On 15/09/10 12:44 +0200, Tobias Paepke wrote:
> On 15.09.10 12:32, Cédric Krier wrote:
> > On 15/09/10 12:29 +0200, Tobias Paepke wrote:
> >> On 15.09.10 12:24, Cédric Krier wrote:
> >>> Hi,
> >>>
> >>> One of the biggest security issues in a default trytond installation is the
> >>> admin_password that is in clear text in trytond.conf.
> >>>
> >>> This is a legacy from OpenERP to allow newbie users to set up a database from
> >>> the client easily.
> >>>
> >>> I propose to change the cleared hardcoded password with a validation of the
> >>> password of the user running trytond.
> >>>
> >>> What do you think?
> >>>
> >> What about a hashed password in config?
> > It is hard to create/update.
> It is anyway on Windows. For example you have to define the password for
> the user which is running tryton-service in the service management. If
> you change that password, it will stop working.

Why?

> Maybe I'm missing something.
> I know, tryton does not run on Windows as a service yet...
> >> I don't think that a system user should have a password at all.
> > This will mean database creation is forbidden from RPC as for any production
> > server.
> >
> I don't understand.

If there is no password set for the running user then it is not allowed to
create/drop a database from the client. This behavior is the best for a
production environment.

-- 
Cédric Krier
B2CK SPRL
Rue de Rotterdam, 4
4000 Liège
Belgium
Tel: +32 472 54 46 59
Email/Jabber: [email protected]
Website: http://www.b2ck.com/
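The "hashed password in config" option raised in the thread, with the create/update helper that answers the objection about maintaining it, as an added example that is neither from the thread nor trytond's own code; the `[options]`/`admin_password` layout of trytond.conf and the `$`-separated encoding are assumptions.

```python
import base64
import configparser
import hashlib
import hmac
import os

# Hypothetical encoding, not trytond's own: algo$iterations$salt_b64$hash_b64
ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Produce the value to put in trytond.conf; rerun it to update the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])

def verify_password(password, encoded):
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_b64, hash_b64 = encoded.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed or foreign value never matches
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)

def check_admin(password, conf_text):
    """Gate for create/drop database over RPC. Assumes an INI-style trytond.conf
    with an [options] section; no admin_password key means no remote access."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    encoded = cfg.get("options", "admin_password", fallback="").strip()
    if not encoded:
        return False  # behaves like a production server with no admin password
    return verify_password(password, encoded)

# Constructed sample config for demonstration
SAMPLE_CONF = "[options]\nadmin_password = " + hash_password("correct horse") + "\n"
```

Only the hash lands in the file, so a leaked trytond.conf no longer hands out the admin password, and an unset key keeps remote create/drop disabled.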
