Date: Wed, 17 Aug 2011 18:04:20 +0200
Subject: Re: Configuration Load Order
From: Benoit Chesneau
To: "dev@couchdb.apache.org"

On Wednesday, August 17, 2011, Jason Smith wrote:
> On Wed, Aug 17, 2011 at 10:22 PM, Robert Newson wrote:
>> Jason,
>>
>> The --set-password thing is to ensure there are no plaintext passwords
>> in the first place, which eliminates the oddness of couch rewriting a
>> plaintext pwd to a digested pwd (and putting the output in a different
>> file).
>
> Thanks for the clarification.
>
> If you can read a plaintext password from an .ini file, then you can
> hit the HTTP API as the admin and make changes to the couch. So that
> is privilege escalation.
>
> To answer Benoit's question, it is simpler to tell admins to use the
> HTTP API (or Futon) to create the admin account. The password is
> stored *somewhere* under the hood. IMHO it is less simple to add a
> command-line tool as a requirement (or worse, as an alternative
> option) to deploy Couch.
>
> --

It all depends if you admin via a console. couchctl set-password username is way easier than curl -XPUT http://blah/_users -D... -H... . In the end, if you are a good admin you will write this script. Providing useful helpers doesn't break the KISS way here.

benoît
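An added example, not part of the original message or of CouchDB's code: an audit over a config chain in load order that reports every [admins] value still in plaintext, including one shadowed by a digest written to a later file, which is the situation described in the quoted text. The file contents are constructed, and the check assumes the `-hashed-` and `-pbkdf2-` prefixes CouchDB puts on digested admin passwords.

```python
import configparser

# Assumption: digested admin passwords in CouchDB .ini files carry one of
# these prefixes; any other value in [admins] is treated as plaintext.
HASHED_PREFIXES = ("-hashed-", "-pbkdf2-")

# Constructed sample chain, listed in load order (later files override
# earlier ones). <digest> and <salt> are placeholders, not real values.
SAMPLE_CHAIN = [
    ("default.ini", "[admins]\n"),
    ("local.ini", "[admins]\nalice = changeme\nbob = hunter2\n"),
    ("local.d/zz.ini", "[admins]\nalice = -hashed-<digest>,<salt>\n"),
]


def audit_admins(chain):
    """Return [(file, user, is_effective)] for every plaintext [admins] value.

    is_effective is True when that file is the last one in the chain to
    define the user, i.e. the plaintext value is the one the server uses.
    A False entry is a leftover: the digest lives in a later file, but the
    readable password is still on disk in the earlier one.
    """
    seen = []  # (file, user, value) in load order
    for name, text in chain:
        cp = configparser.ConfigParser(interpolation=None)
        cp.optionxform = str  # keep user names case-sensitive
        cp.read_string(text, source=name)
        if cp.has_section("admins"):
            seen += [(name, user, value) for user, value in cp.items("admins")]
    last_file = {user: name for name, user, _ in seen}  # last definition wins
    return [
        (name, user, last_file[user] == name)
        for name, user, value in seen
        if not value.startswith(HASHED_PREFIXES)
    ]


if __name__ == "__main__":
    for name, user, effective in audit_admins(SAMPLE_CHAIN):
        state = "effective" if effective else "shadowed by a later file"
        print(f"{name}: admin '{user}' has a plaintext password ({state})")
```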