geeman
  • YAF Forumling Topic Starter
16 years ago
I noticed that during install I am required to grant the web process permissions to commit the database upgrade password to the app.config. Is there any way that this can be moved to the DB in the future?

1. This simplifies permissions required to set up the forums

2. Reduces surface area of attacks from a security standpoint

Thanks

geeman
  • YAF Forumling Topic Starter
16 years ago

One other thing, I deploy YAF to a web farm and this breaks my web farm since it's only committed to a single server.

Jaben
  • YAF Developer
16 years ago
DB is not a great option either. But I'm open to other suggestions.
Jaben
  • YAF Developer
16 years ago

Just copy the app.config. Not sure how it "breaks" everything given it's only needed when you run /install.

geeman
  • YAF Forumling Topic Starter
16 years ago

I was trying to install the beta and pressed enter by accident without filling in the entire install form. An exception was thrown.

I went back and did the install again, which bounced me to my other server. I did the copy of the app.config, which fixed it, and finished install.

I think there is a bug because I looked at the app.config file and the configPassword had the same hash multiple times separated by a comma.

Also, I'm not sure why putting the password in the DB is not a good option. The only way to get to the DB is to compromise the SQL server, in which case, if I have done that, I can get the necessary password information (salt and hash) to the administrator account anyways.
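
An added example, not part of the thread and not YAF's own code: a Python check for the two symptoms reported above, a configPassword value holding the same hash repeated with commas and farm nodes whose app.config files disagree. The `<appSettings>`/`<add>` layout, the node names and the hash values are constructed assumptions; only the `configPassword` name comes from the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample files. The key name "configPassword" is taken from the
# post above; the <appSettings>/<add> layout and hash values are assumptions.
NODE_A = """<appSettings>
  <add key="configPassword" value="3F2A9C,3F2A9C,3F2A9C" />
</appSettings>"""
NODE_B = """<appSettings>
  <add key="configPassword" value="" />
</appSettings>"""


def read_config_password(xml_text, key="configPassword"):
    """Return the comma-separated entries stored under `key` (empty if absent)."""
    root = ET.fromstring(xml_text)
    for add in root.iter("add"):
        if add.get("key", "").lower() == key.lower():
            return [v.strip() for v in add.get("value", "").split(",") if v.strip()]
    return []


def audit_farm(configs, key="configPassword"):
    """configs maps node name -> app.config text; returns (node, issue) pairs."""
    findings = []
    per_node = {}
    for node, text in configs.items():
        entries = read_config_password(text, key)
        per_node[node] = entries
        if not entries:
            findings.append((node, "missing"))
        elif len(entries) > 1:
            # One hash repeated vs. several different hashes in one value.
            kind = "duplicated" if len(set(entries)) == 1 else "multiple-values"
            findings.append((node, kind))
    # Only one node holding the value is the web-farm situation in the thread.
    distinct = {tuple(sorted(set(e))) for e in per_node.values()}
    if len(distinct) > 1:
        findings.append(("farm", "nodes-disagree"))
    return findings


if __name__ == "__main__":
    # Report node and issue only; the stored hash itself is never printed.
    for node, issue in audit_farm({"web1": NODE_A, "web2": NODE_B}):
        print(f"{node}: {issue}")
```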

infinitep
16 years ago
I too had this. I fixed it by going into Windows Explorer, right-clicking the app.config and giving full control to the ASPNET user under the Security tab.