Admin passwd in cleartext in configuration file #194

New Issue

Closed

opened 2025-11-13 11:52:34 -06:00 by GiteaMirror · 5 comments

GiteaMirror commented 2025-11-13 11:52:34 -06:00

Owner

Copy Link

Originally created by @M3rcur-x on GitHub (Mar 30, 2025).

Hi,

I just setup Pangolin on my VPS and the password of my admin user is available in cleartext in the configuration file of Pangolin (config/config.yml, users -> server_admin).

Why it isn't hashed ? While this account is also stored hashed in DB.

Originally created by @M3rcur-x on GitHub (Mar 30, 2025). Hi, I just setup Pangolin on my VPS and the password of my admin user is available in cleartext in the configuration file of Pangolin (config/config.yml, users -> server_admin). Why it isn't hashed ? While this account is also stored hashed in DB.

GiteaMirror closed this issue 2025-11-13 11:52:34 -06:00

GiteaMirror commented 2025-11-13 11:52:35 -06:00

Author

Owner

Copy Link

@miloschwartz commented on GitHub (Mar 30, 2025):

The admin password is hashed before being entered into the database. You can set the password with an environment variable if you'd prefer USERS_SERVERADMIN_PASSWORD. This would let you pull from a secrets manager store.

@miloschwartz commented on GitHub (Mar 30, 2025): The admin password is hashed before being entered into the database. You can set the password with an environment variable if you'd prefer `USERS_SERVERADMIN_PASSWORD`. This would let you pull from a secrets manager store.

GiteaMirror commented 2025-11-13 11:52:35 -06:00

Author

Owner

Copy Link

@M3rcur-x commented on GitHub (Mar 30, 2025):

I agree but there is no reason to store it in cleartext in this file after using Pangolin installer.

@M3rcur-x commented on GitHub (Mar 30, 2025): I agree but there is no reason to store it in cleartext in this file after using Pangolin installer.

GiteaMirror commented 2025-11-13 11:52:35 -06:00

Author

Owner

Copy Link

@miloschwartz commented on GitHub (Mar 30, 2025):

Every time the server starts it copies the password into the database which lets the server admin rotate the password so they don't get locked out.

@miloschwartz commented on GitHub (Mar 30, 2025): Every time the server starts it copies the password into the database which lets the server admin rotate the password so they don't get locked out.

GiteaMirror commented 2025-11-13 11:52:36 -06:00

Author

Owner

Copy Link

@M3rcur-x commented on GitHub (Mar 30, 2025):

This field should be empty by default. The server can check and rotate this password (then delete it) if set after each start.
I understand the purpose of this field but this is a security issue to store a password like this. (even if it readable only by root)

@M3rcur-x commented on GitHub (Mar 30, 2025): This field should be empty by default. The server can check and rotate this password (then delete it) if set after each start. I understand the purpose of this field but this is a security issue to store a password like this. (even if it readable only by root)

GiteaMirror commented 2025-11-13 11:52:36 -06:00

Author

Owner

Copy Link

@tomasodehnal commented on GitHub (Apr 5, 2025):

I would like to argue in favor of starting Pangolin without password being present in clear-text in configuration or environment variable. If I would like to save myself from starting Pangolin manually, I would need to store the password on disk anyway, which I believe we should prevent.

I understood that the reason for requiring the password is a safeguard to prevent locking out of the administrator. I agree with @M3rcur-x - having the password (or even whole users section) optional would still allow me to override it via config or env var when needed. In normal circumstances only the hashed version would exist in the database.

@tomasodehnal commented on GitHub (Apr 5, 2025): I would like to argue in favor of starting Pangolin without password being present in clear-text in configuration or environment variable. If I would like to save myself from starting Pangolin manually, I would need to store the password on disk anyway, which I believe we should prevent. I understood that the reason for requiring the password is a safeguard to prevent locking out of the administrator. I agree with @M3rcur-x - having the password (or even whole `users` section) optional would still allow me to override it via config or env var when needed. In normal circumstances only the hashed version would exist in the database.

GiteaMirror referenced this issue 2025-11-13 12:11:11 -06:00

[PR #194] [MERGED] access control rules #800

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dependabot/npm_and_yarn/prod-minor-updates-47a8475ba0

dependabot/npm_and_yarn/dev-patch-updates-c4a0f28f13

dependabot/go_modules/install/minor-updates-a98db8910e

crowdin_dev

dev

delete-domains

dependabot/npm_and_yarn/eslint-10.0.3

dependabot/npm_and_yarn/next-16.1.6

dependabot/npm_and_yarn/recharts-3.7.0

dependabot/go_modules/install/github.com/charmbracelet/huh-1.0.0

dependabot/github_actions/docker/login-action-4.0.0

dependabot/github_actions/actions/setup-node-6.3.0

jit

msg-opt

dependabot/docker/docker/library/node-25-slim

dependabot/github_actions/actions/upload-artifact-7.0.0

dependabot/github_actions/actions/setup-go-6.3.0

cache

multi-role

logs-database

ssh

cloud-multi-org

delete-account

new-pricing

msg-delivery

org-only-idp

cicd

clients-user

1.12.3

policies

patch

site-targets-auto-login

1.16.2-s.7

1.16.2-s.6

1.16.2-s.5

1.16.2-s.4

1.16.2-s.3

1.16.2-s.2

1.16.2-s.1

1.16.2

1.16.2-s.0

1.16.1-s.1

1.16.1

1.16.1-s.0

1.16.0

1.16.0-s.1

1.16.0-s.0

1.16.0-rc.0

1.15.4-s.10

1.15.4-s.9

1.15.4-s.8

1.15.4-s.7

1.15.4-s.6

1.15.4-s.5

1.15.4-s.4

1.15.4-s.3

1.15.4-s.2

1.15.4-s.1

1.15.4

1.15.4-s.0

1.15.3

1.15.3-s.1

1.15.3-s.0

1.15.2

1.15.1-s.1

1.15.1-s.0

1.15.1

1.15.0-s.5

1.15.0

1.15.0-s.4

1.15.0-s.3

1.15.0-s.2

1.15.0-s.1

1.15.0-s.0

1.15.0-rc.0

1.14.1-s.3

1.14.1-s.2

1.14.1-s.1

1.14.1-s.0

1.14.1

1.14.0-s.2

1.14.0

1.14.0-rc.0

1.13.1

1.13.1-s.0

1.13.0

1.13.0.s.0

1.13.0-rc.0

1.12.2-s.5

1.12.3

1.12.2-s.4

1.12.2-s.3

1.12.2-s.2

1.12.2-s.1

1.12.2

1.12.2-s.0

1.12.1

1.12.0

1.12.0-s.0

1.12.0-rc.0

1.11.1

1.11.1-s.0

1.11.0-s.5

1.11.0

1.11.0-s.4

1.11.0-s.3

1.11.0-s.2

1.11.0-s.1

1.11.0-s.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#194