On Fri, Oct 21, 2011 at 11:28 AM, Henrik Ingo <[email protected]> wrote:
>> For localhost, we should support peercred auth via unix domain
>> sockets. I was supposed to implement that during GSoC, but that was
>> the only part I didn't manage to do.
>
> But is this something that will just work by default? Do you have good links?

It's Linux-only (AFAIK), but it's available by default. See
http://linux.die.net/man/7/socket
AFAIK it tells you the user ID of your peer.

>> So where does that plaintext password come from? Typically it's stored
>> in a conf file (of the client app).
>
> I'm thinking more of the use case where you use the drizzle client app
> and type in the password.
> Either way, in all use cases I know of the password is input to the
> client in plain text format anyway. How to store that securely in an
> app is a different problem - all the ones I've seen just store it in
> plaintext in a file, including well known PHP apps like Drupal.

True. That's bad, but it's not a system account password. So if it's
compromised, the damage is (probably) much less.

>> SSL isn't completely secure, especially due to the situation with certs.
>
> And you are suggesting instead?

I'm no crypto expert. So I'd use an existing auth mechanism design.
Probably something based on challenge, response, hashing.

Let's take a step back. What problem are we trying to solve? For a
simple developer setup, listening on localhost only and not using
passwords doesn't sound so bad to me.

Olaf
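The peer-credential lookup the message refers to, shown as an added example that is not part of the original thread or of Drizzle's code: the server side reads the kernel-reported uid of the process on the other end of a Unix domain socket with SO_PEERCRED (Linux-only, as the message says) and allows the connection only if that uid matches the one the account is mapped to. A socketpair() stands in for a real accepted connection so the check runs stand-alone; the function names are my own.

```c
/* Added example: SO_PEERCRED on a Unix domain socket. Linux-only.
 * A server would call peer_is_uid() on the fd returned by accept();
 * here socketpair() supplies both ends so the check runs stand-alone. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Fill in the uid/gid/pid of the process on the other end of fd.
 * Returns 0 on success, -1 (errno set) if fd is not an AF_UNIX socket
 * or the kernel does not support SO_PEERCRED. */
int peer_credentials(int fd, struct ucred *out) {
    socklen_t len = sizeof(*out);
    memset(out, 0, sizeof(*out));
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, out, &len) != 0)
        return -1;
    return 0;
}

/* Authorization decision: 1 if the peer's uid equals allowed_uid, else 0.
 * The uid is reported by the kernel, not sent by the client, so the
 * client cannot forge it; any lookup failure is treated as a denial. */
int peer_is_uid(int fd, uid_t allowed_uid) {
    struct ucred cred;
    if (peer_credentials(fd, &cred) != 0)
        return 0;
    return cred.uid == allowed_uid;
}

/* Self-check: both ends of the socketpair belong to this process, so the
 * peer uid must equal our own uid and a different uid must be rejected.
 * Returns 1 when both expectations hold. */
int peercred_self_check(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 0;
    int ok = peer_is_uid(sv[0], getuid()) && !peer_is_uid(sv[1], getuid() + 1);
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void) {
    printf("peercred self-check: %s\n", peercred_self_check() ? "ok" : "failed");
    return 0;
}
```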

