It is a good idea to check for the permissions on the files and directories before starting the daemon, as Anton mentioned in one of the earlier mails.

Clear text passwords are frowned upon nowadays. Encrypting the conf file could help. A malicious hacker could get into the file as it is open source. We could make it harder. Here are some of the things that I could think of.

- Get the key from the user during installation and store it in /var/lib/openhpi. Encrypt this file using a default key.
- Decrypt the file to get the key and use this key to decrypt the conf file.

We could provide a tool to create the conf file. This tool could do the above things. This tool could be run during install with some default options, or the user could run it later.

Please do share other ideas.

Mohan

On Thu, 2012-08-09 at 23:56 +0400, Anton Pak wrote:
> And how to prevent a malicious person from decrypting it in the same way?
>
> On Thu, 09 Aug 2012 23:36:21 +0400, Thompson, Michael <[email protected]> wrote:
>
> > Create a tool to encrypt the openhpi.conf file and have OpenHPI decrypt it.
> >
> > -----Original Message-----
> > From: Anton Pak [mailto:[email protected]]
> > Sent: Thursday, August 09, 2012 2:36 PM
> > To: [email protected]; [email protected]
> > Subject: Re: [Openhpi-devel] OpenHPI security
> >
> > I don't recall any security related discussion in OpenHPI.
> >
> > Any suggestion how we can make it more secure?
> >
> > Anton Pak
> >
> > On Thu, 09 Aug 2012 22:33:58 +0400, [email protected] <[email protected]> wrote:
> >
> >> The openhpi.conf file is in text format and the login credentials are placed in that file. The login credentials are sent through secure channels, but the file itself is in text form. Was this ever discussed as a security problem in the project? Did we explore any solutions?
> >>
> >> Mohan
> >>
> >> ------------------------------------------------------------------------------
> >> Live Security Virtual Conference
> >> Exclusive live event will cover all the ways today's security and
> >> threat landscape has changed and how IT managers can respond.
> >> Discussions will include endpoint security, mobile security and the
> >> latest in malware threats.
> >> http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> >> _______________________________________________
> >> Openhpi-devel mailing list
> >> [email protected]
> >> https://lists.sourceforge.net/lists/listinfo/openhpi-devel
