7 @@ $compat = array('DEFAULT_MX'   => 'MX',

 $config_file = fopen('/etc/alternc/local.sh', 'r');
 while (FALSE !== ($line = fgets($config_file))) {
-    if (ereg('^([A-Z0-9_]*)="([^"]*)"', $line, $regs)) {
+    if (preg_match('/^([A-Za-z0-9_]*) *= *"?(.*?)"?$/', trim($line), $regs)) {
        $GLOBALS['L_'.$regs[1]] = $regs[2];
        if (isset($compat[$regs[1]])) {
            $GLOBALS['L_'.$compat[$regs[1]]] = $regs[2];
@ -22,3 +22,25 @@ while (FALSE !== ($line = fgets($config_file))) {
 }

 fclose($config_file);
+
+$config_file = fopen('/etc/alternc/my.cnf', 'r');
+while (FALSE !== ($line = fgets($config_file))) {
+    if (preg_match('/^([A-Za-z0-9_]*) *= *"?(.*?)"?$/', trim($line), $regs)) {
+        switch ($regs[1]) {
+        case "user":
+            $GLOBALS['L_MYSQL_LOGIN'] = $regs[2];
+            break;
+        case "password":
+            $GLOBALS['L_MYSQL_PWD'] = $regs[2];
+            break;
+        case "host":
+            $GLOBALS['L_MYSQL_HOST'] = $regs[2];
+            break;
+        case "database":
+            $GLOBALS['L_MYSQL_DATABASE'] = $regs[2];
+            break;
+        }
+    }
+}
+
+fclose($config_file);
--- a/debian/changelog
+++ b/debian/changelog
@ -1,5 +1,10 @@
 alternc (0.9.7+dev) stable; urgency=low UNRELEASED

+  * move mysql configuration into a valid MySQL configuration file
+    (/etc/alternc/my.cnf). This fixes a serious security issue (#318)
+    where the MySQL root password was passed on the commandline.  Those
+    changes are pretty invasive and might break upgrades, cron jobs and
+    your cat...
  * standardisation of the web interface, along with some esthetic changes, by
    Marc Angles, sponsored by Koumbit
  * styles can now be changed locally in admin/styles/base.css
--- a/debian/config
+++ b/debian/config
@ -38,6 +38,16 @@ if [ -r /etc/alternc/local.sh ]; then
    # source the current config
    . /etc/alternc/local.sh
 fi
+if [ -r /etc/alternc/my.cnf ]; then
+    # make mysql configuration available as shell variables
+    # to convert from .cnf to shell syntax, we:
+    # * match only lines with "equal" in them (/=/)
+    # * remove whitespace around the = and add a left quote operator ' (;s)
+    # * add a right quote operator at the end of line (;s)
+    # * convert mysql variables into our MYSQL_ naming convention (;s)
+    # * print the result (;p)
+    eval `sed -n -e "/=/{s/ *= */='/;s/\$/'/;s/host/MYSQL_HOST/;s/user/MYSQL_LOGIN/;s/password/MYSQL_PASS/;s/database/MYSQL_DATABASE/;p}" /etc/alternc/my.cnf`
+fi

 # mettre les valeurs de local.sh comme "default" pour debconf
 db_get alternc/hostingname
--- a/debian/postinst
+++ b/debian/postinst
@ -83,11 +83,8 @@ BIND_INTERNAL=""
 # Mail server hostname
 DEFAULT_MX=""

-# MySQL configuration
-MYSQL_HOST=""
-MYSQL_DATABASE=""
-MYSQL_USER=""
-MYSQL_PASS=""
+# Note: MySQL username/password configuration now stored in /etc/alternc/my.cnf
+
 # quels clients mysql sont permis (%, localhost, etc)
 MYSQL_CLIENT=""

@ -119,16 +116,29 @@ EOF
    update_var alternc/ns2 NS2_HOSTNAME
    update_var alternc/bind_internal BIND_INTERNAL
    update_var alternc/default_mx DEFAULT_MX 
-    update_var alternc/mysql/host MYSQL_HOST 
-    update_var alternc/mysql/db MYSQL_DATABASE 
-    update_var alternc/mysql/user MYSQL_USER 
-    update_var alternc/mysql/password MYSQL_PASS 
    update_var alternc/mysql/client MYSQL_CLIENT 
    update_var alternc/alternc_location ALTERNC_LOC
    update_var alternc/mynetwork SMTP_RELAY_NETWORKS
    sed -e "$SED_SCRIPT" < $CONFIGFILE > $CONFIGFILE.tmp
    mv -f $CONFIGFILE.tmp $CONFIGFILE

+    # Setup grants
+    db_get "alternc/mysql/host"
+    MYSQL_HOST="$RET"
+    if [ "$MYSQL_HOST" != "localhost" -o -e /usr/sbin/mysqld ]; then
+        # compatibility shims with my.cnf
+        host="$RET"
+        db_get "alternc/mysql/db"
+        database="$RET"
+        db_get "alternc/mysql/user"
+        user="$RET"
+        db_get "alternc/mysql/password"
+        password="$RET"
+        
+        # we source (instead of forking) mysql.sh so that it gets the local environment above
+        . /usr/share/alternc/install/mysql.sh
+    fi
+
    # forget the password
    db_reset alternc/mysql/password || true
    db_fset alternc/mysql/password "seen" "false" || true
--- a/debian/postrm
+++ b/debian/postrm
@ -15,7 +15,7 @@ set -e

 case "$1" in
  purge)
-    rm -f /etc/alternc/local.sh /etc/alternc/bureau.conf
+    rm -f /etc/alternc/local.sh /etc/alternc/my.cnf /etc/alternc/bureau.conf
    rm -f /var/backups/alternc/etc-installed.tar.gz

    # Purge database?
--- a/install/alternc.install
+++ b/install/alternc.install
@ -5,6 +5,9 @@
 # on a new server. THIS SCRIPT ERASE ALL DATA ON THE AlternC SYSTEM !!
 # YOU HAVE BEEN WARNED !

+# This script now assumes it has MySQL connectivity through
+# /etc/alternc/my.cnf
+
 set -e 

 . /usr/lib/alternc/functions.sh
@ -78,6 +81,18 @@ fi

 . /etc/alternc/local.sh

+# XXX: copy-paste from debian/config
+if [ -r /etc/alternc/my.cnf ]; then
+    # make mysql configuration available as shell variables
+    # to convert from .cnf to shell syntax, we:
+    # * match only lines with "equal" in them (/=/)
+    # * remove whitespace around the = and add a left quote operator ' (;s)
+    # * add a right quote operator at the end of line (;s)
+    # * convert mysql variables into our MYSQL_ naming convention (;s)
+    # * print the result (;p)
+    eval `sed -n -e "/=/{s/ *= */='/;s/\$/'/;s/host/MYSQL_HOST/;s/user/MYSQL_LOGIN/;s/password/MYSQL_PASS/;s/database/MYSQL_DATABASE/;p}" /etc/alternc/my.cnf`
+fi
+
 WARNING="WARNING: Do not edit this file, edit the one in /etc/alternc/templates and launch alternc.install again."

 VERSION="`dpkg -s alternc | sed -n -e 's/^Version: \(.*\)/\1/p'`"
@ -101,7 +116,10 @@ if [ -z "$MONITOR_IP" ]; then
    MONITOR_IP="127.0.0.1"
 fi

-SED_SCRIPT="
+# XXX: I assume this is secure if /tmp is sticky (+t)
+# we should have a better way to deal with templating, of course.
+SED_SCRIPT=`mktemp`
+cat > $SED_SCRIPT <<EOF
 s\\%%hosting%%\\$HOSTING\\;
 s\\%%fqdn%%\\$FQDN\\;
 s\\%%public_ip%%\\$PUBLIC_IP\\;
@ -121,7 +139,7 @@ s\\%%warning_message%%\\$WARNING\\;
 s\\%%fqdn_lettre%%\\$FQDN_LETTER\\;
 s\\%%version%%\\$VERSION\\;
 s\\%%ns2_ip%%\\$NS2_IP\\;
-"
+EOF

 #######################################################################
 # Backup configuration files
@ -145,23 +163,16 @@ tar -zcf "$BACKUP_FILE" -C / $BACKUPS 2>/dev/null || true
 for file in $CONFIG_FILES; do
    TEMPLATE="$TEMPLATE_DIR/${file##etc/}"
    if [ -f "$TEMPLATE" ]; then
-        sed -e "$SED_SCRIPT" < $TEMPLATE > /$file
+        sed -f "$SED_SCRIPT" < $TEMPLATE > /$file
    fi
 done
+rm -f $SED_SCRIPT

 #######################################################################
 # Save installed files to check them during next install
 #
 tar -zcf "$INSTALLED_CONFIG_TAR" -C / $CONFIG_FILES

-######################################################################
-# Initialize database
-#
-if [ "$MYSQL_HOST" != "localhost" -o -e /usr/sbin/mysqld ]; then
-    echo "Setup MySQL and database..."
-    /usr/share/alternc/install/mysql.sh "$MYSQL_HOST" "$MYSQL_USER" "$MYSQL_PASS" "$MYSQL_DATABASE"
-fi
-
 ######################################################################## 
 # Ad-hoc fixes
 #
@ -263,7 +274,7 @@ done
 /usr/lib/alternc/basedir_prot.sh

 # Creating admin user if needed
-HAS_ROOT="`mysql -h"$MYSQL_HOST" -u"$MYSQL_USER" -p"$MYSQL_PASS" "$MYSQL_DATABASE" -e "SELECT COUNT(*) FROM membres WHERE login = 'admin' OR login = 'root' and su = 1" | tail -1`"
+HAS_ROOT=`mysql --defaults-file=/etc/alternc/my.cnf -e "SELECT COUNT(*) FROM membres WHERE login = 'admin' OR login = 'root' and su = 1" | tail -1`
 if [ "$HAS_ROOT" != "1" ]; then
    echo "Creating admin user..."
    echo ""
--- a/install/mysql.sh
+++ b/install/mysql.sh
@ -1,4 +1,4 @@
-#!/bin/sh 
+#!/bin/sh
 #
 # $Id: mysql.sh,v 1.11 2006/01/11 22:51:28 anarcat Exp $
 # ----------------------------------------------------------------------
@ -28,50 +28,125 @@
 # USAGE : "mysql.sh loginroot passroot systemdb"
 # ----------------------------------------------------------------------
 #
-
-sqlserver="$1"
-rootlogin="$2"
-rootpass="$3"
-systemdb="$4"
-
-if [ -z "$rootlogin" -o -z "$rootpass" -o -z "$systemdb" ]
-then
-    echo "Usage: mysql.sh <mysqlserver> <rootlogin> <rootpass> <systemdb>"
-    exit 1
-fi
-
-mysql="/usr/bin/mysql --defaults-file=/etc/mysql/debian.cnf -h$sqlserver "
+ 
+# This script expects the following environment to exist:
+# * host
+# * user
+# * password
+# * database
+# 
+# XXX: the sed script should be generated here
+#
+# So this file should generally be sourced like this:
+# . /usr/share/alternc/install/mysql.sh
+#
+# Those values are used to set the username/passwords...

 # The grant all is the most important right needed in this script.
+echo "Granting users..."
+# cat <<EOF
+# host: $host
+# user: $user
+# password: $password
+# database: $database
+# EOF
+
+MYSQL_CONFIG="/etc/alternc/my.cnf"
+
+. /etc/alternc/local.sh
+# the purpose of this "grant" is to make sure that the generated my.cnf works
+# this means (a) creating the user and (b) creating the database
+grant="GRANT ALL ON *.* TO '$user'@'${MYSQL_CLIENT}' IDENTIFIED BY '$password' WITH GRANT OPTION;
+CREATE DATABASE IF NOT EXISTS $database;"
+
+echo -n "Trying debian.cnf: "
+mysql="/usr/bin/mysql --defaults-file=/etc/mysql/debian.cnf"
 # If this call fail, we may be connected to a mysql-server version 5.0.
-echo "Granting users "
-# In that case, change mysql parameters and retry. Use root / nopassword.
-$mysql -e "GRANT ALL ON *.* TO '$rootlogin'@'${MYSQL_CLIENT}' IDENTIFIED BY '$rootpass' WITH GRANT OPTION"
-if [ "$?" -ne "0" ]
+# In that case, change mysql parameters and retry. Use root / nopassword.
+if ! $mysql <<EOF
+$grant
+EOF
 then
-    echo "debian-sys-maintainer doesn't have the right credentials, assuming we're doing an upgrade"
-    mysql="/usr/bin/mysql -h$sqlserver -u$rootlogin -p$rootpass" 
-    $mysql -e "GRANT ALL ON *.* TO '$rootlogin'@'${MYSQL_CLIENT}' IDENTIFIED BY '$rootpass' WITH GRANT OPTION"
-    if [ "$?" -ne "0" ] 
-	then 
-        echo "Still not working, assuming clean install and empty root password"
-        mysql="/usr/bin/mysql -h$sqlserver -uroot "
-        $mysql -e "GRANT ALL ON *.* TO '$rootlogin'@'${MYSQL_CLIENT}' IDENTIFIED BY '$rootpass' WITH GRANT OPTION"
-        if [ "$?" -ne "0" ] 
+    echo "failed: debian-sys-maintainer doesn't have the right credentials"
+    echo -n "are we doing an upgrade? "
+    mysql="/usr/bin/mysql --defaults-file=$MYSQL_CONFIG"
+    if ! $mysql <<EOF
+$grant
+EOF
+    then 
+        echo "No"
+        echo -n "Assuming clean install (empty root password)... "
+        mysql="/usr/bin/mysql -h$host -uroot "
+        if ! $mysql <<EOF
+$grant
+EOF
        then 
-	    echo "Can't grant system user $rootlogin, aborting"; 
-	    exit 1 
+            echo "Failed"
+            echo -n "Assuming pre 0.9.8 version... "
+            mysql="/usr/bin/mysql -h$MYSQL_HOST -u$MYSQL_USER -p$MYSQL_PASS"
+            if ! $mysql <<EOF
+$grant
+EOF
+            then
+                echo "No."
+                echo "Can't grant system user $user, aborting"; 
+	        exit 1 
+            fi
 	fi
    fi
 fi
+echo "ok!"

-# Now we can use rootlogin and rootpass. 
-mysql="/usr/bin/mysql -h$sqlserver -u$rootlogin -p$rootpass" 
+if [ -f $MYSQL_CONFIG ]; then
+    echo "Updating mysql configuration in $MYSQL_CONFIG"
+else
+    echo "Creating mysql configuration in $MYSQL_CONFIG"
+    cat > $MYSQL_CONFIG <<EOF
+# AlternC - Web Hosting System - MySQL Configuration
+# Automatically generated by AlternC configuration, do not edit
+# This file will be modified on package configuration
+# (e.g. upgrade or dpkg-reconfigure alternc)
+[client]
+EOF
+    chown root:www-data $MYSQL_CONFIG
+    chmod 640 $MYSQL_CONFIG
+fi

-echo "Setting AlternC '$systemdb' system table and privileges "
-$mysql -e "CREATE DATABASE IF NOT EXISTS $systemdb;" 
+# create a sed script to create/update the file
+function set_value() {
+    var=$1
+    RET=$2
+    grep -Eq "^ *$var=" $MYSQL_CONFIG || echo "$var=" >> $MYSQL_CONFIG
+    SED_SCRIPT="$SED_SCRIPT;s\\^ *$var=.*\\$var=\"$RET\"\\"
+}

-echo "Installing AlternC schema "
-$mysql $systemdb < /usr/share/alternc/install/mysql.sql
+SED_SCRIPT=""
+# hostname was empty in older (pre-0.9.6?) versions
+if [ -z "$host" ]; then
+    host="localhost"
+fi
+set_value host $host
+set_value database $database
+set_value user $user
+set_value password $password
+
+# take extra precautions here with the mysql password:
+# put the sed script in a temporary file
+SED_SCRIPT_NAME=`mktemp`
+cat > $SED_SCRIPT_NAME <<EOF
+$SED_SCRIPT
+EOF
+sed -f "$SED_SCRIPT_NAME" < $MYSQL_CONFIG > $MYSQL_CONFIG.$$
+mv -f $MYSQL_CONFIG.$$ $MYSQL_CONFIG
+rm -f $SED_SCRIPT_NAME
+
+# Now we should be able to use the mysql configuration
+mysql="/usr/bin/mysql --defaults-file=$MYSQL_CONFIG"
+
+echo "Checking for MySQL connectivity"
+$mysql -e "SHOW TABLES" >/dev/null && echo "MYSQL.SH OK!" || echo "MYSQL.SH FAILED!"
+
+# Final mysql setup: db schema
+echo "installing AlternC schema in $database..."
+$mysql < /usr/share/alternc/install/mysql.sql || echo cannot load database schema

-/usr/bin/mysql -h$sqlserver -u$rootlogin -p$rootpass $systemdb -e "SHOW TABLES" >/dev/null && echo "MYSQL.SH OK!" || echo "MYSQL.SH FAILED!"
--- a/install/upgrade_check.sh
+++ b/install/upgrade_check.sh
@ -45,7 +45,7 @@ do
                  # run the proper program to interpret the upgrade script
 		  case "$ext" in
 		  sql)
-			mysql -f -h $MYSQL_HOST -u $MYSQL_USER -p$MYSQL_PASS $MYSQL_DATABASE \
+			mysql -f --defaults-file=/etc/alternc/my.cnf \
 			< $file || true
 			;;
 		  php)
--- a/src/basedir_prot.sh
+++ b/src/basedir_prot.sh
@ -18,11 +18,6 @@ extra_paths="/var/alternc/dns/redir:/usr/share/php/:/var/alternc/tmp/:/tmp/"
 . /etc/alternc/local.sh
 . /usr/lib/alternc/functions.sh

-if [ -z "$MYSQL_HOST" ]
-then
-    MYSQL_HOST="localhost"
-fi
-
 echo -n "adding open_base_dir protection for:"
 # boucle sur tous les domaines hébergés, ou sur les arguments de la
 # ligne de commande
--- a/src/fixperms.sh
+++ b/src/fixperms.sh
@ -63,5 +63,5 @@ function doone {
    done
 }

-mysql -h"$MYSQL_HOST" -p"$MYSQL_PASS" -u"$MYSQL_USER" "$MYSQL_DATABASE" -B -e "select uid,login from membres" |grep -v ^uid|doone
+mysql --defaults-file=/etc/alternc/my.cnf -B -e "select uid,login from membres" |grep -v ^uid|doone

--- a/src/functions.sh
+++ b/src/functions.sh
@ -309,7 +309,7 @@ get_account_by_domain() {
 	else
 		# implantons localement ce que nous avons besoin, puisque admintools
 		# n'est pas là
-  		mysql -h$MYSQL_HOST -u$MYSQL_USER -p$MYSQL_PASS -D$MYSQL_DATABASE -B -N -e \
+  		mysql --defaults-file=/etc/alternc/my.cnf -B -N -e \
  		'SELECT a.login FROM membres a, sub_domaines b WHERE a.uid = b.compte AND \
  		CONCAT(IF(sub="", "", CONCAT(sub, ".")), domaine) = "'"$1"'" LIMIT 1;'
 	fi
--- a/src/sqlbackup.sh
+++ b/src/sqlbackup.sh
@ -29,9 +29,6 @@

 set -e

-# Get mysql user and password : 
-. /etc/alternc/local.sh
-
 function dobck {
    local ext
    local i
@ -63,10 +60,10 @@ function dobck {
        mv -f "${target_dir}/${db}.sql${ext}" \
              "${target_dir}/${db}.sql.${i}${ext}" 2>/dev/null || true 
        if [ "$compressed" -eq 1 ]; then
-            mysqldump -h"$MYSQL_HOST" -u"$login" -p"$pass" "$db"  --add-drop-table --allow-keywords -Q -f -q -a -e |
+            mysqldump --defaults-file=/etc/alternc/my.cnf --add-drop-table --allow-keywords -Q -f -q -a -e |
                gzip -c > "${target_dir}/${db}.sql${ext}"
        else
-            mysqldump -h"$MYSQL_HOST" -u"$login" -p"$pass" "$db"  --add-drop-table --allow-keywords -Q -f -q -a -e \
+            mysqldump --defaults-file=/etc/alternc/my.cnf --add-drop-table --allow-keywords -Q -f -q -a -e \
                > "${target_dir}/${db}.sql"
        fi

@ -83,8 +80,7 @@ else
    mode=1
 fi

-/usr/bin/mysql -h"$MYSQL_HOST" -u"$MYSQL_USER" -p"$MYSQL_PASS" \
-    "$MYSQL_DATABASE" -B << EOF | tail -n '+2' | dobck
+/usr/bin/mysql --defaults-file=/etc/alternc/my.cnf -B << EOF | tail -n '+2' | dobck
 SELECT login, pass, db, bck_history, bck_gzip, bck_dir
  FROM db
 WHERE bck_mode=$mode;
--- a/src/update_domains.sh
+++ b/src/update_domains.sh
@ -74,8 +74,7 @@ fi

 . "$CONFIG_FILE"

-if [ -z "$MYSQL_HOST" -o -z "$MYSQL_DATABASE" -o -z "$MYSQL_USER" -o \
-     -z "$MYSQL_PASS" -o -z "$DEFAULT_MX" -o -z "$PUBLIC_IP" ]; then
+if [ -z "$DEFAULT_MX" -o -z "$PUBLIC_IP" ]; then
    echo "Bad configuration. Please use:"
    echo "   dpkg-reconfigure alternc"
    exit 1
@ -96,10 +95,8 @@ LOCK_FILE="$DATA_ROOT/bureau/cron.lock"
 HTTP_DNS="$DATA_ROOT/dns"
 HTML_HOME="$DATA_ROOT/html"

-MYSQL_SELECT="mysql -h${MYSQL_HOST} -u${MYSQL_USER}
-                    -p${MYSQL_PASS} -Bs ${MYSQL_DATABASE}"
-MYSQL_DELETE="mysql -h${MYSQL_HOST} -u${MYSQL_USER}
-                    -p${MYSQL_PASS} ${MYSQL_DATABASE}"
+MYSQL_SELECT="mysql --defaults-file=/etc/alternc/my.cnf -Bs "
+MYSQL_DELETE="mysql --defaults-file=/etc/alternc/my.cnf "

 ########################################################################
 # Functions
--- a/tools/get_account_by_domain
+++ b/tools/get_account_by_domain
@ -75,12 +75,11 @@ MYSQL_UNREACHABLE_DATABASE=`$printf "$($gettext "Cannot access accounts database
 [ "$1" = "-h" ] || [ "$1" = "--help" ] && { echo $HELP ; echo $USAGE ; exit 0 ; }
 # Have to get AlternC conf file :
 ! [ -f "$ALTERNC_CONF_FILE" ] && { echo $MISSING_CONF_FILE ; exit 1 ; } || . $ALTERNC_CONF_FILE
-# Must have access to mysql to retreive accounts owning domains :
-[ -z "$MYSQL_HOST" ] && MYSQL_HOST=localhost
-$mysql -h$MYSQL_HOST -u$MYSQL_USER -p$MYSQL_PASS -D$MYSQL_DATABASE -e "select count(*) from domaines_standby;" > /dev/null 2>&1
-[ "$?" != 0 ] && { echo "$MYSQL_UNREACHABLE_DATABASE" ; exit 1 ; } || mysql="$mysql -h$MYSQL_HOST -u$MYSQL_USER -p$MYSQL_PASS -D$MYSQL_DATABASE -B -N -e "
+mysql="$mysql --defaults-file=/etc/alternc/my.cnf"
+$mysql -e "select count(*) from domaines_standby;" > /dev/null 2>&1
+[ "$?" != 0 ] && { echo "$MYSQL_UNREACHABLE_DATABASE" ; exit 1 ; }

 # Does the stuff
-$mysql "select concat(a.login, \" (\", a.mail, \")\") from membres a, sub_domaines b where a.uid = b.compte and concat(if(sub=\"\", \"\", concat(sub, \".\")), domaine)  = \"${1}\";"
+$mysql -B -N -e "select concat(a.login, \" (\", a.mail, \")\") from membres a, sub_domaines b where a.uid = b.compte and concat(if(sub=\"\", \"\", concat(sub, \".\")), domaine)  = \"${1}\";"


--- a/tools/get_domains_by_account
+++ b/tools/get_domains_by_account
@ -74,9 +74,9 @@ MYSQL_UNREACHABLE_DATABASE=`$printf "$($gettext "Cannot access accounts database
 # Have to get AlternC conf file :
 ! [ -f "$ALTERNC_CONF_FILE" ] && { echo $MISSING_CONF_FILE ; exit 1 ; } || . $ALTERNC_CONF_FILE
 # Must have access to mysql to retreive accounts owning domains :
-[ -z "$MYSQL_HOST" ] && MYSQL_HOST=localhost
-$mysql -h$MYSQL_HOST -u$MYSQL_USER -p$MYSQL_PASS -D$MYSQL_DATABASE -e "select count(*) from domaines_standby;" > /dev/null 2>&1
-[ "$?" != 0 ] && { echo "$MYSQL_UNREACHABLE_DATABASE" ; exit 1 ; } || mysql="$mysql -h$MYSQL_HOST -u$MYSQL_USER -p$MYSQL_PASS -D$MYSQL_DATABASE -B -N -e "
+mysql="$mysql --defaults-file=/etc/alternc/my.cnf -B -N -e"
+$mysql "select count(*) from domaines_standby;" > /dev/null 2>&1
+[ "$?" != 0 ] && { echo "$MYSQL_UNREACHABLE_DATABASE" ; exit 1 ; }

 # Does the stuff
 $mysql "select concat(a.sub, if(a.sub=\"\",\"\", \".\"), a.domaine) from sub_domaines a, membres b where a.compte = b.uid and b.login = \"${1}\";"
--- a/tools/top_http_users
+++ b/tools/top_http_users
@ -168,10 +168,9 @@ LOG_FILE=$LOG_DIR/access.log
 # Have to get AlternC conf file :
 [ -f "$ALTERNC_CONF_FILE" ] || { echo $MISSING_CONF_FILE ; exit 1 ; } && . $ALTERNC_CONF_FILE
 # Must have access to mysql to retreive accounts owning domains :
-[ -z "$MYSQL_HOST" ] && MYSQL_HOST=localhost
-$mysql -h$MYSQL_HOST -u$MYSQL_USER -p$MYSQL_PASS -D$MYSQL_DATABASE -e "select count(*) from domaines_standby;" > /dev/null 2>&1
-[ "$?" != 0 ] && { echo "$MYSQL_UNREACHABLE_DATABASE" ; exit 1 ; } || mysql="$mysql -h$MYSQL_HOST -u$MYSQL_USER -p$MYSQL_PASS -D$MYSQL_DATABASE -B -N -e "
-
+mysql="$mysql --defaults-file=/etc/alternc/my.cnf -B -N -e"
+$mysql "select count(*) from domaines_standby;" > /dev/null 2>&1
+[ "$?" != 0 ] && { echo "$MYSQL_UNREACHABLE_DATABASE" ; exit 1 ; }
 # Prevents executing more than one shell at the same time
 $lockfilecreate --retry 1 $LOCK_FILE
 if [ $? != 0 ]