Date:      Fri, 8 Mar 2002 15:42:53 +0100 
From:      "Koster, K.J." <K.J.Koster@kpn.com>
To:        'Ernst de Haan' <znerd@FreeBSD.ORG>
Cc:        java@FreeBSD.ORG
Subject:   RE: Updated www/orion --> 1.5.2_7
Message-ID:  <59063B5B4D98D311BC0D0001FA7E452205FDA448@l04.research.kpn.com>

Dear Ernst,

> 
> > Without looking at the code: enabling accounts with default 
> > passwords is a
> > Very Bad Idea(tm). I trust that if I do not set 
> > ADMIN_PASSWORD the accounts will remain disabled. Yes?
> 
> Uhm... so what do you suggest? I want the port to deliver a 
> fully functional application server...
>
It's fully functional with the admin account disabled. The demos run and
people can deploy stuff to it. In fact I leave the admin account disabled on
everything but one experimental box, and that was enabled by special
request. The production servers are not going to have admin accounts
enabled.

Using default passwords is simply a bad idea. Remember the Slashdot test
site hack from a while back? Oracle anyone? (Was it Oracle? I'm not sure,
big database vendor).

Please leave the admin account as it is in Orionserver's distribution kit.
When people need the admin account, they can enable it and set a password
for their purpose (and it's their own stupid fault if they use "123"). If
they don't need it, they won't unknowingly have accounts enabled that other
people know the password for.

> 
> > I'm kind'a busy at the moment. I'd love to test it. Could 
> > someone please pay me to do this? *sigh*
> 
> Sorry, but I don't get paid for this stuff either :-\
> 
It was a rhetorical question. I know the answer. :-)

    Kees Jan

=====================================================
 You can't have everything.  Where would you put it?
                                     [Steven Wright]
