db-derby-dev mailing list archives

From "Daniel John Debrunner (JIRA)" <derby-...@db.apache.org>
Subject [jira] Commented: (DERBY-1056) Print a security warning to derby.log and network server console if network server is started with -h 0.0.0.0 and security manager, user authentication, and encrypted userid are not on
Date Sun, 26 Feb 2006 17:54:04 GMT
    [ http://issues.apache.org/jira/browse/DERBY-1056?page=comments#action_12367842 ] 

Daniel John Debrunner commented on DERBY-1056:
----------------------------------------------

Should this warning also be generated when the server is listening on an address that is not localhost?

-h mymachine.mydomain.com


> Print a security warning to derby.log and network server console if network server is started with -h 0.0.0.0 and security manager, user authentication, and encrypted userid are not on
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>          Key: DERBY-1056
>          URL: http://issues.apache.org/jira/browse/DERBY-1056
>      Project: Derby
>         Type: Improvement
>   Components: Network Server, Security
>     Reporter: Kathey Marsden
>      Fix For: 10.2.0.0

>
> Information and questions from the user list seem to indicate that often users start network server with the -h 0.0.0.0 option without taking proper security measures. I think it would be worthwhile to print a security warning to the console and derby.log if network server is started without the proper security in place.
> Serious security issues exist when starting network server with the -h 0.0.0.0 option unless users
> - Run in security manager with permissions restricted as much as possible.
> - Enable user authentication
> - Use encrypted userid/password (Currently only available with IBMJCE)
> Even when started with the localhost default there can be security issues if the machine itself is not secure.
> An example of such an attack might include creating databases until the host machine disk filled up, deleting all user data etc.
> Related issues:
> DERBY-65
> DERBY-474
> DERBY-528
> DERBY-962

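As an added example (not Derby's own code), the check such a startup warning would need, written in Python rather than Java: it reads the `-h` host and a derby.properties fragment and reports which of the three measures listed in the issue are missing, and it treats any non-loopback address, not only 0.0.0.0, as a trigger, as the comment above asks. The property names `derby.connection.requireAuthentication` and `derby.drda.securityMechanism` are assumed from the Derby server guide, and the sample properties are constructed.

```python
import ipaddress
from typing import Dict, List, Optional

# Derby property names as I know them from the server guide; treat them as an assumption.
AUTH_KEY = "derby.connection.requireAuthentication"
MECH_KEY = "derby.drda.securityMechanism"
ENCRYPTED_MECH = "ENCRYPTED_USER_AND_PASSWORD_SECURITY"

# Constructed derby.properties: authentication on, but no encrypted mechanism required.
SAMPLE_PROPERTIES = "derby.connection.requireAuthentication=true\n# no securityMechanism set\n"


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: key=value or key:value, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, val = line.partition("=" if "=" in line else ":")
        props[key.strip()] = val.strip()
    return props


def listens_beyond_localhost(host: str) -> bool:
    """True for -h 0.0.0.0 and, as the comment above asks, for any non-loopback address."""
    if host.lower() == "localhost":
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # a DNS name such as mymachine.mydomain.com is reachable from outside


def security_gaps(props: Dict[str, str], security_manager_on: bool) -> List[str]:
    """Missing measures from the issue's list; an empty list means nothing to warn about."""
    gaps = []
    if not security_manager_on:
        gaps.append("no security manager installed")
    if props.get(AUTH_KEY, "false").lower() != "true":
        gaps.append(AUTH_KEY + " is not true")
    if props.get(MECH_KEY) != ENCRYPTED_MECH:
        gaps.append(MECH_KEY + " does not require encrypted userid/password")
    return gaps


def startup_warning(host: str, props: Dict[str, str], security_manager_on: bool) -> Optional[str]:
    """Text to log to derby.log and the console, or None when no warning is warranted."""
    gaps = security_gaps(props, security_manager_on) if listens_beyond_localhost(host) else []
    if not gaps:
        return None
    return "WARNING: network server listens on %s without: %s" % (host, "; ".join(gaps))
```

The `security_manager_on` flag stands in for what the server would read from `System.getSecurityManager()` at startup.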

