Hi, Does anyone know why the db_password in file "/home/admispconfig/ispconfig/lib/config.inc.php" is written in clear text? Is that not a security problem? /Qrup
How shall ISPConfig connect to the database without a password It is no security problem, the file is only accessible by the admispconfig user.
md5 is a hash value that can be used to cross check if a password has been written correctly. But a program would still need a password in clear text to generate the md5 hash value. So there is now way around a clear text password. Just be sure that the reading permission for the specific file or folder are set right.
Thats exactly the problem. Even if we encrypt the mysql password with a reversible encryption algorithm, we will have to store the password for this encryption anywhere in cleartext. So this wont add any additional security.
config.inc.php has permissions of 600 and is owned by admispconfig, so that is the only user that can read the file.
