On Aug 15, 2011, at 7:36 PM, Noah Slater wrote:

> 
> On 15 Aug 2011, at 18:32, Jan Lehnardt wrote:
> 
>> 1. Write admin = password to local.ini
>> 2. Restart CouchDB
>> 3. Hash gets persisted to generated.ini
>> 4. Plain text password remains in local.ini
> 
> Which one of these steps is the problem? 4? What would you have happen in 
> place of that? That the plain text password be removed? Could we not simply 
> leave that up to the admin to remove it from the config? What if it is needed 
> again at some point? If I put my plain text password in a config file that I 
> had edited by hand on a server, I would not expect it to be removed by the 
> software. If I was concerned about saving the plain text password in the 
> first place, I would hope that the software in question would come with an 
> interactive prompt that would ask me for my password and write the hash out 
> to the file for me.

I would expect that a plaintext admin password would never survive a server 
restart.

If you want to change the admin-addition procedure to a startup prompt thing, 
I'd be happy to consider this, but currently we are stuck between a rock and a 
hard place because all the documentation out there suggests adding an admin to 
local.ini will do the trick, yet distributions that add config files to 
local.d/ will keep plaintext passwords around, contrary to what is documented. 
I consider this a bad user experience as well as a security issue.

I was supporting that local.ini should come after local.d/*.ini, but dev@ 
overturned me here and came up with generated.ini, which I'd be fine with, 
except, it doesn't solve the original problem.

Cheers
Jan
-- 
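A check for the state described in steps 1 to 4 above, where the hash lands in generated.ini while the plaintext entry stays in local.ini. This is an added example, not part of the original message or of CouchDB's own code. It assumes hashed admin values start with `-hashed-` or `-pbkdf2-` and that the files to scan are `*.ini` and `local.d/*.ini` under one config directory; the sample files and hash are constructed.

```python
import configparser
import tempfile
from pathlib import Path

# Assumption: CouchDB writes hashed admin values with one of these prefixes.
HASH_PREFIXES = ("-hashed-", "-pbkdf2-")


def plaintext_admins(ini_text):
    """Return the [admins] names in ini_text whose value is not a hash."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep user names case-sensitive
    cp.read_string(ini_text)
    if not cp.has_section("admins"):
        return []
    return [n for n, v in cp.items("admins") if not v.startswith(HASH_PREFIXES)]


def audit(config_dir):
    """Map each ini file (relative path) to the admins it stores in plaintext."""
    root = Path(config_dir)
    files = sorted(list(root.glob("*.ini")) + list(root.glob("local.d/*.ini")))
    findings = {}
    for path in files:
        names = plaintext_admins(path.read_text())
        if names:
            findings[path.relative_to(root).as_posix()] = names
    return findings


def demo():
    """Rebuild the state after step 4 of the thread with constructed files."""
    fake_hash = "-hashed-" + "0" * 40 + ",constructedsalt"  # constructed value
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "local.d").mkdir()
        (root / "local.ini").write_text("[admins]\nadmin = password\n")
        (root / "generated.ini").write_text(f"[admins]\nadmin = {fake_hash}\n")
        (root / "local.d" / "distro.ini").write_text("[httpd]\nport = 5984\n")
        return audit(root)


if __name__ == "__main__":
    for name, admins in demo().items():
        print(f"{name}: plaintext admin password for {', '.join(admins)}")
```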
