Channel: Kaltura - Latest posts

Passwords (root or other) should never be saved in a temp file or any other file unsecured


Thanks for the quick reply. I do understand the permission on the files is 600 and that is a good thing. However, my point is that never should a root password or admin password be recorded in this fashion, regardless of what software it is. It is a very bad habit to assume that the installer knows their data is stored in this fashion and to assume they have the knowledge and experience to know what to do with it in order to secure it.

There is no mention of what is in the file in the message during the config process, or that it needs to be secured in a safe place; it just says to save the file. Well, what if they save the file to root or some other place where it should not be? Yes, they should look to see what is in the file and remove the data, but again software developers are assuming too much about the user, and this is why the rule is that passwords, especially root, should never ever be stored in this way.

That's a lot like saying put the keys to your car above the visor but not advising the user of the potential risk of doing that. Not everyone that uses this software is a network admin or proficient enough to know these kinds of things. The fact that it's there and may be just sitting in that folder for a while or saved on the server somewhere leaves the door open for someone to go looking for it.

I understand that if someone can get to the file then the system has bigger issues to deal with, but what the software is doing is making it easier for them to get the information they need and providing an easier way to get it.

It's backwards thinking to say it's secured under 600 permission so we can put whatever we want in the file. That information should never ever be in a file regardless, in any format; this just gives malicious people another reason or incentive to attack a system.

If an admin wants to use the file to do a cluster or whatever then they can put the data back in for that run only. But having it just sitting out there on the server is not a good idea at all IMO.

I think that Kaltura software is good stuff and I know the market is in need of such software; however, doing things like this IMO may give the impression to someone that Kaltura is not security conscious in everything they do, which I'm sure is not the case.
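As an added example (not code from the poster or from Kaltura), here is one way to do what the post suggests: keep the saved answer file for a later run, but strip the credential values out of it once the install is done and confirm the file is owner-only. The KEY=VALUE layout, the key names and the sample contents are constructed assumptions, not Kaltura's real file format.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Assumption: keys whose name looks like a credential carry secrets. Not Kaltura's real key names.
SECRET_KEY_RE = re.compile(r"(pass(word)?|secret|token)", re.IGNORECASE)
REDACTED = "<REMOVED-AFTER-INSTALL>"

# Constructed sample answer file; the real installer output may differ.
SAMPLE = """# constructed sample answer file
DB1_HOST=localhost
DB1_USER=root
DB1_PASS=s3cret
ADMIN_CONSOLE_PASSWORD=admin123
SERVICE_URL=http://example.invalid
"""

def redact_answer_text(text):
    """Return (redacted_text, redacted_key_names) for KEY=VALUE content.
    Comments, blank lines and non-secret keys pass through untouched."""
    out, hit = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and "=" in stripped:
            key, value = stripped.split("=", 1)
            if SECRET_KEY_RE.search(key) and value.strip() and value.strip() != REDACTED:
                out.append(f"{key.strip()}={REDACTED}")
                hit.append(key.strip())
                continue
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), hit

def owner_only(path):
    """True when group and others have no permission bits (mode 600 or stricter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def scrub_answer_file(path):
    """Redact secrets in place and tighten the mode to 600; returns the redacted keys.
    Note: rewriting the file does not wipe the old bytes from the underlying disk."""
    p = Path(path)
    new_text, hit = redact_answer_text(p.read_text())
    if hit:
        p.write_text(new_text)
    os.chmod(p, 0o600)
    return hit

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".ini", delete=False) as f:
        f.write(SAMPLE)
    print("redacted:", scrub_answer_file(f.name), "owner-only:", owner_only(f.name))
    os.unlink(f.name)
```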
