Date: Fri, 8 Mar 2002 15:42:53 +0100
From: "Koster, K.J." <K.J.Koster@kpn.com>
To: 'Ernst de Haan' <znerd@FreeBSD.ORG>
Cc: java@FreeBSD.ORG
Subject: RE: Updated www/orion --> 1.5.2_7
Message-ID: <59063B5B4D98D311BC0D0001FA7E452205FDA448@l04.research.kpn.com>

Dear Ernst,

> > Without looking at the code: enabling accounts with default
> > passwords is a
> > Very Bad Idea(tm). I trust that if I do not set
> > ADMIN_PASSWORD the accounts will remain disabled. Yes?
>
> Uhm... so what do you suggest? I want the port to deliver a
> fully functional application server...
>
It's fully functional with the admin account disabled. The demos run and
people can deploy stuff to it. In fact I leave the admin account disabled on
everything but one experimental box, and that was enabled by special request.
The production servers are not going to have admin accounts enabled.

Using default passwords is simply a bad idea. Remember the Slashdot test site
hack from a while back? Oracle anyone? (Was it Oracle? I'm not sure, big
database vendor).

Please leave the admin account as it is in Orionserver's distribution kit.
When people need the admin account, they can enable it and set a password for
their purpose (and it's their own stupid fault if they use "123"). If they
don't need it, they won't unknowingly have accounts enabled that other people
know the password for.

> > I'm kind'a busy at the moment. I'd love to test it. Could
> > someone please pay me to do this? *sigh*
>
> Sorry, but I don't get paid for this stuff either :-\
>
It was a rhetorical question. I know the answer. :-)

Kees Jan

=====================================================
You can't have everything. Where would you put it?
[Steven Wright]