[request-tracker-maintainers] Bug#475730: request-tracker3.6: should prompt for initial root password
Dominic Hargreaves
dom at earth.li
Sun Jan 31 16:38:55 UTC 2010
reassign 475730 request-tracker3.8
thanks
On Sat, Apr 12, 2008 at 06:26:34PM +0300, Niko Tyni wrote:
> Package: request-tracker3.6
> Version: 3.6.6-2
> Severity: normal
>
> The initial password for the RT superuser 'root' (separate from the
> local root account, of course) is currently set to 'password' on new
> installs.
>
> As the database is now created automatically since 3.6.6-2, this would be
> a gaping security hole if the system was reachable on the web after the
> default install. As things are, the web server must first be configured
> manually, so things are not quite that bad.
>
> The right thing to do would be to prompt for the initial password via
> debconf. This requires changes to rt-setup-database, and I'm not sure
> yet if I'll implement this for Lenny, but I'm filing this as a reminder
> in any case.
Good idea. Not something that is going to get changed in 3.6 now, so
reassigning this to request-tracker3.8.
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)