Re: Default admin password for a webapp

To: debian-mentors@lists.debian.org
Subject: Re: Default admin password for a webapp
From: Ben Finney <bignose+hates-spam@benfinney.id.au>
Date: Sat, 12 Apr 2008 12:12:33 +1000
Message-id: <87skxrhlda.fsf@benfinney.id.au>
References: <20080409130413.GA32239@caroxav.be> <87myo32ix6.fsf@benfinney.id.au> <20080409145438.GB32239@caroxav.be> <87ej9eiqj8.fsf@benfinney.id.au> <20080411134449.GA22039@caroxav.be>

Please follow <URL:http://www.debian.org/MailingLists/#codeofconduct>;
specifically, please don't send individual copies of messages you also
send to the mailing list, since I haven't asked for them.

Xavier Luthi <xavier@caroxav.be> writes:

> On Thu, Apr 10, 2008 at 08:58:51AM +1000, Ben Finney wrote:
> > Xavier Luthi <xavier@caroxav.be> writes:
> > 
> > > The webapp won't allow any authentication becasue the password is
> > > not set. How to ask for a password?
> > 
> > Some way that the administrator can do so separately from
> > installing the package. Ideally, the installation would use the
> > same API to set the administrative password if available during
> > the install.
> 
> The installation procedure from the upstream source ask for the
> administrative password the very first time anyone access the
> application (this the "classical" way for a webapp).

It may be the "classical" way, but nevertheless it's making an
unwarranted assumption.

> The assumption is the installation time is the same as the
> configuration time, thus reducing to a minimum the time when the
> application is "left open".

The installation of a network-accessible application (or even one that
*could* be made network-accessible) should never have the application
"left open" for any period of time. In the absence of proper
administrative credentials, the application should refuse all access
until such credentials are set.

> In the case of the webapp packaged for Debian, the installation time
> is not always the same as the configuration time, so it is not an
> option to use the upstream method to set the password: this would be
> a big security hole. That's why the Debian package of a webapp often
> needs to diverge from the upstream source in the way the application
> is configured.

Such divergence is to be avoided where possible. I suggest, if you're
willing, you (as the Debian packager for this package) could work with
the upstream developers to close this security hole consistently in
the upstream *and* Debian packages.

-- 
 \      "...one of the main causes of the fall of the Roman Empire was |
  `\        that, lacking zero, they had no way to indicate successful |
_o__)               termination of their C programs."  -- Robert Firth |
Ben Finney

Reply to:

Follow-Ups:
- Re: Default admin password for a webapp
  - From: Ben Finney <bignose+hates-spam@benfinney.id.au>

References:
- Default admin password for a webapp
  - From: Xavier Luthi <xavier@caroxav.be>
- Re: Default admin password for a webapp
  - From: Ben Finney <bignose+hates-spam@benfinney.id.au>
- Re: Default admin password for a webapp
  - From: Xavier Luthi <xavier@caroxav.be>
- Re: Default admin password for a webapp
  - From: Ben Finney <bignose+hates-spam@benfinney.id.au>
- Re: Default admin password for a webapp
  - From: Xavier Luthi <xavier@caroxav.be>

Prev by Date: Re: Modifications to included libs
Next by Date: Re: Default admin password for a webapp
Previous by thread: Re: Default admin password for a webapp
Next by thread: Re: Default admin password for a webapp
Index(es):
- Date
- Thread