+1
Completed

Secure credential storage

James Lott 7 years ago updated by Eugene Pankov (Project coordinator) 7 years ago 0
I noticed that all of the data stored by ajenti which is not stored by the system istelf (such as /etc/passwd users) is kept in a single, plain text .json file in /etc/ajenti. This is probably find for things like enable/disable ssl, but for plugins which store credentials, this is less than ideal. For example, anyone who wants to adminster their MySQL database from Ajenti needs to have the MySQL plugin store the MySQL root user and password. I really do consider it one of Ajenti's major bonus aspects that it has no need for a database, but storing passwords (especially one as important as your MySQL root user) in plain text seems like an obvious no-no. I understand that this makes it convenient for the user, because they don't need to re-enter the password, but that is an extremely high security cost for that convenience. With as brilliant of a product as Ajenti is, I'm sure the minds developing it can put their heads together to find a solution which strikes a servicable balance between security and convenience.

Answer

Answer
Completed

Fixed by enforcing -rwx------ on config.json.

Answer
Completed

Fixed by enforcing -rwx------ on config.json.