DB_DBA_PASSWORD security [WAS: Re: Autoconfiscation (Was Re: [rt-devel] 2.1.39: Makefile notes)]

Jesse Vincent jesse at bestpractical.com
Fri Oct 11 13:18:06 EDT 2002


On Fri, Oct 11, 2002 at 10:12:46AM -0700, Jim Meyer wrote:
> How about at least using an encrypted PW? That's always bothered me,
> too, just not so much I'd done anything about it.

An encrypted password would need to be decryptable by RT's tools using
only the information in the config file. Which completely defeats the
purpose of the encryption...and it gives the user a false sense
of security. 

Part of the cleanup for a proper installation procedure _will_ be
pulling the DBA user and DBA password out of the main config file.
They're only needed on setup, not at runtime.  But RT's database
password needs to be available to RT's tools.

In 3.0, the cli and mail gateway will talk to the RT server, rather
than loading their own libraries and talking straight to the database.
This will mean that RT no longer needs to run setgid. Which should help
some ;)

	-j


-- 
»|« http://www.bestpractical.com/rt  -- Trouble Ticketing. Free.



More information about the Rt-devel mailing list