Hi Paul,

Quoting Paul Menzel (2014-05-18 00:45:39)
> since version 0.8 Radicale has a database backend and the password for
> the database is specified in `/etc/radicale/config`.
>
> $ ls -lh /etc/radicale/config
> -rw-r--r-- 1 root root 4.0K May 17 22:35 /etc/radicale/config
> $ more /etc/radicale/config
> […]
> # Database URL for SQLAlchemy
> # dialect+driver://user:password@host/dbname[?key=value..]
> # For example: sqlite:///var/db/radicale.db,
> # postgresql://user:password@localhost/radicale
> # See
> http://docs.sqlalchemy.org/en/rel_0_8/core/engines.html#sqlalchemy.create_engine
> […]
>
> Could you please make the file only readable by root, meaning `chmod
> 640` so not everybody could read the potentially added password, where
> the admin forgot to change the permissions?

That only works when Radicale is executed as root, which is a bad idea.

Radicale is usable not only as a daemon but also executed as a regular user. It therefore makes little sense to have it restricted to just a single user.

Seems to me the best we can do is add a big fat warning that if adding sensitive information like a password (avoidable with Postgres - only MySQL really needs passwords) then the access to the config file should be tightened.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
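
A check along the lines of the warning discussed above, as an added example that is not part of the original message or of Radicale: it reports a config file as exposed when it is readable by other users and one of its values is a URL with an embedded password. The sample config, including the `database_url` key name and the credentials, is constructed for illustration.

```python
import configparser
import os
import stat
import tempfile
from urllib.parse import urlsplit


def urls_with_password(path):
    """Return (section, option) pairs whose value is a URL carrying a password."""
    parser = configparser.RawConfigParser()  # Raw: a '%' in a password is not interpolation
    parser.read(path)
    hits = []
    for section in parser.sections():
        for option, value in parser.items(section):
            if "://" not in value:
                continue
            try:
                if urlsplit(value.strip()).password:
                    hits.append((section, option))  # never record the secret itself
            except ValueError:
                continue  # not a parseable URL
    return hits


def audit(path):
    """Report the file mode, where passwords sit, and whether others can read them."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    secrets = urls_with_password(path)
    exposed = bool(secrets) and bool(mode & stat.S_IROTH)
    return {"mode": oct(mode), "secrets": secrets, "exposed": exposed}


if __name__ == "__main__":
    # Constructed sample; key name and credentials are assumptions for the demo.
    sample = "[storage]\ntype = database\ndatabase_url = mysql://radicale:s3cret@db.example/radicale\n"
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(sample)
    for mode in (0o644, 0o640):
        os.chmod(fh.name, mode)
        print(audit(fh.name))
    os.unlink(fh.name)
```

A password-free URL such as `sqlite:///var/db/radicale.db` is not reported whatever the mode, and with `640` the group that owns the file can still read it.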