----- Original Message -----
From: "Josh Bressers" <bressers(a)redhat.com>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>
Cc: "Eli Mesika" <emesika(a)redhat.com>, "Juan Hernandez"
<jhernand(a)redhat.com>, "engine-devel"
<engine-devel(a)ovirt.org>, "pmatouse" <pmatouse(a)redhat.com>
Sent: Wednesday, May 1, 2013 9:13:24 PM
Subject: Re: [Engine-devel] Dropping encryption of database password
> >
> > > >
> > > > In other words you are for storing password as plain text.... :)
> > >
> > > If the file is protected, I don't mind that the password is in plain
> > > text...
> > >
> >
> > Hi all,
>
> Hello,
>
> > Itamar pointed me at this thread. I'm part of the Red Hat Product Security
> > Team, we exist to help various projects and products with security needs
> > (such as advice in this instance).
> >
> > I can't really comment on this without understanding some of the background
> > (sorry for not being up to speed, I don't have time to research this
> > today and I'm away tomorrow so my replies may be slow).
> >
> > Can you explain to me what the passwords in question are used for?
>
> The password of the user used to access the database.
>
Ahh, so the subject is quite literal.
So in an instance like this it's not uncommon to store this password as
plaintext in a file. The important part is then to ensure that the file is
protected and can only be accessed on a need-to-know basis.
Using various scrambling techniques doesn't really provide any additional
security. Some claim it makes things worse as it provides a false sense of
security.
I would suggest you make a note about what processes and users can view or
modify this file and for what reasons. This should help identify things in
the future that should or shouldn't have this level of access.
Let me know if you have any questions.
Thanks.
Thank you.
This is what I wrote in my initial post.
The only users who should access this password are the ovirt user and the root user.
Regards,
Alon Bar-Lev.
--
Josh Bressers / Red Hat Product Security Team
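As an added example that is not part of the thread, the following shell function audits a plaintext-password file the way the advice above describes: the file must belong to one of the listed accounts (e.g. ovirt or root), must not be readable by group or others, and its directory must not be world-writable. It assumes GNU stat (-c); the file path and account names are arguments, and the usage path in the comment is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the oVirt project or the mailing-list thread.
# check_secret_file FILE ALLOWED_OWNER...
# Prints one line per finding and returns 0 when the file passes, 1 otherwise.
# Assumes GNU coreutils stat (the -c format option).
check_secret_file() {
    file=$1; shift
    rc=0
    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist or is not a regular file"
        return 1
    fi
    owner=$(stat -c '%U' "$file")
    mode=$(stat -c '%a' "$file")
    # The owner must be one of the allowed accounts (the need-to-know list).
    ok=0
    for allowed in "$@"; do
        [ "$owner" = "$allowed" ] && ok=1
    done
    if [ "$ok" -eq 0 ]; then
        echo "FAIL: $file owned by '$owner', expected one of: $*"
        rc=1
    fi
    # Keep only the rwx digits (drops a leading setuid/setgid/sticky digit),
    # then require the group and other digits to be 0, e.g. 0600 or 0400.
    perm=$(printf '%s' "$mode" | tail -c 3)
    case "$perm" in
        ?00) ;;
        *) echo "FAIL: $file has mode $mode; group/other bits must be 0 (e.g. 0600)"; rc=1 ;;
    esac
    # A world-writable directory lets anyone replace the file, so flag it too.
    dir=$(dirname "$file")
    dmode=$(stat -c '%a' "$dir")
    case "$(printf '%s' "$dmode" | tail -c 1)" in
        [2367]) echo "FAIL: directory $dir is world-writable (mode $dmode)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $file is restricted to owner '$owner'"
    return "$rc"
}

# Usage (placeholder path): sh audit.sh /path/to/engine-config-file ovirt root
if [ "$#" -gt 0 ]; then check_secret_file "$@"; fi
```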