[SOLVED] PostgreSQL password change - WAPT
Published: April 7, 2024 - 5:05 PM
by Tchoko
Hello,
With the default WAPT 2.5 installation, there is no password for the postgres and wapt users.
For security reasons, I want to change the password, but the change isn't taking effect.
Here's the procedure I followed:
connecting to the database: `.\psql.exe -U postgres -d wapt`
changing the password: `\password wapt` and `\password postgres`
logging out and attempting to log in, but the password isn't always requested.
If the password is required, it will need to be entered, according to my research, in the file `C:\wapt\waptserver\waptserver.ini`. In this case, how could I encrypt the password to prevent leaks or for security reasons?
Re: PostgreSQL password change - WAPT
Published: April 8, 2024 - 10:35 AM
by dcardon
Hello Tchoko,
Tchoko wrote: ↑Apr 7, 2024 - 5:05 PM
With the default WAPT 2.5 installation, there is no password for the postgres and wapt user.
For security reasons, I want to change the password, but the change is not taking effect.
version, os, etc. (see forum rules above)
Procedure I followed:
connection to the database: .\psql.exe -U postgres -d wapt
change of password: \password wapt and \password postgres
disconnection and attempted connection but the password is not always requested.
It's a standard PostgreSQL installation; I think you should look at the pg_hba file, etc. It's not a WAPT issue per se.
If the password is compromised, it will need to be entered, according to my research, in the file C:\wapt\waptserver\waptserver.ini. In that case, how could the password be encrypted to prevent leaks or for security reasons?
If there's a password on the PostgreSQL database, it must be included in the configuration file. If you want to encrypt the password in the configuration file, you'll then need a separate password somewhere to decrypt the configuration file when the service starts. And if you want the service to start automatically at boot, the decryption password will itself be readable, so you're just shifting the problem...
The WAPT server must be installed on a machine dedicated to it. The WAPT server is configured to listen only locally (under Linux, it only listens via Unix sockets with `auth ident`). Therefore, if your Postgres database is accessed, your server is already compromised. This might be useful for in-depth security, but in practice, it's overkill for the vast majority of use cases (unless you're willing to enter a password every time you start the server, the disk is encrypted, etc.).
And the first thing to do to have a more easily secure environment is to switch to a Linux server.

...
Sincerely,
Denis
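Added example, not part of the thread and not WAPT or PostgreSQL project code: a Python check of the pg_hba point raised in the reply above. PostgreSQL applies the first `pg_hba.conf` rule that matches a connection, so a `trust` rule placed ahead of a password rule means no prompt even after `\password`; the sample file and function names are constructed, and whether a given install contains such a rule is an assumption to verify on the server.

```python
import ipaddress

# Constructed sample pg_hba.conf for illustration; not copied from a WAPT install.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS        METHOD
host    all       all       127.0.0.1/32   trust
host    all       all       ::1/128        trust
host    wapt      wapt      127.0.0.1/32   scram-sha-256
host    all       postgres  10.0.0.0/8     scram-sha-256
"""

def parse_rules(text):
    """Return host* rules as (lineno, database, user, network, method)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        # Assumption: TCP rules in CIDR form only. 'local' lines, separate
        # netmask columns, hostnames and quoted names are skipped.
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue
        try:
            net = ipaddress.ip_network(fields[3], strict=False)
        except ValueError:
            continue
        rules.append((lineno, fields[1], fields[2], net, fields[4]))
    return rules

def effective_rule(text, database, user, client_ip):
    """Return (lineno, method) of the first matching rule, as the server does."""
    ip = ipaddress.ip_address(client_ip)
    for lineno, db, usr, net, method in parse_rules(text):
        db_ok = db == "all" or database in db.split(",")
        user_ok = usr == "all" or user in usr.split(",")
        if db_ok and user_ok and ip.version == net.version and ip in net:
            return lineno, method
    return None  # no rule matches: the connection is rejected

def asks_for_password(method):
    """True only for the methods that make the client send a password."""
    return method in {"scram-sha-256", "md5", "password"}

if __name__ == "__main__":
    for args in [("wapt", "wapt", "127.0.0.1"), ("wapt", "postgres", "10.1.2.3")]:
        lineno, method = effective_rule(SAMPLE_PG_HBA, *args)
        print(args, "-> line", lineno, method, "password:", asks_for_password(method))
```

In the sample, the `scram-sha-256` rule for `wapt` on 127.0.0.1 is never reached because the `trust` rule above it matches first; reordering or replacing the `trust` lines and reloading PostgreSQL is what makes the new password effective.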
Re: PostgreSQL password change - WAPT
Published: April 16, 2024 - 5:02 PM
by Tchoko
Hello,
I understand this is a database-specific problem, but since it's a package integrated into the WAPT software, I thought it might be something you're familiar with and could help me.
In that case, you can close the thread.
Re: PostgreSQL password change - WAPT
Published: April 17, 2024 - 9:40 AM
by dcardon
Hello Tchoko,
Thank you for the feedback. I'm marking the topic as RESOLVED. In my opinion, using a password for the PostgreSQL database only makes sense if the database is hosted on a separate machine (a fairly rare occurrence).
Regards,
Denis