db-derby-dev mailing list archives

From "Kathey Marsden (JIRA)" <derby-...@db.apache.org>
Subject [jira] Created: (DERBY-1056) Print a security warning to derby.log and network server console if network server is started with -h 0.0.0.0 and security manager, user authentication, and encrypted userid are not on
Date Sun, 26 Feb 2006 17:23:54 GMT
Print a security warning to derby.log and network server console if network server is started
with -h 0.0.0.0 and security manager, user authentication, and encrypted userid are not on
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

         Key: DERBY-1056
         URL: http://issues.apache.org/jira/browse/DERBY-1056
     Project: Derby
        Type: Improvement
  Components: Network Server, Security  
    Reporter: Kathey Marsden
     Fix For: 10.2.0.0


Information and questions from the user list seem to indicate that often users start network
server with the -h 0.0.0.0 option without taking proper security measures. I think it would
be worthwhile to print a security warning to the console and derby.log if network server is started
without the proper security in place.

Serious security issues exist when starting network server with the -h 0.0.0.0 option unless
users 

- Run in security manager with permissions restricted as much as possible.
- Enable user authentication
- Use encrypted userid/password (Currently only available with IBMJCE)

Even when started with the localhost default there can be security issues if the machine
itself is not secure.

An example of such an attack might include creating databases until the host machine disk
filled up, deleting all user data etc.

Related issues:
DERBY-65
DERBY-474
DERBY-528
DERBY-962





-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
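
The check requested in this issue can also be run from the outside, as a deployment audit. The following is an added example, not part of the original message or of Derby's code: it inspects a constructed start command and derby.properties text for the three protections listed above. The property names (derby.drda.host, derby.connection.requireAuthentication, derby.drda.securityMechanism, java.security.manager) are assumptions not quoted in the message.

```python
# Added example: audits a constructed start command and derby.properties text.
# Property names are standard Derby/JVM names, assumed here, not quoted on the page.
import shlex

def parse_properties(text):
    """Parse the plain key=value subset of a Java .properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(command, properties_text=""):
    """Return the warnings DERBY-1056 asks for, or [] when none apply."""
    argv = shlex.split(command)
    props = parse_properties(properties_text)
    for arg in argv:  # -Dname=value system properties override the file
        if arg.startswith("-D"):
            key, _, value = arg[2:].partition("=")
            props[key] = value
    host = props.get("derby.drda.host", "localhost")
    if "-h" in argv[:-1]:  # an explicit -h overrides the property
        host = argv[argv.index("-h") + 1]
    if host != "0.0.0.0":
        return []
    warnings = []
    # Presence only: how tightly the policy file is scoped needs manual review.
    if "java.security.manager" not in props:
        warnings.append("security manager not enabled")
    if props.get("derby.connection.requireAuthentication", "").lower() != "true":
        warnings.append("user authentication not enabled")
    if props.get("derby.drda.securityMechanism") != "ENCRYPTED_USER_AND_PASSWORD_SECURITY":
        warnings.append("encrypted userid/password not required")
    return warnings

if __name__ == "__main__":
    OPEN = "java org.apache.derby.drda.NetworkServerControl start -h 0.0.0.0"
    for warning in audit(OPEN):
        print("WARNING: listening on 0.0.0.0 and", warning)
```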

