geeman
  • Posts: 13
  • Joined: 27/05/2008
I noticed that during install I am required to grant the web process permissions to commit the database upgrade password to the app.config. Is there any way that this can be moved to the DB in the future?

1. This simplifies permissions required to set up the forums
2. Reduces surface area of attacks from a security standpoint

Thanks
geeman
  • Posts: 13
  • Joined: 27/05/2008
geeman wrote:

I noticed that during install I am required to grant the web process permissions to commit the database upgrade password to the app.config. Is there any way that this can be moved to the DB in the future?

1. This simplifies permissions required to set up the forums
2. Reduces surface area of attacks from a security standpoint

Thanks



One other thing, I deploy YAF to a web farm and this breaks my web farm since it's only committed to a single server.
Jaben
  • Posts: 2544
  • Joined: 09/10/2004
DB is not a great option either. But I'm open to other suggestions.
Jaben
  • Posts: 2544
  • Joined: 09/10/2004
geeman wrote:

geeman wrote:

I noticed that during install I am required to grant the web process permissions to commit the database upgrade password to the app.config. Is there any way that this can be moved to the DB in the future?

1. This simplifies permissions required to set up the forums
2. Reduces surface area of attacks from a security standpoint

Thanks



One other thing, I deploy YAF to a web farm and this breaks my web farm since it's only committed to a single server.


Just copy the app.config. Not sure how it "breaks" everything given it's only needed when you run /install.
geeman
  • Posts: 13
  • Joined: 27/05/2008
Jaben wrote:

geeman wrote:

geeman wrote:

I noticed that during install I am required to grant the web process permissions to commit the database upgrade password to the app.config. Is there any way that this can be moved to the DB in the future?

1. This simplifies permissions required to set up the forums
2. Reduces surface area of attacks from a security standpoint

Thanks



One other thing, I deploy YAF to a web farm and this breaks my web farm since it's only committed to a single server.


Just copy the app.config. Not sure how it "breaks" everything given it's only needed when you run /install.



I was trying to install the beta and pressed enter by accident without filling in the entire install form. An exception was thrown.

I went back and did the install again, which bounced me to my other server. I did the copy of the app.config, which fixed it, and finished the install.

I think there is a bug because I looked at the app.config file and the configPassword had the same hash multiple times separated by a comma.

Also, I'm not sure why putting the password in the DB is not a good option. The only way to get to the DB is to compromise the SQL server, and if I have done that, I can get the necessary password information (salt and hash) to the administrator account anyway.
infinitep
  • Posts: 34
  • Joined: 28/05/2008
I too had this. I fixed it by going into Windows Explorer, right-clicking the app.config, and giving full control to the ASPNET user under the Security tab.
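Added example (not from any poster in this thread and not YAF project code): a PowerShell script that keeps the web process's write access to app.config limited to the install step, by granting Modify beforehand, stripping write rights afterwards, and auditing what is left. The file path is a placeholder, and ASPNET is the account named in the post above; substitute your application pool identity if it differs.

```powershell
# Added example. Assumptions: $ConfigPath is a placeholder path; ASPNET is the
# account named in the thread. Run from an elevated prompt.
param(
    [string]$ConfigPath = 'C:\inetpub\wwwroot\forum\app.config',  # hypothetical path
    [string]$Identity   = "$env:COMPUTERNAME\ASPNET",
    [ValidateSet('Audit', 'Grant', 'Revoke')]
    [string]$Action     = 'Audit'
)

# Rights that let the holder change or replace the file. Read bits are left out
# on purpose so that a plain Read ACE is not reported.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

# Allow ACEs that name the account directly and carry any write-type right.
# Rights obtained through group membership are not resolved here.
function Get-WriteAce {
    param([string]$Path, [string]$Account)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -ieq $Account -and
        ($_.FileSystemRights -band $writeMask) -ne 0
    }
}

function Set-InstallWrite {
    param([string]$Path, [string]$Account, [bool]$Enable)
    $acl = Get-Acl -LiteralPath $Path
    if ($Enable) {
        # Modify is enough to rewrite the file; Full Control also lets the
        # web process change the ACL itself.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Modify', 'Allow')
        $acl.AddAccessRule($rule)
    } else {
        # Strips only the write-type bits from explicit ACEs; read access stays.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $writeMask, 'Allow')
        [void]$acl.RemoveAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

switch ($Action) {
    'Grant'  { Set-InstallWrite -Path $ConfigPath -Account $Identity -Enable $true }
    'Revoke' { Set-InstallWrite -Path $ConfigPath -Account $Identity -Enable $false }
}

# Always finish with an audit. Inherited ACEs cannot be removed on the file
# itself, so they show up here with IsInherited = True.
$left = @(Get-WriteAce -Path $ConfigPath -Account $Identity)
if ($left.Count) {
    $left | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
    Write-Warning "$Identity can still modify $ConfigPath"
} else {
    Write-Output "$Identity has no direct write access to $ConfigPath"
}
```

On a web farm, run the `Revoke` and `Audit` actions on every node after copying the finished app.config across, since file ACLs are set per server.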