couchdb-dev mailing list archives

From Benoit Chesneau <bchesn...@gmail.com>
Subject Re: Configuration Load Order
Date Tue, 16 Aug 2011 09:33:52 GMT
On Mon, Aug 15, 2011 at 8:29 PM, Jan Lehnardt <jan@apache.org> wrote:
>
> On Aug 15, 2011, at 7:36 PM, Noah Slater wrote:
>
>>
>> On 15 Aug 2011, at 18:32, Jan Lehnardt wrote:
>>
>>> 1. Write admin = password to local.ini
>>> 2. Restart CouchDB
>>> 3. Hash gets persisted to generated.ini
>>> 4. Plain text password remains in local.ini
>>
>> Which one of these steps is the problem? 4? What would you have happen in place of
>> that? That the plain text password be removed? Could we not simply leave that up to the admin
>> to remove it from the config? What if it is needed again at some point? If I put my plain
>> text password in a config file that I had edited by hand on a server, I would not expect it
>> to be removed by the software. If I was concerned about saving the plain text password in
>> the first place, I would hope that the software in question would come with an interactive
>> prompt that would ask me for my password and write the hash out to the file for me.
>
> I would expect that a plaintext admin password would never survive a server restart.
>
> If you want to change the admin-addition procedure to a startup prompt thing, I'd be
> happy to consider this, but currently we are stuck between a rock and a hard place because
> all the documentation out there suggests adding an admin to local.ini will do the trick, yet
> distributions that add config files to local.d/ will keep plaintext passwords around, contrary
> to what is documented. I consider this a bad user experience as well as a security issue.
>
> I was supporting that local.ini should come after local.d/*.ini, but dev@ overturned
> me here and came up with generated.ini, which I'd be fine with, except, it doesn't solve the
> original problem.
>
> Cheers
> Jan
> --

IMO we shouldn't provide plaintext passwords at all. Maybe a safer
option would be to let the admin create the first one via HTTP or put
the hash in a password.ini file manually. If we are kind enough we
could also provide a couchctl script allowing user management, config
changes ... ?


- benoît
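
An added example, not part of the original message or of CouchDB's own code: a small audit that reads each file of a config chain separately and reports admin entries still stored in plain text, which is the state step 4 of the quoted procedure describes. The `[admins]` section name and the `-hashed-` / `-pbkdf2-` prefixes are assumptions about CouchDB's on-disk format; the file contents and the order of the chain are constructed for the demonstration.

```python
import configparser
import tempfile
from pathlib import Path

# Assumption: CouchDB marks a hashed admin password with one of these prefixes.
HASH_PREFIXES = ("-hashed-", "-pbkdf2-")


def find_plaintext_admins(paths):
    """Return [(file name, user)] for every [admins] value that is not a hash.

    Each file is parsed on its own: a hash written to a later file in the
    chain (generated.ini) does not remove the plain text left in an earlier
    one, so merging the files first would hide the finding.
    """
    findings = []
    for path in paths:
        parser = configparser.RawConfigParser(strict=False)  # no % interpolation
        parser.optionxform = str  # keep user names case-sensitive
        parser.read(path)
        if not parser.has_section("admins"):
            continue
        for user, value in parser.items("admins"):
            if not value.startswith(HASH_PREFIXES):
                findings.append((Path(path).name, user))
    return findings


def demo():
    """Build a constructed config chain in a temp directory and audit it."""
    files = {
        "local.ini": "[admins]\nadmin = password\n",            # constructed
        "local.d/distro.ini": "[httpd]\nport = 5984\n",         # constructed
        "generated.ini": "[admins]\nadmin = -hashed-0123abcd,salt01\n",  # constructed
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "local.d").mkdir()
        chain = []
        for name, body in files.items():
            target = root / name
            target.write_text(body)
            chain.append(target)
        return find_plaintext_admins(chain)


if __name__ == "__main__":
    for fname, user in demo():
        print(f"plain-text admin password for {user!r} in {fname}")
```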
