On 15.09.10 13:33, Cédric Krier wrote:
> On 15/09/10 12:44 +0200, Tobias Paepke wrote:
>> On 15.09.10 12:32, Cédric Krier wrote:
>>> On 15/09/10 12:29 +0200, Tobias Paepke wrote:
>>>> On 15.09.10 12:24, Cédric Krier wrote:
>>>>> Hi,
>>>>>
>>>>> One of the biggest security issues in a default trytond installation is the
>>>>> admin_password that is in clear text in trytond.conf.
>>>>>
>>>>> This is a legacy from OpenERP to allow newbie users to set up a database
>>>>> from the client easily.
>>>>>
>>>>> I propose to replace the clear-text hardcoded password with a validation of
>>>>> the password of the user running trytond.
>>>>>
>>>>> What do you think?
>>>>>
>>>> What about a hashed password in config?
>>> It is hard to create/update.
>> It is anyway on Windows. For example you have to define the password for
>> the user which is running tryton-service in the service management. If
>> you change that password, it will stop working.
> Why?
>
Because you have to supply the username and password to the service. If you
change that password you would run into trouble.

>> Maybe I'm missing something.
>> I know, tryton does not run on Windows as a service yet...
>>>> I don't think that a system user should have a password at all.
>>> This will mean database creation is forbidden from RPC as for any production
>>> server.
>>>
>> Don't understand.
> If there is no password set for the running user then it is not allowed to
> create/drop database from client.
> This behavior is the best for a production environment.
>
Agree.
-- [email protected] mailing list
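Added example (not Tryton project code) of the "hashed password in config" alternative raised in the thread, including the create/update step that Cédric calls the hard part. Only `admin_password` and `trytond.conf` come from the thread; the `[options]` section name, the `pbkdf2_sha256$iterations$salt$digest` encoding, and the sample values are assumptions of this example.

```python
import base64
import configparser
import hashlib
import hmac
import io
import secrets

ITERATIONS = 200_000  # PBKDF2 work factor; raise as hardware gets faster

def hash_admin_password(password, salt=None):
    """Encode as pbkdf2_sha256$<iterations>$<salt b64>$<digest b64> (format assumed here)."""
    salt = salt or secrets.token_bytes(16)  # fresh random salt on every create/update
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def verify_admin_password(password, encoded):
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = encoded.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    except ValueError:
        return False  # empty, clear-text or malformed option never matches
    return algo == "pbkdf2_sha256" and hmac.compare_digest(actual, expected)

def _parser(conf_text):
    parser = configparser.ConfigParser(interpolation=None)  # keep '$' and '%' literal
    parser.read_string(conf_text)
    return parser

def set_admin_password(conf_text, password):
    """Create or rotate the hashed admin_password in an INI-style trytond.conf."""
    parser = _parser(conf_text)
    if not parser.has_section("options"):
        parser.add_section("options")
    parser.set("options", "admin_password", hash_admin_password(password))
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()

def check_config(conf_text, password):
    """True only if the config holds a hash the supplied password reproduces."""
    encoded = _parser(conf_text).get("options", "admin_password", fallback="")
    return verify_admin_password(password, encoded)

# Constructed sample: the clear-text form the thread criticises, and its hashed rewrite.
CLEAR_CONF = "[options]\nadmin_password = admin\n"
HASHED_CONF = set_admin_password(CLEAR_CONF, "admin")
```

Rotating the password is a single call to `set_admin_password` on the existing file text, and a config that still carries the clear-text value never verifies, so a forgotten migration fails closed rather than silently keeping the old secret.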
