From 271ce660228775a8a51903ef617447795fcf3465 Mon Sep 17 00:00:00 2001 From: h7x4 Date: Wed, 3 Dec 2025 18:38:12 +0900 Subject: [PATCH] CHANGELOG.md: init --- CHANGELOG.md | 64 ++++++++++++++++++++++++++++ docs/mysql-admutils-compatibility.md | 22 +++++----- 2 files changed, 76 insertions(+), 10 deletions(-) create mode 100644 CHANGELOG.md diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..e356710 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,64 @@ +# Changelog + +## v1.0.0 - Initial Release + +This is the initial release of `muscl`. + +### Features ported from [`mysql-admutils`](https://git.pvv.ntnu.no/Projects/mysql-admutils) + +- All commands +- Support for starting internal server with SUID/SGID +- Best-effort CLI interface backwards compatibility (see deviation notes for details) +- Best-effort stdout/stderr output backwards compatibility (see line above) +- Privilege editor + +### New features and changes from `mysql-admutils` + +- Changed programming language from `C` to `Rust`, for better or for worse +- Combined the functionality of both `mysql-dbadm` and `mysql-useradm` into a single executable. +- Switched to a server+client architecture. With this change comes: + - Added security against SUID/SGID-related vulnerabilities. + - Logging and debug information for system administrators. + - A limitation on the maximum number of connections to the database. + - A lot of sandboxing and hardening for the server-side, limiting the amount + of damage that can be done if compromised, and further increasing security. +- Added `--json` flag for several commands +- Added `check-auth` command, for testing whether you are allowed to manage certain databases or users +- Added `lock-user`/`unlock-user` which let's you temporarily disable a database user. +- Added dynamic shell completions, aware of which databases and users exist. +- Changed the name length limit from `32` characters to `64` characters. +- Added `-p`/`--privs` flag for editing privileges using only commandline flags. + The flag acts similarly to `chmod` with `+` and `-` variants for adding and removing privileges. + See `muscl edit-privs --help` for more information. +- Changed handling of database user passwords: + - Prompting for passwords will now hide what you write + - Allow providing passwords through files and stdin +- Respect `$VISUAL` in addition to `$EDITOR` when launching the privilege editor. +- Use a constant template for the privilege editor instead of providing random privileges on first use. +- Display the diff before committing privilege changes. +- Generally more detailed error reporting: + - On entering database or user names you do not own, suggest valid names + - Instead of silently trimming database/user names when too long, report as error + - When there are other name validation errors, report exactly what went wrong instead of a generic message + - Add new errors related to failures inbetween the client and the server +- Package and distribute software: + - Provide `.deb` packages + - Provide systemd units + - Provide nix-flake with packages, overlays and NixOS modules. + +### Known deviations from `mysql-admutils`' behaviour + +- `--help` output is formatted by clap in a different style. +- `mysql-dbadm edit-perm` uses the new privilege editor implementation. Replicating + the old behaviour + there shoulnd't have been any (or at least very few) scripts relying on the old + command API or behavior. +- The new tools use the new implementation to find it's configuration file, and uses the + new configuration format. See the example config and installation instructions for more + information about how to configure the software. +- The order in which input is validated (e.g. whether you own a user, whether the + contains illegal characters, whether the user does or does not exist) might be different + from the original program, leading to the same command reporting different errors. +- Arguments are de-duplicated, meaning that if you run something like + `mysql-dbadm create user_db1 user_db2 user_db1`, the program will only try to create + the `user_db1` once. The old program would attempt to create it twice, failing the second time. diff --git a/docs/mysql-admutils-compatibility.md b/docs/mysql-admutils-compatibility.md index 9ed7406..632c33f 100644 --- a/docs/mysql-admutils-compatibility.md +++ b/docs/mysql-admutils-compatibility.md @@ -10,17 +10,19 @@ cargo build These symlinks are also included in the deb packages. -### Known deviations from the original programs +### Known deviations from `mysql-admutils`' behaviour -- Added flags for database configuration, not present in the original programs -- `--help` output is formatted by clap in a modern style. -- `mysql-dbadm edit-perm` uses the new implementation. Parsing the old logic was - too complex to be worth porting, and since the action is inherently interactive, +- `--help` output is formatted by clap in a different style. +- `mysql-dbadm edit-perm` uses the new privilege editor implementation. Replicating + the old behaviour there shoulnd't have been any (or at least very few) scripts relying on the old command API or behavior. -- The new tools use the modern implementation to find it's configuration. If you compiled - the old programs with `--sysconfdir=`, you might have to provide `--config-file` - where the old program would just work by itself. -- The order in which some things are validated (e.g. whether you own a user, whether the +- The new tools use the new implementation to find it's configuration file, and uses the + new configuration format. See the example config and installation instructions for more + information about how to configure the software. +- The order in which input is validated (e.g. whether you own a user, whether the contains illegal characters, whether the user does or does not exist) might be different - from the original program, leading to the same command giving the errors in a different order. + from the original program, leading to the same command reporting different errors. +- Arguments are de-duplicated, meaning that if you run something like + `mysql-dbadm create user_db1 user_db2 user_db1`, the program will only try to create + the `user_db1` once. The old program would attempt to create it twice, failing the second time.