On 15/09/10 13:13 +0200, Mathias Behrle wrote:
> * Re: "[tryton-dev] Thoughts about server password" (Wed, 15 Sep 2010
> 12:24:12 +0200):
>
> > I propose to change the cleared hardcoded password with a validation of the
> > password of the user running trytond.
>
> I suppose 'cleared' means 'clear text'?
>
> If the tryton user (like in Debian) running the server has neither a password
> nor a shell, it is no longer possible to create databases from the client.

Yes, so we should encourage the use of the -i option of trytond (and fix
issueXXX to have reverse dependencies).

> So I like the idea as an *additional* feature:
> - Setting the password to empty in trytond.conf, with a hint about the
> security risk this creates, if configured.

I would prefer to drop this feature completely.

> - If no admin password is configured, only allow the tryton(d) user to do
> admin tasks.
>
> Just one point:
> - Inexperienced users running trytond without a dedicated user have no
> security layer between normal usage and administrative tasks.

Yes. And we already had some users who tried the password of the running user
instead of the default "admin". So it seems that it can be a logical behavior.

-- 
Cédric Krier
B2CK SPRL
Rue de Rotterdam, 4
4000 Liège
Belgium
Tel: +32 472 54 46 59
Email/Jabber: [email protected]
Website: http://www.b2ck.com/
