Hi Kenneth, Good observation and thanks for your feedback.
Anyway, what we would do is to let the user decide the password.
Right now it is a desktop app and in the near future we are going to start a web-based system where this flaw will become even more important. Nevertheless, what you have suggested is already on our minds and in fact we deployed it in an organisation and changed the passwords ourselves. So you are right that the security can't be left like this.
Thanks again. Krishnakant.
On Tue, 2009-05-19 at 14:12 +0530, Kenneth Gonsalves wrote:
On Tuesday 19 May 2009 13:25:36 Krishnakant wrote:
Do keep posting feedback or ask about any feature. We have the mailing list at gnu-khata@googlegroups.com right now.
first feedback: The INSTALL document states:
<quote> to use postgresql for the first time there is a dedicated administrator account called postgres. This will be the user we will use for the database. We must set a password for that user. to change/ reset the password, sudo passwd postgres for ubuntu or just su passwd postgres for any other sudo less distro of gnu/linux and hit enter. enter the password ''gkadmin'' and re-type for confirmation. <endquote>
this is a serious security flaw as it means that every computer running gnu-khata will have 'gkadmin' as the password for postgres - which is a superuser. That means that anyone at all can log in as postgres and mess up all the databases on the system. A separate user should be created that only has rights over the gnu-khata database, and the choice of password should be given to the end user. Conventionally this is done by having a separate settings.py file where sensitive information like this is entered and read by the application. In this way the password can also be regularly changed.
-- regards Kenneth Gonsalves Associate NRC-FOSS http://nrcfosshelpline.in/web/
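Added example, not code from GNU Khata or from either poster: a small Python helper in the spirit of Kenneth's suggestion. It reads the database credentials from a settings file (the file name, section layout and role name `gnukhata_app` are assumptions), refuses the `postgres` superuser and the documented default password `gkadmin`, and emits the SQL a DBA would run once to create a role confined to the gnu-khata database.

```python
import configparser
from typing import List

# Constructed sample settings file (assumed name settings.ini); kept outside
# version control with restrictive file permissions, as Kenneth suggests.
SAMPLE_SETTINGS = """
[database]
name = gnukhata
user = gnukhata_app
password = correct horse battery staple
host = localhost
"""

DEFAULT_PASSWORD = "gkadmin"  # the shared password the INSTALL document hard-coded


def load_db_settings(text: str) -> dict:
    """Parse the [database] section and refuse the insecure choices from the thread."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    db = dict(cfg["database"])
    if db["user"] == "postgres":
        raise ValueError("application must not run as the postgres superuser")
    if db["password"] == DEFAULT_PASSWORD or len(db["password"]) < 12:
        raise ValueError("password is the documented default or too short")
    return db


def _ident(name: str) -> str:
    # Double-quote identifiers so an odd name cannot change the statement.
    return '"' + name.replace('"', '""') + '"'


def _literal(value: str) -> str:
    return "'" + value.replace("'", "''") + "'"


def provisioning_sql(db: dict) -> List[str]:
    """Statements a DBA runs once (psql as postgres) to create a role confined to one database."""
    role, name = _ident(db["user"]), _ident(db["name"])
    return [
        f"CREATE ROLE {role} LOGIN PASSWORD {_literal(db['password'])} NOSUPERUSER NOCREATEDB NOCREATEROLE;",
        f"CREATE DATABASE {name} OWNER {role};",
        f"REVOKE ALL ON DATABASE {name} FROM PUBLIC;",
        f"GRANT CONNECT ON DATABASE {name} TO {role};",
    ]


if __name__ == "__main__":
    print("\n".join(provisioning_sql(load_db_settings(SAMPLE_SETTINGS))))
```

The application itself connects only as the confined role, so a leaked password exposes one database rather than every database on the host.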