[DRE-maint] Bug#964759: redmine: insecure account with well-known password
Soren Stoutner
soren at debian.org
Sat Dec 14 00:24:36 GMT 2024
Andrius,

Thank you for submitting this bug report with the associated patch. I am
sorry it took four years for anyone to respond to it.

In some ways, I find your solution elegant. But I am uncertain how it would
interact with setting up multiple instances. And I am also uncertain that it
is a problem that needs fixing, in the sense that by default no instance is
reachable when Redmine is first installed.

If an admin has concerns that a new instance could be hacked before he can
change the default admin password, then he can simply restrict the example
Apache config files to only expose the new instance to a browser he controls
during the initial setup, like localhost or a specific IP address.

Alternately, it looks like it should be possible to change the default admin
password via the command line before any instance is ever exposed via a manual
Apache configuration.

https://stackoverflow.com/questions/30655292/is-there-a-rake-command-to-reset-a-redmine-admin-password

I have not yet tested any of these commands, but if it is a concern that the
default instance initially exposes a default password, perhaps we should add a
list of commands to README.Debian a user can run to change the password before
setting Apache to serve up the Redmine instance.
--
Soren Stoutner
soren at debian.org
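The "restrict the Apache config to a browser he controls" mitigation from the message above, written out as an added example; this is not code from the Debian redmine package or from the thread's participants. It assumes Apache 2.4 authorization syntax, that Redmine is served under the /redmine path on the same host, and that 192.0.2.10 is a constructed placeholder for the administrator's workstation.

```apacheconf
# Added example, not part of the Debian redmine package's shipped config.
# Assumptions: Apache 2.4 (mod_authz_core), Redmine mounted at /redmine,
# 192.0.2.10 is a constructed placeholder for the admin's workstation.

<VirtualHost *:443>
    ServerName redmine.example.org

    # Weak setting during initial setup: the whole instance, default admin
    # credentials included, is reachable by anyone who can reach the host.
    #
    # <Location /redmine>
    #     Require all granted
    # </Location>

    # Hardened setting: only loopback and one admin workstation can reach the
    # instance until the default admin password has been changed. Multiple
    # Require lines in a Location are combined with OR (implicit RequireAny).
    <Location /redmine>
        Require local
        Require ip 192.0.2.10
    </Location>
</VirtualHost>
```

After `apache2ctl configtest` and a reload, a request from any other address (for example `curl -I https://redmine.example.org/redmine/login` from a third host) should return 403, while the same request from the listed workstation or over loopback reaches the login page. Once the admin password has been changed, the Location block can be widened to the intended audience.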