Kenneth Gonsalves wrote:
On Tuesday 19 May 2009 13:25:36 Krishnakant wrote:
Do keep posting feedback or ask about any feature. We have the mailing list at gnu-khata@googlegroups.com right now.
first feedback: The INSTALL document states:
<quote> to use postgresql for the first time there is a dedicated administrator account called postgres. This will be the user we will use for the database. We must set a password for that user. to change/reset the password, sudo passwd postgres for ubuntu or just su passwd postgres for any other sudo-less distro of gnu/linux and hit enter. enter the password ''gkadmin'' and re-type for confirmation. <endquote>
this is a serious security flaw as it means that every computer running gnu-khata will have 'gkadmin' as the password for postgres, which is a superuser. That means that anyone at all can log in as postgres and mess up all the databases on the system. A separate user should be created that only has rights over the gnu-khata database, and the choice of password should be given to the end user. Conventionally this is done by having a separate settings.py file where sensitive information like this is entered and read by the application. In this way the password can also be regularly changed.
Is the "dedicated administrator account" the system administrator or only administrator for the database?
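The setup Kenneth recommends, as an added example that is not part of this thread or of gnu-khata's own code: a settings.py read by the application (rejecting the shared default 'gkadmin'), and the SQL a DBA would run as postgres to create a dedicated login role that owns only the application database. The names gnukhata, DB_NAME, DB_USER and DB_PASSWORD are assumptions.

```python
"""Least-privilege PostgreSQL setup: a dedicated role that owns only the
application database, with the password kept in a separate settings.py."""
import importlib.util
import os
import tempfile

DEFAULT_PASSWORD = "gkadmin"  # the shared default the INSTALL text suggests; never accept it

# Constructed sample settings.py; the real file stays outside version control.
SAMPLE_SETTINGS = '''DB_NAME = "gnukhata"
DB_USER = "gnukhata"
DB_PASSWORD = "correct-horse-battery"   # chosen by the end user at install time
'''

def load_settings(path):
    """Import settings.py from `path` and return (dbname, user, password).
    Refuses a missing password and the well-known shared default."""
    spec = importlib.util.spec_from_file_location("gk_settings", path)
    mod = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(mod)
    password = getattr(mod, "DB_PASSWORD", None)
    if not password:
        raise ValueError("DB_PASSWORD must be set in settings.py")
    if password == DEFAULT_PASSWORD:
        raise ValueError("refusing the shared default password")
    return mod.DB_NAME, mod.DB_USER, password

def quote_ident(name):
    # Double-quote a SQL identifier, escaping embedded double quotes.
    return '"' + name.replace('"', '""') + '"'

def quote_literal(value):
    # Single-quote a SQL string literal, escaping embedded single quotes.
    return "'" + value.replace("'", "''") + "'"

def least_privilege_sql(dbname, user, password):
    """Statements run once as postgres: an unprivileged login role (no SUPERUSER,
    CREATEDB or CREATEROLE) that owns the application database, which no other
    role may connect to by default."""
    return [
        f"CREATE ROLE {quote_ident(user)} LOGIN PASSWORD {quote_literal(password)} "
        "NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT;",
        f"CREATE DATABASE {quote_ident(dbname)} OWNER {quote_ident(user)};",
        f"REVOKE ALL ON DATABASE {quote_ident(dbname)} FROM PUBLIC;",
        f"GRANT CONNECT ON DATABASE {quote_ident(dbname)} TO {quote_ident(user)};",
    ]

def demo(settings_text=SAMPLE_SETTINGS):
    """Write the sample settings.py to a temp dir, load it, return the SQL."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "settings.py")
        with open(path, "w") as f:
            f.write(settings_text)
        dbname, user, password = load_settings(path)
    return least_privilege_sql(dbname, user, password)

if __name__ == "__main__":
    print("\n".join(demo()))
```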