[TYPO3-dev] admin -> BE -> Installtool: Drop the need for a password?
Martin Bless
m.bless at gmx.de
Tue Feb 23 18:54:35 CET 2010
[Martin Bless] wrote:
>As BE admin I hate the effort of creating ENABLE_INSTALL_TOOL and
>entering an often cryptic password.
>
>I'm wondering if there is a /conceptual/ reason why BE admins have to
>enter a password for the Install Tool when there is an open BE
>session?
>
>What do you think about it?
Thank you very much for sharing your opinion. Here's what I think
after reading your postings:
(1)
The current situation where BE admins have to create and enter the
Install Tool password creates the illusion of extra security but it's
only security by obscurity. I don't like it.
(2)
I know I can store my passwords safely on my computer. That's what I
do. But I hate to look them up over and over again. And I suspect
other people will as well. And then they are tempted to add the
KEEP_FILE line and to invent an easy Install Tool PW and so on. IMHO
that's what really leads to risks.
(3)
I know the Install Tool needs to be a standalone tool. But
nevertheless there may be an (easy?) way to bypass the file and
password checks IF I'm a logged in BE admin. I can't judge on this.
(4)
To clarify: I was asking for the /conceptual/ reason in contrast to
any technical reasons or difficulties of implementation as I can very
well imagine that it might be troublesome to implement. But maybe it
isn't.
(5)
I really liked the hint on symlinking the install dir. I like to have
the typo3_src out of the webroot anyway. This reminded me of making
sure that the webserver has only read access there. Maybe I'll prefer
to put an appropriate .htaccess file there. That way we really have
an extra level of security as you have to have access to the server.
And yes, I still think these thoughts are reason enough to think about
it.
Have a nice day!
Martin
--
http://mbless.de