On Tuesday 19 May 2009 13:25:36 Krishnakant wrote:
Do keep posting feedback or ask about any feature. We have the mailing list at gnu-khata@googlegroups.com right now.
First feedback: the INSTALL document states:
<quote> To use PostgreSQL for the first time there is a dedicated administrator account called postgres. This will be the user we will use for the database. We must set a password for that user. To change/reset the password, sudo passwd postgres for Ubuntu, or just su passwd postgres for any other sudo-less distro of GNU/Linux, and hit enter. Enter the password ''gkadmin'' and re-type it for confirmation. <endquote>
This is a serious security flaw, as it means that every computer running gnu-khata will have 'gkadmin' as the password for postgres, which is a superuser. That means that anyone at all can log in as postgres and mess up all the databases on the system. A separate user should be created that only has rights over the gnu-khata database, and the choice of password should be given to the end user. Conventionally this is done by having a separate settings.py file where sensitive information like this is entered and read by the application. In this way the password can also be changed regularly.
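The setup described in that feedback, as an added example and not code from the gnu-khata project or from either poster: a dedicated PostgreSQL role that owns only the application database (no superuser, no CREATEDB, no CREATEROLE), a password generated per installation rather than fixed in INSTALL, and a settings.py written with mode 0600 that the application reads back instead of a hard-coded credential. The role name gkuser, the database name gnukhata, the DB_* setting names and all function names are assumptions for illustration; the SQL is only rendered here, an installer would feed it to psql as the postgres user.

```python
"""Least-privilege PostgreSQL provisioning for a web app (added example).

Hypothetical helper names; the role/database names are placeholders.
The SQL statements are built with identifier validation and literal quoting
so a generated password containing a quote cannot break the statement.
"""
import os
import re
import runpy
import secrets
import stat
import tempfile

# PostgreSQL unquoted-style identifiers only; anything else is rejected rather
# than quoted, which keeps role/database names boring and safe.
IDENT_RE = re.compile(r"^[a-z_][a-z0-9_]{0,62}$")


def new_password(nbytes=24):
    """Per-installation random password; 24 random bytes -> 32 URL-safe chars."""
    return secrets.token_urlsafe(nbytes)


def quote_ident(name):
    """Double-quote a validated SQL identifier."""
    if not IDENT_RE.match(name):
        raise ValueError("unsafe identifier: %r" % (name,))
    return '"%s"' % name


def quote_literal(value):
    """Single-quote a string literal, doubling embedded quotes."""
    return "'%s'" % value.replace("'", "''")


def provisioning_sql(db, role, password):
    """Statements the postgres superuser runs once at install time.

    The application role can log in and owns its own database, and nothing
    else: no superuser bit, no CREATEDB, no CREATEROLE, and PUBLIC loses the
    default CONNECT privilege on that database.
    """
    return [
        "CREATE ROLE %s LOGIN PASSWORD %s NOSUPERUSER NOCREATEDB NOCREATEROLE;"
        % (quote_ident(role), quote_literal(password)),
        "CREATE DATABASE %s OWNER %s;" % (quote_ident(db), quote_ident(role)),
        "REVOKE ALL ON DATABASE %s FROM PUBLIC;" % quote_ident(db),
    ]


def write_settings(path, db, role, password, host="localhost", port=5432):
    """Write settings.py readable only by its owner (created with mode 0600)."""
    settings = {"DB_NAME": db, "DB_USER": role, "DB_PASSWORD": password,
                "DB_HOST": host, "DB_PORT": port}
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        for key, value in settings.items():
            f.write("%s = %r\n" % (key, value))  # repr() keeps quotes intact
    os.chmod(path, 0o600)  # tighten even if the file already existed
    return settings


def file_mode(path):
    """Permission bits of a file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def load_settings(path):
    """Read settings.py back; refuse a file other local users could read."""
    mode = file_mode(path)
    if mode & 0o077:
        raise PermissionError("%s is readable by others (mode %o)" % (path, mode))
    namespace = runpy.run_path(path)
    return {k: v for k, v in namespace.items() if k.startswith("DB_")}


def provision(db="gnukhata", role="gkuser", directory=None):
    """End-to-end: generate password, render SQL, write and re-read settings.

    Returns (sql_statements, settings_as_loaded, settings_file_mode).
    """
    directory = directory or tempfile.mkdtemp(prefix="gk-settings-")
    password = new_password()
    sql = provisioning_sql(db, role, password)
    path = os.path.join(directory, "settings.py")
    write_settings(path, db, role, password)
    return sql, load_settings(path), file_mode(path)


if __name__ == "__main__":
    statements, loaded, mode = provision()
    print("\n".join(statements))
    print("settings.py mode: %o, DB_USER=%s" % (mode, loaded["DB_USER"]))
```

Rotating the password is then a matter of running ALTER ROLE ... PASSWORD with a fresh value and rewriting settings.py; nothing in the installed code changes. The postgres superuser password stays whatever the administrator chose and is never needed by the application.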