On Thu, Apr 10, 2008 at 12:37:41AM +1000, Ben Finney wrote:
> Xavier Luthi <[EMAIL PROTECTED]> writes:
> 
> > One solution, the easiest on the package development point of view,
> > is to set a default password documented in the README.Debian. Of
> > course, this is not beautiful and can be a security issue,
> > especially if the user doesn't change it immediately...
> 
> I would modify "can be" to "is definitely" a security issue. Don't do
> that. Installing applications with default passwords is not a valid
> approach for a 21st century package.
> 
> Instead, in the absence of explicitly choosing a password, the
> application should be installed such that it will deny authentication
> until such a password is explicitly chosen.
> 

OK.  Now let's suppose the password has not been set during the
package configuration because debconf level was too high.  The webapp
won't allow any authentication because the password is not set.  How
to ask for a password?  With a warning message on the administrative
page of the webapp saying something like: 'Please run (as root)
"dpkg-reconfigure pixelpost" to set the password of the
administrative user.' (priority is always 'low' for dpkg-reconfigure).

Obviously, I cannot redirect the administrative page to a custom page
to set the password as this would be also a security hole ;)


-- 
Xavier
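The behaviour discussed in this thread, as an added example that is not Xavier's packaging code and not pixelpost's own code: a small in-memory stand-in for the webapp's admin configuration. It assumes the package's postinst calls `set_admin_password()` only when debconf actually obtained a password; when the question was skipped (priority too high), the configuration carries no hash, every login attempt is refused, and the administrative page returns the dpkg-reconfigure hint. Function names, the PBKDF2 choice and the iteration count are this example's own.

```python
"""Deny-until-configured admin login for a packaged webapp (added example)."""
import hashlib
import hmac
import secrets

PACKAGE = "pixelpost"      # package name taken from the thread
ITERATIONS = 200_000       # PBKDF2 work factor, chosen for this example


def empty_config() -> dict:
    """Config as the package leaves it when debconf skipped the password question."""
    return {"admin_salt": None, "admin_hash": None}


def set_admin_password(config: dict, password: str) -> dict:
    """Store a salted PBKDF2 hash of the chosen password.

    An unanswered debconf question yields an empty string; refusing it here
    prevents a skipped question from silently becoming a usable credential.
    """
    if not password:
        raise ValueError("refusing to store an empty admin password")
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    config["admin_salt"] = salt.hex()
    config["admin_hash"] = digest.hex()
    return config


def password_is_set(config: dict) -> bool:
    """True only when both salt and hash are present and non-empty."""
    return bool(config.get("admin_salt")) and bool(config.get("admin_hash"))


def authenticate(config: dict, password: str) -> bool:
    """Deny authentication entirely while no password has been chosen."""
    if not password_is_set(config):
        return False
    salt = bytes.fromhex(config["admin_salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Constant-time comparison of the stored and computed hashes.
    return hmac.compare_digest(digest.hex(), config["admin_hash"])


def admin_page_notice(config: dict) -> str:
    """The warning the thread proposes for the administrative page."""
    if password_is_set(config):
        return ""
    return (f'Please run (as root) "dpkg-reconfigure {PACKAGE}" '
            "to set the password of the administrative user.")


if __name__ == "__main__":
    cfg = empty_config()
    print(admin_page_notice(cfg))
    print("login with empty password allowed?", authenticate(cfg, ""))
    set_admin_password(cfg, "chosen-at-dpkg-reconfigure")
    print("correct password accepted?",
          authenticate(cfg, "chosen-at-dpkg-reconfigure"))
    print("notice still shown?", bool(admin_page_notice(cfg)))
```

The empty-password check in `set_admin_password()` is the part worth carrying into a real postinst: `db_get` on a question the user never saw returns an empty value, and a maintainer script that hashes whatever it receives would turn that into a login with a blank password, which is the default-credential problem the thread is trying to avoid.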
