On 15/09/10 12:29 +0200, Tobias Paepke wrote:
> On 15.09.10 12:24, Cédric Krier wrote:
> > Hi,
> >
> > One of the biggest security issues in the default trytond installation is the
> > admin_password that is in clear text in trytond.conf.
> >
> > This is a legacy from OpenERP to allow newbie users to set up a database from
> > the client easily.
> >
> > I propose to replace the clear-text hardcoded password with a validation of the
> > password of the user running trytond.
> >
> > What do you think?
>
> What about a hashed password in the config?

It is hard to create/update.

> I don't think that a system user should have a password at all.

This will mean database creation is forbidden from RPC, as for any production server.

-- 
Cédric Krier
B2CK SPRL
Rue de Rotterdam, 4
4000 Liège
Belgium
Tel: +32 472 54 46 59
Email/Jabber: [email protected]
Website: http://www.b2ck.com/
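As an added illustration of the "hashed password in config" alternative discussed in the thread (example code written for this page, not trytond's own implementation), the following Python shows what storing the admin_password as a salted PBKDF2 hash instead of clear text would look like: a generator for creating or updating the value, and a verifier that reads it back from an INI-style file and compares in constant time. The `[options]` section name, the hash string layout and the sample config are assumptions constructed for the example.

```python
# Added example (not trytond's own code): keep the admin password in the
# configuration file as a salted PBKDF2 hash rather than in clear text.
import base64
import configparser
import hashlib
import hmac
import os

# Self-describing format chosen for this example: algorithm$iterations$salt$digest
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000


def hash_password(password, salt=None, iterations=DEFAULT_ITERATIONS):
    """Create (or re-create, when updating) the value to put in the config file."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(stored, candidate):
    """Check a candidate password against the stored hash string.

    A malformed or foreign-format stored value is rejected instead of raising,
    so a damaged config line cannot crash the login path.
    """
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, TypeError):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    # Constant-time comparison: the result does not depend on how many bytes match.
    return hmac.compare_digest(actual, expected)


def load_admin_hash(config_text):
    """Read admin_password from an INI-style config; section name is an assumption."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    return parser.get("options", "admin_password", fallback=None)


def check_admin_login(config_text, candidate):
    """Verify a login attempt against the hash stored in the config text."""
    stored = load_admin_hash(config_text)
    if stored is None:
        return False  # no admin password configured: refuse rather than allow
    return verify_password(stored, candidate)


# Constructed sample config. The fixed salt and low iteration count exist only
# to keep the sample reproducible and fast; real deployments use the defaults.
SAMPLE_HASH = hash_password("correct horse", salt=b"0123456789abcdef", iterations=1000)
SAMPLE_CONFIG = "[options]\nadmin_password = %s\n" % SAMPLE_HASH

if __name__ == "__main__":
    print("config line:", SAMPLE_CONFIG.strip().splitlines()[1])
    print("right password accepted:", check_admin_login(SAMPLE_CONFIG, "correct horse"))
    print("wrong password accepted:", check_admin_login(SAMPLE_CONFIG, "wrong"))
```

Running the module prints the generated config line and then True/False for the two login attempts. The creation and update burden mentioned in the thread is exactly the `hash_password()` step: whoever edits the config must run it once per change, since the stored value cannot be typed in by hand.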