[Engine-devel] Dropping encryption of database password
Alon Bar-Lev
alonbl at redhat.com
Wed May 1 18:16:53 UTC 2013
----- Original Message -----
> From: "Josh Bressers" <bressers at redhat.com>
> To: "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: "Eli Mesika" <emesika at redhat.com>, "Juan Hernandez" <jhernand at redhat.com>, "engine-devel"
> <engine-devel at ovirt.org>, "pmatouse" <pmatouse at redhat.com>
> Sent: Wednesday, May 1, 2013 9:13:24 PM
> Subject: Re: [Engine-devel] Dropping encryption of database password
>
> > >
> > > > >
> > > > > In another words you are for storing password as plain text.... :)
> > > >
> > > > If the file is protected , I don't mind that the password is in plain
> > > > text...
> > > >
> > >
> > > Hi all,
> >
> > Hello,
> >
> > > Itamar pointed me at this thread. I'm part of the Red Hat Product
> > > Security
> > > Team, we exist to help various projects and products with security needs
> > > (such as advice in this instance).
> > >
> > > I can't really comment on this without understanding some of the
> > > background
> > > (sorry for not being up to speed, I don't have time to research this
> > > today and I'm away tomorrow so my replies may be slow).
> > >
> > > Can you explain to me what the passwords in question are used for?
> >
> > The password of the user used to access the database.
> >
>
> Ahh, so the subject is quite literal.
>
> So in an instance like this it's not uncommon to store this password as
> plaintext in a file. The important part is then to ensure that the file is
> protected and can only be accessed on a need-to-know basis.
>
> Using various scrambling techniques don't really provide any additional
> security. Some claim it makes things worse as it provides a false sense of
> security.
>
> I would suggest you make a note about what processes and users can view or
> modify this file and for what reasons. This should help identify things in
> the future that should or shouldn't have this level of access.
>
> Let me know if you have any questions.
>
> Thanks.
Thank you.
This is what I wrote in my initial post.
The only users who should access this password is ovirt user and root user.
Regards,
Alon Bar-Lev.
>
> --
> Josh Bressers / Red Hat Product Security Team
>
More information about the Engine-devel
mailing list