Hi,

> Hey, you're the one reopening an old, closed and archived bug report
> for a bug that has been properly fixed, mixing several other "issues"
> in the same report and WRITING IN CAPS.
>
> Not to mention your post to -security on which I'm not even Cc:ed.
Yes, being less drastic would have been wise, forgetting to Cc you wasn't
cool either. Yeah, I screwed up, sorry for that.

> The password is transmitted in clear text (basic auth, base64) over
> HTTP, I don't think you want to use your root password for
> that. Really.

Right.

> The password has to be changed, and the config file has to be edited
> to set the music library path anyway. It's *really* no big deal.

Hmm, I would still sleep better if it was secure by default ;-)

> I'll take patches, though. Be careful if you venture in that code,
> there are anvils hanging up about everywhere, looking for a good
> target to drop on.

How about a simple patch in the postinst file? See attachment.

Alexander Kurtz
--- mt-daapd.orig/control/postinst 2009-02-10 19:00:03.000000000 +0100 +++ mt-daapd/control/postinst 2009-04-02 19:58:48.000000000 +0200 @@ -23,6 +23,12 @@ dpkg-statoverride --update --add mt-daapd root 0600 /etc/mt-daapd.conf fi +# Check for insecure default admin_pw and replace it with a random value +# fixes the most serious part of #404640 (predictable password) +if grep --quiet '^admin_pw = mt-daapd$' /etc/mt-daapd.conf; then + sed 's!^admin_pw = mt-daapd$!admin_pw = '`dd if=/dev/random bs=1 count=15 | base64`'!g' -i /etc/mt-daapd.conf +fi + # Automatically added by dh_installinit if [ -x "/etc/init.d/mt-daapd" ]; then update-rc.d mt-daapd defaults 25 >/dev/null
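Review bot: the replacement password in the new `if` block is drawn with `dd if=/dev/random bs=1 count=15`, which can block for a long time on a freshly installed machine or a VM with an empty entropy pool and stall the whole package configuration; `/dev/urandom` is the usual source for this kind of one-off secret, and `2>/dev/null` on the `dd` would keep its "records in/out" chatter out of the install output. The generated value is also written silently into /etc/mt-daapd.conf, with nothing telling the administrator that the default password was replaced or where to read the new one; a short message (or a debconf note) pointing at the config file would avoid locking the admin out of the web interface after install. Minor: the `grep`/`sed` patterns match only the exact `admin_pw = mt-daapd` spelling, so a config with different spacing around `=` keeps the default; that is fine for a default-only fix but worth saying in the comment above the block.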