Re: Default admin password for a webapp
Please follow <URL:http://www.debian.org/MailingLists/#codeofconduct>;
specifically, please don't send individual copies of messages you also
send to the mailing list, since I haven't asked for them.
Xavier Luthi <xavier@caroxav.be> writes:
> On Thu, Apr 10, 2008 at 08:58:51AM +1000, Ben Finney wrote:
> > Xavier Luthi <xavier@caroxav.be> writes:
> >
> > > The webapp won't allow any authentication because the password is
> > > not set. How to ask for a password?
> >
> > Some way that the administrator can do so separately from
> > installing the package. Ideally, the installation would use the
> > same API to set the administrative password if available during
> > the install.
>
> The installation procedure from the upstream source asks for the
> administrative password the very first time anyone accesses the
> application (this is the "classical" way for a webapp).
It may be the "classical" way, but nevertheless it's making an
unwarranted assumption.
> The assumption is that the installation time is the same as the
> configuration time, thus reducing to a minimum the time when the
> application is "left open".
The installation of a network-accessible application (or even one that
*could* be made network-accessible) should never have the application
"left open" for any period of time. In the absence of proper
administrative credentials, the application should refuse all access
until such credentials are set.
> In the case of the webapp packaged for Debian, the installation time
> is not always the same as the configuration time, so it is not an
> option to use the upstream method to set the password: this would be
> a big security hole. That's why the Debian package of a webapp often
> needs to diverge from the upstream source in the way the application
> is configured.
Such divergence is to be avoided where possible. I suggest, if you're
willing, you (as the Debian packager for this package) could work with
the upstream developers to close this security hole consistently in
the upstream *and* Debian packages.
--
\ "...one of the main causes of the fall of the Roman Empire was |
`\ that, lacking zero, they had no way to indicate successful |
_o__) termination of their C programs." -- Robert Firth |
Ben Finney
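The fail-closed arrangement argued for above, as an added illustration that is not code from the upstream application or from the Debian package under discussion. It assumes a credential file at an arbitrary path, a stand-in WSGI application, and PBKDF2-SHA256 as the password hash; all names are hypothetical. One function, set_admin_password(), is the only way the credential ever gets written, so a postinst that has a password available at install time and an administrator running it later from a shell go through the same code, and the web front end never offers a "first visitor sets the password" page. Until that file exists, the middleware answers every request, including a would-be setup URL, with 503.

```python
"""Fail-closed admin-credential bootstrap for a packaged web application.

Added illustration only; not code from the upstream project or the Debian
package discussed in the thread.  File layout, names and the WSGI app are
assumptions.
"""
import hashlib
import hmac
import json
import os
import secrets
import tempfile
from pathlib import Path

PBKDF2_ROUNDS = 200_000  # assumption: tune to the host's CPU budget


def set_admin_password(store: Path, password: str) -> None:
    """Provision the admin credential.  This is the single API for doing so:
    the package's postinst (when a password is available at install time)
    and the administrator's later command-line call both come through here;
    the web UI never does."""
    if not password:
        raise ValueError("refusing to set an empty administrative password")
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    record = {"salt": salt.hex(), "hash": digest.hex(), "rounds": PBKDF2_ROUNDS}
    tmp = store.with_suffix(".tmp")
    # 0600 from creation, then an atomic rename: no reader ever sees a
    # world-readable or half-written credential file.
    with open(os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as fh:
        json.dump(record, fh)
    os.replace(tmp, store)


def verify_admin_password(store: Path, password: str) -> bool:
    """Constant-time check of a login attempt; False when nothing is set yet."""
    if not store.exists():
        return False
    record = json.loads(store.read_text())
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["hash"])
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, record["rounds"])
    return hmac.compare_digest(expected, actual)


def fail_closed(app, store: Path):
    """WSGI middleware: refuse *every* request while no credential exists."""
    def gate(environ, start_response):
        if not store.exists():
            body = b"Not configured: set the administrative password on the host first.\n"
            start_response("503 Service Unavailable",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return gate


def upstream_app(environ, start_response):
    """Stand-in for the real application (assumption)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"application home\n"]


def call(app, path="/"):
    """Minimal in-process WSGI client; returns (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], body


def demo():
    """Walk through install time, configuration time, and a later login."""
    with tempfile.TemporaryDirectory() as d:
        store = Path(d) / "admin-credential.json"
        app = fail_closed(upstream_app, store)
        before, _ = call(app, "/setup")     # the "first visitor" URL is refused too
        try:
            set_admin_password(store, "")
            empty_rejected = False
        except ValueError:
            empty_rejected = True
        set_admin_password(store, "correct horse battery staple")  # the admin's CLI step
        after, _ = call(app, "/")
        return {
            "before": before,
            "after": after,
            "empty_rejected": empty_rejected,
            "good": verify_admin_password(store, "correct horse battery staple"),
            "bad": verify_admin_password(store, "hunter2"),
            "mode": oct(store.stat().st_mode & 0o777),
        }


if __name__ == "__main__":
    print(demo())
```

The 503 rather than a redirect to a setup form is the whole point: the window between "package installed" and "administrator configured it" is exactly when nobody should be able to talk to the application, however short the packager hopes that window is.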