Deletion DB leave clear password on server log

Bug #729034 reported by Nicola Riolini - Micronaet
This bug affects 2 people
Affects: Odoo Server (MOVED TO GITHUB)
Status: Triaged
Importance: Wishlist
Assigned to: OpenERP's Framework R&D

Bug Description

I recently read a bug that was corrected about clear password during creation, I see that in deletion there is the same problem (not a bug but a possible privacy leak)
Thanks

[2011-03-04 13:17:02,207][?] INFO:db.connection_pool:ConnectionPool(used=0/count=3/max=64): Close all connections to 'user=openerp password=password1234 dbname=Demo'
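
The log line above writes the whole libpq connection string, password included, to the server log. One way to scrub it at the logging layer, as an added example that is not OpenERP's code or its eventual fix: a Python `logging.Filter` that masks password values in DSNs (the quoted-value and `postgresql://` URI handling goes beyond the case in the report). The names `redact_dsn`, `DsnRedactingFilter` and `demo`, and the sample DSN, are assumptions made for the example.

```python
import logging
import re

# libpq keyword/value form: password=<value>, where <value> is either bare
# (ends at whitespace) or single-quoted with backslash escapes (\' and \\).
_KV_PASSWORD = re.compile(
    r"(\b(?:ssl)?password\s*=\s*)(?:'(?:\\.|[^'\\])*'|[^\s']+)", re.IGNORECASE)
# URI form: postgresql://user:secret@host/db
_URI_PASSWORD = re.compile(
    r"(\bpostgres(?:ql)?://[^:/@\s]+:)[^@/\s]*(@)", re.IGNORECASE)
MASK = "***"


def redact_dsn(text):
    """Return text with every libpq password value replaced by MASK."""
    text = _KV_PASSWORD.sub(lambda m: m.group(1) + MASK, text)
    return _URI_PASSWORD.sub(lambda m: m.group(1) + MASK + m.group(2), text)


class DsnRedactingFilter(logging.Filter):
    """Scrub DSN passwords from the final, formatted log message."""

    def filter(self, record):
        # Format first, so a DSN passed as a %-argument is caught as well.
        record.msg = redact_dsn(record.getMessage())
        record.args = None
        return True


def demo():
    """Log a constructed line modelled on the report; return what was emitted."""
    captured = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            captured.append(self.format(record))

    handler = ListHandler()
    handler.addFilter(DsnRedactingFilter())  # on the handler, not the logger
    log = logging.getLogger("db.connection_pool.example")  # hypothetical name
    log.setLevel(logging.INFO)
    log.propagate = False
    log.addHandler(handler)
    dsn = "user=openerp password=password1234 dbname=Demo"  # constructed sample
    log.info("Close all connections to %r", dsn)
    log.removeHandler(handler)
    return captured
```

Attaching the filter to the handler means records propagated from child loggers are scrubbed too; traceback text attached through `exc_info` is not covered by this filter.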

xrg (xrg) wrote : Re: [Bug 729034] [NEW] Deletion DB leave clear password on server log

On Friday 04 March 2011, you wrote:
> Public bug reported:
>
> I recently read a bug that was corrected about clear password during
> creation, I see that in deletion there is the same problem (not a bug but
> a possible privacy leak) Thanks

Let me repeat for the Nth time that setting a database password for postgres is
a bad idea right from the start: the password, if set, will be accessible to
the openerp-server, and, therefore, any process that runs as that user. Why not
use the "trust" or "ident" authentication instead (which relies, too, on the
unix uid)?

Raphaël Valyi - http://www.akretion.com (rvalyi) wrote :

On Fri, Mar 4, 2011 at 10:11 AM, xrg <email address hidden> wrote:

> On Friday 04 March 2011, you wrote:
> > Public bug reported:
> >
> > I recently read a bug that was corrected about clear password during
> > creation, I see that in deletion there is the same problem (not a bug but
> > a possible privacy leak) Thanks
>
> Let me repeat for the Nth time that setting a database password for postgres
> is a bad idea right from the start: the password, if set, will be accessible
> to the openerp-server, and, therefore, any process that runs as that user.
> Why not use the "trust" or "ident" authentication instead (which relies, too,
> on the unix uid)?

Then maybe that would be worth official advice from OpenERP SA here:
http://doc.openerp.com/v6.0/install/linux/postgres/index.html#setup-a-postgresql-user-for-openerp
Because you say that while OpenERP SA says the opposite, making it a bit
hard for new folks to get started...


Changed in openobject-server:
assignee: nobody → OpenERP's Framework R&D (openerp-dev-framework)
importance: Undecided → Wishlist
status: New → Triaged