Dear Jonas,
thank you for your quick reply! Am Sonntag, den 18.05.2014, 01:10 +0200 schrieb Jonas Smedegaard: > Quoting Paul Menzel (2014-05-18 00:45:39) > > since version 0.8 Radicale has a database backend and the password for > > the database is specified in `/etc/radicale/config`. > > > > $ ls -lh /etc/radicale/config > > -rw-r--r-- 1 root root 4.0K May 17 22:35 /etc/radicale/config > > $ more /etc/radicale/config > > […] > > # Database URL for SQLAlchemy > > # dialect+driver://user:password@host/dbname[?key=value..] > > # For example: sqlite:///var/db/radicale.db, > > # postgresql://user:password@localhost/radicale > > # See > > http://docs.sqlalchemy.org/en/rel_0_8/core/engines.html#sqlalchemy.create_engine > > […] > > > > Could you please make the file only readable by root, meaning `chmod > > 640` so not everybody could read the potentially added password, where > > the admin forgot to change the permissions? > > That only works when Radicale is executed as root, which is a bad idea. > > Radicale is usable not only as a daemon but also executed as a regular > user. It therefore makes little sense to have it restricted to just a > single user. I noticed too, that Radicale was not able to read the configuration file `config` anymore, after setting the permissions that way. Sorry for not doing that beforehand. > Seems to me the best we can do is add a big fat warning that if adding > sensitive information like passowrd (avoidable with Postgres - only > MySQL really needs passwords) then the access to the config file should > be tightened. What about setting the group ownership of that file to the group `radicale`, i. e. `chown root:radicale /etc/radicale/config`, and then allowing read access to the group, so `chmod 640 /etc/radicale/config`? Thanks, Paul
signature.asc
Description: This is a digitally signed message part
