I noticed that during install I am required to grant the web process permissions to commit the database upgrade password to the app.config. Is there any way that this can be moved to the DB in the future?
1. This simplifies permissions required to set up the forums
2. Reduces surface area of attacks from a security standpoint
Thanks
One other thing, I deploy YAF to a web farm and this breaks my web farm since it's only committed to a single server.
Just copy the app.config. Not sure how it "breaks" everything given it's only needed when you run /install.
I was trying to install the beta and pressed enter by accident without filling in the entire install form. An exception was thrown.
I went back and did the install again. Which bounced me to my other server. I did the copy of the app.config which fixed it and finished install.
I think there is a bug because I looked at the app.config file and the configPassword had the same hash multiple times separated by a comma.
Also, I'm not sure why putting the password in the DB is not a good option. The only way to get to the DB is to compromise the SQL server in which if I have done that, I can get the necessary password information (salt and hash) to the administrator account anyways.