couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jan Lehnardt <>
Subject Re: Configuration Load Order
Date Mon, 15 Aug 2011 18:29:14 GMT

On Aug 15, 2011, at 7:36 PM, Noah Slater wrote:

> On 15 Aug 2011, at 18:32, Jan Lehnardt wrote:
>> 1. Write admin = password to local.ini
>> 2. Restart CouchDB
>> 3. Hash gets persisted to generated.ini
>> 4. Plain text password remains in local.ini
> Which one of these steps is the problem? 4? What would you have happen in place of that?
That the plain text password be removed? Could we not simply leave that up to the admin to
remove it from the config? What if it is needed again at some point? If I put my plain text
password in a config file that I had edited by hand on a server, I would not expect it to
be removed by the software. If I was concerned about saving the plain text password in the
first place, I would hope that the software in question would come with an interactive prompt
that would ask me for my password and write the hash out to the file for me.

I would expect that a plaintext admin password would never survive a server restart.

If you want to change the admin-addition procedure to a startup prompt thing, I'd be happy
to consider this, but currently we are stuck between a rock and a hard place because all the
documentation out there suggests adding an admin to local.ini will do the trick, yet distributions
that add config files to local.d/ will keep plaintext passwords around, contrary to what is
documented. I consider this a bad user experience as well as a security issue.

I was supporting that local.ini should come after local.d/*.ini, but dev@ overturned me here
and came up with generated.ini, which I'd be fine with, except, it doesn't solve the original


View raw message