Hi all,

Brooklyn master now checks if ~/.brooklyn/brooklyn.properties (or
whatever you override it with on the launch command line) has
permissions like 600 (or 700 or 400). Brooklyn will fail to start
otherwise, giving a nice error to tell you why.

Note that we won't check these permissions on Windows currently. You'll
get a log.debug telling you that we couldn't check.

Aled

On 11/08/2014 12:11, Alasdair Hodge wrote:
Enthusiastic "yay!" for hashed, salted passwords :o)

Also +1 to enforcing tighter access control for the properties file at
runtime. Will require a Windows equivalent, of course, but checking
for *00 flags on posix systems is a great start. I expect we want
"strict" behaviour only in the launcher, and that unit tests, etc.,
don't need to care?

As for the --stdin thing for generate-password, I must admit I'm
sympathetic to the "don't do that" argument in the links you posted.
If stream hacks are required only to test the generator then it's
probably no biggie, but making recommendations to end-users that go
against the grain of established unix security best practices gives me
pause.

A.
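
A sketch of the launch-time check described at the top of this thread, added here as an example and not Brooklyn's own code: it accepts a properties file only when no group or other permission bit is set (600, 700, 400), and skips with a debug-style message where the file system exposes no POSIX attributes, as on Windows. The class name, method name and messages are hypothetical, and the temporary file in `main` is a constructed sample.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.EnumSet;
import java.util.Set;

public class PropertiesPermissionCheck {
    // Any of these bits being set means the mode is not of the form *00.
    private static final Set<PosixFilePermission> NOT_OWNER = EnumSet.of(
        PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
        PosixFilePermission.GROUP_EXECUTE, PosixFilePermission.OTHERS_READ,
        PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    /** Returns true if checked and owner-only, false if the check was not
     *  possible; throws IllegalStateException if group/other have access. */
    static boolean checkOwnerOnly(Path file) throws IOException {
        // Follows symlinks by default, so the target's mode is what counts.
        PosixFileAttributeView view =
            Files.getFileAttributeView(file, PosixFileAttributeView.class);
        if (view == null) {  // e.g. Windows: no POSIX view available
            System.err.println("DEBUG: could not check permissions of " + file);
            return false;
        }
        Set<PosixFilePermission> perms = view.readAttributes().permissions();
        Set<PosixFilePermission> excess = EnumSet.copyOf(NOT_OWNER);
        excess.retainAll(perms);  // group/other bits actually present
        if (!excess.isEmpty()) {
            throw new IllegalStateException(file + " has permissions "
                + PosixFilePermissions.toString(perms)
                + "; remove group/other access (e.g. chmod 600)");
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        Path f = Files.createTempFile("brooklyn", ".properties");  // constructed sample
        try {
            if (!checkOwnerOnly(f)) return;  // no POSIX support: nothing more to show
            String[] modes = {"rw-------", "r--------", "rwx------", "rw-r--r--"};
            for (String mode : modes) {
                Files.setPosixFilePermissions(f, PosixFilePermissions.fromString(mode));
                try {
                    checkOwnerOnly(f);
                    System.out.println(mode + " accepted");
                } catch (IllegalStateException e) {
                    System.out.println(mode + " rejected: " + e.getMessage());
                }
            }
        } finally {
            Files.deleteIfExists(f);
        }
    }
}
```

The check reads only the mode bits; it does not look at file ownership or at ACLs layered on top of them.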