security of demo data using default passwords
---------------------------------------------

                 Key: OFBIZ-2799
                 URL: https://issues.apache.org/jira/browse/OFBIZ-2799
             Project: OFBiz
          Issue Type: Bug
          Components: framework
    Affects Versions: Release Branch 9.04
            Reporter: chris snow

After installing demo data, the admin user should be prompted to change the password on first log on.
All other accounts with the password 'ofbiz' should be disabled.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[ https://issues.apache.org/jira/browse/OFBIZ-2799?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12739714#action_12739714 ]

BJ Freeman commented on OFBIZ-2799:
-----------------------------------

There is a target in the build to let you specify an admin ID and password. This is not assigned to the Admin party but has full Admin rights assigned.
http://docs.ofbiz.org/display/~jacopoc/Home
Check out the Quick Start Guide.
[ https://issues.apache.org/jira/browse/OFBIZ-2799?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12741281#action_12741281 ]

chris snow commented on OFBIZ-2799:
-----------------------------------

I'm aware of the ant target for setting up the admin user. However, I think the principle should be extended to the demo data. Why have demo data that is insecure by default?

I think the admin login should be the only account enabled in the demo data, and the admin user should be prompted to change the password on the first login.
[ https://issues.apache.org/jira/browse/OFBIZ-2799?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12741289#action_12741289 ]

Jan Valkovic commented on OFBIZ-2799:
-------------------------------------

> I'm aware of the ant target for setting up the admin user.

*create-admin-user-login* ... Prompts for a user name, then creates a user login with admin privileges and a temporary password equal to 'ofbiz'; after a successful login the user will be prompted for a new password.
[ https://issues.apache.org/jira/browse/OFBIZ-2799?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12741289#action_12741289 ]

Jan Valkovic edited comment on OFBIZ-2799 at 8/10/09 5:35 AM:
--------------------------------------------------------------

> I'm aware of the ant target for setting up the admin user.

That ant target already exists:

*create-admin-user-login* ... Prompts for a user name, then creates a user login with admin privileges and a temporary password equal to 'ofbiz'; after a successful login the user will be prompted for a new password.
[ https://issues.apache.org/jira/browse/OFBIZ-2799?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12741297#action_12741297 ]

chris snow commented on OFBIZ-2799:
-----------------------------------

Current OOTB behaviour:

    ./ant run-install
    # user forgets/doesn't know about ./ant create-admin-user-login
    ./startofbiz.sh

Attacker can access the system with the admin/ofbiz username/password.

Perhaps run-install should prompt for a username and password for admin rather than just installing known passwords? That way, if someone forgets/doesn't know about ./ant create-admin-user-login, they won't have a vulnerable system.
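The remediation proposed in this thread (keep only the admin login, force it to change its temporary password, disable every other account that still carries the 'ofbiz' password) can be applied as a post-processing step on an entity-engine XML data file before it is loaded. The script below is an added example and is not OFBiz project code. It assumes that UserLogin.currentPassword stores a hex SHA-1 digest of the password (newer versions prefix it with "{SHA}"), and that the login service honours the UserLogin fields enabled and requirePasswordChange; the sample data file, the login IDs in it and the function names are constructed for the example.

```python
"""Audit an OFBiz-style entity-engine XML file for UserLogin records that still
carry a well-known default password, disable them, and force a password change
on the single administrative login that is kept.

Added example, not OFBiz project code. Assumptions (verify against your version):
 - UserLogin.currentPassword holds a hex SHA-1 digest of the password, in
   newer versions prefixed with "{SHA}".
 - UserLogin.enabled ("Y"/"N") and UserLogin.requirePasswordChange ("Y"/"N")
   are honoured by the login service.
"""
import hashlib
import xml.etree.ElementTree as ET

DEFAULT_PASSWORDS = ("ofbiz",)   # the password the demo accounts ship with
ADMIN_LOGIN = "admin"            # the one login to keep enabled


def password_hash(password: str) -> str:
    """Hex SHA-1 digest, the storage form assumed for UserLogin.currentPassword."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def _stored_digest(value: str) -> str:
    """Normalise a stored currentPassword: drop a "{SHA}"-style prefix, lower-case hex."""
    if value.startswith("{") and "}" in value:
        value = value[value.index("}") + 1:]
    return value.strip().lower()


def harden_user_logins(xml_text: str, keep: str = ADMIN_LOGIN, defaults=DEFAULT_PASSWORDS):
    """Return (hardened_xml, report).

    Every UserLogin whose password is one of `defaults` is disabled, except the
    login named by `keep`, which stays enabled but must change its password on
    first login. Logins with a non-default password are left untouched.
    """
    known = {password_hash(p) for p in defaults}
    root = ET.fromstring(xml_text)
    report = {"kept": [], "disabled": [], "untouched": []}
    for ul in root.iter("UserLogin"):
        login_id = ul.get("userLoginId", "")
        digest = _stored_digest(ul.get("currentPassword", ""))
        if login_id == keep:
            ul.set("enabled", "Y")
            ul.set("requirePasswordChange", "Y")   # temporary password, as create-admin-user-login does
            report["kept"].append(login_id)
        elif digest in known:
            ul.set("enabled", "N")                 # default password: nobody should log in as this
            report["disabled"].append(login_id)
        else:
            report["untouched"].append(login_id)
    return ET.tostring(root, encoding="unicode"), report


# Constructed sample in the shape of a demo data file (not the real OFBiz file).
# Three logins ship with the default password; one has a site-specific password.
SAMPLE_DEMO_DATA = f"""<entity-engine-xml>
  <UserLogin userLoginId="admin" currentPassword="{password_hash('ofbiz')}" enabled="Y"/>
  <UserLogin userLoginId="flexadmin" currentPassword="{password_hash('ofbiz')}" enabled="Y"/>
  <UserLogin userLoginId="demoadmin" currentPassword="{{SHA}}{password_hash('ofbiz')}" enabled="Y"/>
  <UserLogin userLoginId="svc_custom" currentPassword="{password_hash('not-a-default-9f2c')}" enabled="Y"/>
</entity-engine-xml>
"""


def demo():
    """Run the hardening over the constructed sample and return its result."""
    return harden_user_logins(SAMPLE_DEMO_DATA)


if __name__ == "__main__":
    hardened, report = demo()
    print(report)
    print(hardened)
```

Run it against the XML you are about to feed to run-install-file (or the output of your own ext data) and load the hardened copy instead; the report tells you which logins were disabled and which carry a password the script does not recognise, so an unexpected "untouched" entry is something to look at before going live.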
[ https://issues.apache.org/jira/browse/OFBIZ-2799?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Scott Gray closed OFBIZ-2799.
-----------------------------

    Resolution: Invalid

Demo data is not install data, it's there for demonstration purposes only. If you are storing anything requiring security on a demo install then you are doing it wrong.

I'm closing this issue because the way the demo login data is set up is by design and not a bug. Any further discussion should be carried out on the mailing lists.
run-install is for demonstration purposes only, see the description of the ant targets:

    run-install            This loads all configured data; meant for generic OFBiz development, testing, demonstration, etc purposes
    run-install-extseed    This loads seed, seed-initial and ext data; meant for manual/generic testing, development, or going into production with a derived system based on stock OFBiz where the ext data basically replaces the demo data
    run-install-exttest    This loads seed, seed-initial, ext and ext-test data; meant for automated testing with a derived system based on stock OFBiz
    run-install-file       This loads data using the command line argument 'file' to load data from a given file
    run-install-readers    This loads data using the command line argument 'readers' that takes a comma separated list of readers (seed, seed-initial, demo, ext, ext-test, ext-demo)
    run-install-seed       This loads ONLY the seed data (not seed-initial, demo, ext* or anything else); meant for use after an update of the code to reload the seed data as it is generally maintained along with the code and needs to be in sync for operation

It's not possible to handle a stupid/busy(?) admin who installs a production system with "run-install" and with default user passwords :-)

The best target for a non-demo system, for me, is "run-install-extseed": this loads custom data, but not _any_ default login data, including the default admin data. It means that after this it is not possible to log in to OFBiz in any way unless a super-user is included in the custom data or "create-admin-user-login" is run.

ya

On Mon, 2009-08-10 at 05:42 -0700, chris snow (JIRA) wrote:
> Attacker can access system with admin/ofbiz username/password.
>
> Perhaps run-install should prompt for a username and password for admin rather than just installing known passwords? That way if some forgets/doesn't know about ./ant create-admin-user-login, they won't have a vulnerable system.