Roland Tepp wrote
> Console (whether accessed over web or ssh) should be a trusted environment.
> If an untrusted user gains access to your console you have much more serious
> problems than access to some configuration options.

Well, sure - but don't forget that the web console allows you to create a zip with all the configurations and your password ends up in plain text there as well. You definitely don't want to pass on passwords from production to your engineering or support team when they do troubleshooting. Of course you can post-process the zip, but people will forget about it.

And there are other similar ways where you definitely don't want to display the passwords in plain text, even in the web console. For example you trust the admin of your app to do configurations, checking bundles and such, but the database admin will not want this person to know/see the database password.

It all depends on your environment etc. of course. But in general having an easy way to get a password in plain text scares most security people away.

Carsten

> On Sun, 24 Apr 2016 at 02:29, Carsten Ziegeler <[email protected]> wrote:
>
>> Peter Kriens wrote
>>> You could adjust cm to recognize a macro and expand that macro to
>>> something local like a file, a system property, or an environment variable.
>>>
>>> That is how I solved it in the Configurer. Works very well on Travis
>>> that allows you to configure with encrypted data that is decrypted as
>>> environment variables.
>>>
>>
>> This still has the problem that the decrypted data is visible to
>> everyone (via web console etc.)
>>
>>
>> Carsten
>> --
>> Carsten Ziegeler
>> Adobe Research Switzerland
>> [email protected]

--
Carsten Ziegeler
Adobe Research Switzerland
[email protected]
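The "post-process the zip" step mentioned in the reply above, sketched as an added example that is not part of the thread or of the project's code. It assumes the dump's entries are text with `key = value` or `key: value` lines and that secrets can be recognised by key name; both the entry format and the key-name list are assumptions, and the sample archive is constructed.

```python
import io
import re
import zipfile

# Assumption: key names containing these words hold secrets.
SECRET_KEY = re.compile(r"(password|passwd|secret|token|credential)", re.I)
# Assumption: dump entries are text with "key = value" or "key: value" lines.
LINE = re.compile(r"^\s*([^\s=:#][^=:]*?)\s*[=:]\s*(.*)$")
MASK = "********"


def redact_text(text):
    """Mask the value of every line whose key looks like a secret."""
    out, hits = [], 0
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        m = LINE.match(body)
        if m and SECRET_KEY.search(m.group(1)) and m.group(2):
            # Keep key and separator, replace the value, keep the line ending.
            line = body[:m.start(2)] + MASK + line[len(body):]
            hits += 1
        out.append(line)
    return "".join(out), hits


def redact_zip(data):
    """Return (new_zip_bytes, {entry: masked_count}) for a zip held in memory."""
    report, buf = {}, io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            raw = src.read(info)
            try:
                text, hits = redact_text(raw.decode("utf-8"))
                raw = text.encode("utf-8")
            except UnicodeDecodeError:
                hits = 0  # binary entry: copied unchanged, cannot be inspected
            if hits:
                report[info.filename] = hits
            dst.writestr(info.filename, raw)
    return buf.getvalue(), report


def sample_dump():
    """Constructed sample standing in for a configuration dump."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("config/datasource.txt", "url = jdbc:example://db\npassword = s3cr3t\n")
        z.writestr("bundles.txt", "0 ACTIVE system.bundle\n")
    return buf.getvalue()
```

A key-name filter only catches what its pattern anticipates; a secret stored under an unexpected key or inside a binary entry passes through unmasked.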

