Started
A Vr 3 months ago • updated by Nils Laumaillé 3 months ago

In the file settings.php the password for the Teampass database user is written in plain text. A security improvement would be to encrypt this password so that an unauthorised system admin could not break into the database.


kind regards,

Arie

There is no password in settings.php file.


I don't understand your point.

Hi Nils,

I have provided a screenshot of the settings.php file: (it's a test environment, just a simple password :-))

Teampass must be using $pass because if I change this password Teampass does not work with an access denied message.


Kind regards,

Arie

Nils,


just to clarify the point I'm trying to make. I am in the process of evaluating Teampass and after this evaluation several teams are planning to work with it. One of those teams will be the sysadmin on the Teampass server. They will also be a member of a role in Teampass, while other IT teams will be working in other roles. If any sysadmin on the Teampass server can get into the database he could make a copy of the database and give his own user id admin rights in Teampass. Then he can give himself any team role he wants and can read all passwords of the other teams.


kind regards,

Arie

Under review

Hi Arie,


Oh yes I do understand.

Yes, this password is protected from external access through the use of .htaccess.

Now you are right. If the user has access to the server and its folders then this pass is visible.

I can of course encrypt it, but in that case the encryption will also rely on a salt which has to be "clear" somewhere.

If the user is admin then he will have access to it also, so that with some code it can be encrypted.

But at least, it will not be as easy as performing a "copy-paste".


Do you agree with this?
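The protection Nils describes ends at filesystem access, so the practical control is who on the server can read settings.php at all. As an added example (not Teampass' own code), a small POSIX shell audit that reports whether a file holding a database password is readable beyond its owner; the temporary file it checks is constructed for the demo and stands in for settings.php:

```shell
#!/bin/sh
# Added example, not Teampass code: audit the file that holds a database
# password and report whether anyone besides its owner can read it.
# The file path used in the demo is a constructed stand-in for settings.php.

# Print the permission bits of a file as three octal digits.
# GNU coreutils stat uses -c, BSD/macOS stat uses -f; try both.
file_mode() {
    m=$(stat -c '%a' "$1" 2>/dev/null) || m=$(stat -f '%OLp' "$1")
    # Keep the low three digits (drops a leading setuid/setgid/sticky digit).
    printf '%s' "$m" | tail -c 3
}

# Return 0 when only the owner (or owner and group) can read the file,
# 1 when others can read it, 2 when the file is missing.
audit_config_perms() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 2
    fi
    mode=$(file_mode "$file")
    case "$mode" in
        400|600)
            echo "ok: $file is mode $mode (owner only)"
            return 0 ;;
        440|640)
            echo "ok: $file is mode $mode (owner and group, e.g. the web server group)"
            return 0 ;;
        *)
            echo "WARN: $file is mode $mode; users other than the owner can read it"
            return 1 ;;
    esac
}

# Demo on a constructed temporary file standing in for settings.php.
demo_file=$(mktemp)
chmod 644 "$demo_file"
if audit_config_perms "$demo_file"; then :; else echo "fix with: chmod 600 $demo_file"; fi
chmod 600 "$demo_file"
audit_config_perms "$demo_file"
rm -f "$demo_file"
```

Run it against the real configuration path on the server; a result other than "ok" means the database credential is exposed to every local account, regardless of whether the value in the file is plain or encrypted with a key kept on the same host.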

Hi Nils,


Your proposal sounds ok. But indeed it is up to the server admin to implement sound security measures to shield access to the database and application files. But if the config of Teampass has an extra layer of protection it only adds to the security on the whole. Thank you,


kind regards,

Arie

Started

I have implemented it in the Development branch.


It now requires a complete test phase.