[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RFC: common database policy/infrastracture

On Thu, 16 Dec 2004 14:22:25 +0100 (CET), Andreas Tille <tillea@rki.de> wrote:
> On Thu, 16 Dec 2004, Olaf van der Spek wrote:
> 
> >> Yes, but I do not want to store the password *anywhere* - it could even
> >> be removed from debconf database because it makes no sense to store it
> >> in case the local maintainer changes the database password the value
> >> is absolutely useless in any config file or debconf database.  Moreover
> >> it is even a security risk to store a password in an additional place.
> >
> > If it's only readable by root, how much of a risk is it really?
> Why should I use md5 passwords if they are stored in /etc/shadow which
> is only readable by root?

Because system passwords aren't 'needed' by any applications to
authenticate themselves to the system, while database passwords are.

> IMHO, it is a good idea not to store passwords in clear text if there
> is no reason to do so.  If a temporary file at install time suffices
> I just prefer this over permanent storage.

True, but how many database apps work without storing the password?
Reply to: