On Wed, 15 Sep 2010 12:32:59 +0200, Cédric Krier <[email protected]> wrote:

> On 15/09/10 12:29 +0200, Tobias Paepke wrote:
> > On 15.09.10 12:24, Cédric Krier wrote:
> > > Hi,
> > >
> > > One of the biggest security issues in the default trytond installation is
> > > the admin_password that is in clear text in trytond.conf.
> > >
> > > This is a legacy from OpenERP to allow newbie users to set up a
> > > database from the client easily.
> > >
> > > I propose to change the cleared hardcoded password with a
> > > validation of the password of the user running trytond.
> > >
> > > What do you think?
> > >
> > What about a hashed password in config?
>
> It is hard to create/update.

Maybe we can provide a small python script that just calls the correct hash function. IIRC MySQL works like that: when you create a user you have to compute the hash manually and add the user with an insert in the db (and MySQL is considered user-friendly...).

> > I don't think that a system user should have a password at all.
>
> This will mean database creation is forbidden from RPC as for any
> production server.

I have a setup where the linux user 'tryton' has no password and I use su when I want to work with it. But I don't know how to do it on Windows.

-- 
Bertrand Chenal
B2CK SPRL
Rue de Rotterdam, 4
4000 Liège
Belgium
Tel: +32 472 54 46 59
Email: [email protected]
Website: http://www.b2ck.com/

-- 
[email protected] mailing list
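A hashing helper of the kind Bertrand suggests, added here as an example (it is not trytond's own code, and the hash string layout and the `[options]` section name are assumptions): it derives a salted PBKDF2-HMAC-SHA256 digest for `admin_password`, stores it as a self-describing string, and verifies a submitted password against the value read back from a trytond.conf-style file with a constant-time comparison.

```python
import base64
import configparser
import hashlib
import hmac
import os

# Constructed storage format for the example: algorithm$iterations$salt$digest.
# This is an assumption for the demonstration, not the format trytond uses.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing hash string; a fresh random salt unless one is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, stored):
    """Recompute the digest with the stored salt/iterations; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed or legacy clear-text value never verifies
    if algorithm != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def admin_password_from_config(text):
    """Read admin_password from INI-style config text (section name is an assumption)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser["options"]["admin_password"]


# Constructed sample config: what the [options] section could hold once hashed.
SAMPLE_CONF = ("[options]\nadmin_password = "
               + hash_password("correct horse", salt=b"0123456789abcdef") + "\n")

if __name__ == "__main__":
    # The "small script" an administrator runs to produce the value for trytond.conf.
    print(hash_password(input("admin password: ")))
```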
