[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Default admin password for a webapp

Please follow <URL:http://www.debian.org/MailingLists/#codeofconduct>;
specifically, please don't send individual copies of messages you also
send to the mailing list, since I haven't asked for them.

Xavier Luthi <xavier@caroxav.be> writes:

> On Thu, Apr 10, 2008 at 08:58:51AM +1000, Ben Finney wrote:
> > Xavier Luthi <xavier@caroxav.be> writes:
> > 
> > > The webapp won't allow any authentication becasue the password is
> > > not set. How to ask for a password?
> > 
> > Some way that the administrator can do so separately from
> > installing the package. Ideally, the installation would use the
> > same API to set the administrative password if available during
> > the install.
> The installation procedure from the upstream source ask for the
> administrative password the very first time anyone access the
> application (this the "classical" way for a webapp).

It may be the "classical" way, but nevertheless it's making an
unwarranted assumption.

> The assumption is the installation time is the same as the
> configuration time, thus reducing to a minimum the time when the
> application is "left open".

The installation of a network-accessible application (or even one that
*could* be made network-accessible) should never have the application
"left open" for any period of time. In the absence of proper
administrative credentials, the application should refuse all access
until such credentials are set.

> In the case of the webapp packaged for Debian, the installation time
> is not always the same as the configuration time, so it is not an
> option to use the upstream method to set the password: this would be
> a big security hole. That's why the Debian package of a webapp often
> needs to diverge from the upstream source in the way the application
> is configured.

Such divergence is to be avoided where possible. I suggest, if you're
willing, you (as the Debian packager for this package) could work with
the upstream developers to close this security hole consistently in
the upstream *and* Debian packages.

 \      "...one of the main causes of the fall of the Roman Empire was |
  `\        that, lacking zero, they had no way to indicate successful |
_o__)               termination of their C programs."  -- Robert Firth |
Ben Finney

Reply to: