[Archivesspace_Users_Group] Turn off Logging of db username and password

Chris Fitzpatrick Chris.Fitzpatrick at lyrasis.org
Tue Aug 11 05:51:47 EDT 2015


Hi Joshua,


Agreed that the password should be removed from the URL being printed to the log.


The config.rb file is a Ruby file that's interpreted by the application. So if you don't want the password stored in this file as text, you can always do something like store it in an environment variable, encrypt it, or store it in a file in another location. You should also lock down the file-level permissions on the application, and you can also lock down access to MySQL to only allow specific users from specific IPs.


b,chris.


Chris Fitzpatrick | Developer, ArchivesSpace
Skype: chrisfitzpat  | Phone: 918.236.6048
http://archivesspace.org/


________________________________
From: archivesspace_users_group-bounces at lyralists.lyrasis.org <archivesspace_users_group-bounces at lyralists.lyrasis.org> on behalf of Joshua D. Shaw <Joshua.D.Shaw at dartmouth.edu>
Sent: Thursday, August 6, 2015 8:09 PM
To: Archivesspace Users Group
Subject: [Archivesspace_Users_Group] Turn off Logging of db username and password

Does anyone know of a way to turn off the logging of the MySQL database username and password in the output log? I've set my log level to "fatal" in the config file, but I still see the username and password. I'd love to know if there's a way to remove this as it's (potentially) another security hole - along with having the username and password in clear text in the config file.

Thanks!
Joshua
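
An added example, not part of either message and not ArchivesSpace code, of the two ideas in this thread: building the JDBC URL from environment variables instead of a literal in config.rb, and masking credentials before a URL is written to a log. The environment variable names, helper names, port, and database name are assumptions made for the example.

```ruby
require 'uri'

# Query parameters whose values must never reach a log line.
SENSITIVE_PARAMS = %w[user password].freeze

# Build a JDBC MySQL URL from the environment (variable names are assumptions).
# fetch without a default raises KeyError, so a missing secret stops startup
# instead of silently falling back to a blank or default password.
def db_url_from_env(env = ENV)
  host  = env.fetch('ASPACE_DB_HOST', 'localhost')
  query = URI.encode_www_form({
    'user'              => env.fetch('ASPACE_DB_USER'),
    'password'          => env.fetch('ASPACE_DB_PASSWORD'),
    'useUnicode'        => 'true',
    'characterEncoding' => 'UTF-8'
  })
  "jdbc:mysql://#{host}:3306/archivesspace?#{query}"
end

# Return a copy of the URL that is safe to log: sensitive values are masked,
# everything else is left as-is so the line is still useful for debugging.
def redact_db_url(url)
  base, query = url.split('?', 2)
  return url if query.nil?

  masked = query.split('&').map do |pair|
    key, _value = pair.split('=', 2)
    SENSITIVE_PARAMS.include?(key.to_s.downcase) ? "#{key}=[REDACTED]" : pair
  end
  "#{base}?#{masked.join('&')}"
end

# Constructed sample environment; in config.rb the built URL would be
# assigned to AppConfig[:db_url] and only the redacted form ever logged.
sample_env = { 'ASPACE_DB_USER' => 'as', 'ASPACE_DB_PASSWORD' => 'p@ss&word=1' }
puts "Connecting to database: #{redact_db_url(db_url_from_env(sample_env))}"
```

The process environment is itself readable by the account running the application and by root, so this complements the file-permission and MySQL host restrictions mentioned above rather than replacing them.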