----- Original Message -----
> From: "Josh Bressers" <[email protected]>
> To: "Alon Bar-Lev" <[email protected]>
> Cc: "Eli Mesika" <[email protected]>, "Juan Hernandez"
> <[email protected]>, "engine-devel"
> <[email protected]>, "pmatouse" <[email protected]>
> Sent: Wednesday, May 1, 2013 9:13:24 PM
> Subject: Re: [Engine-devel] Dropping encryption of database password
>
> > > >
> > > >
> > > > > In other words you are for storing password as plain text.... :)
> > > >
> > > > If the file is protected, I don't mind that the password is in plain
> > > > text...
> > >
> > >
> > > Hi all,
> >
> > Hello,
> >
> > > Itamar pointed me at this thread. I'm part of the Red Hat Product
> > > Security
> > > Team, we exist to help various projects and products with security needs
> > > (such as advice in this instance).
> > >
> > > I can't really comment on this without understanding some of the
> > > background
> > > (sorry for not being up to speed, I don't have time to research this
> > > today and I'm away tomorrow so my replies may be slow).
> > >
> > > Can you explain to me what the passwords in question are used for?
> >
> > The password of the user used to access the database.
> >
>
> Ahh, so the subject is quite literal.
>
> So in an instance like this it's not uncommon to store this password as
> plaintext in a file. The important part is then to ensure that the file is
> protected and can only be accessed on a need-to-know basis.
>
> Using various scrambling techniques doesn't really provide any additional
> security. Some claim it makes things worse as it provides a false sense of
> security.
>
> I would suggest you make a note about what processes and users can view or
> modify this file and for what reasons. This should help identify things in
> the future that should or shouldn't have this level of access.
>
> Let me know if you have any questions.
>
> Thanks.

Thank you.
This is what I wrote in my initial post.
The only users who should access this password are the ovirt user and the root user.

Regards,
Alon Bar-Lev.

>
> --
> Josh Bressers / Red Hat Product Security Team
>
_______________________________________________
Engine-devel mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-devel
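
An added example, not part of the original thread or of oVirt's own code: one way to check that a plaintext credentials file is reachable only by the accounts the thread names (the ovirt user and root). The function name, the uid-based interface and the command-line form are assumptions made for illustration; POSIX ACLs are not inspected.

```python
import os
import stat


def audit_secret_file(path, allowed_uids):
    """Return a list of findings; an empty list means the file passes.

    allowed_uids: numeric uids permitted to own the file (assumed interface).
    """
    findings = []
    st = os.lstat(path)  # lstat: do not follow a symlink placed at the path
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]
    if st.st_uid not in allowed_uids:
        findings.append(
            f"{path}: owned by uid {st.st_uid}, expected one of {sorted(allowed_uids)}"
        )
    # Any group or other bit widens access beyond the owner (root can always read).
    if st.st_mode & 0o077:
        findings.append(
            f"{path}: mode {stat.S_IMODE(st.st_mode):04o} grants group/other access"
        )
    # Whoever can write the containing directory can replace the file,
    # so the directory is part of the file's protection.
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_uid not in set(allowed_uids) | {0}:
        findings.append(f"{parent}: directory owned by uid {pst.st_uid}")
    if pst.st_mode & 0o022:
        findings.append(
            f"{parent}: mode {stat.S_IMODE(pst.st_mode):04o} is group/other writable"
        )
    return findings


if __name__ == "__main__":
    import sys

    # Assumed invocation: audit.py <file> <uid> [<uid> ...]; root is always allowed.
    uids = {int(u) for u in sys.argv[2:]} | {0}
    problems = audit_secret_file(sys.argv[1], uids)
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

Running this from a scheduled job and alerting on a non-zero exit gives a standing record of who can view or modify the file, which is the note-keeping the reply recommends.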
