Return-Path: Delivered-To: apmail-db-derby-dev-archive@www.apache.org Received: (qmail 21347 invoked from network); 27 Feb 2006 19:44:29 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 27 Feb 2006 19:44:29 -0000 Received: (qmail 14844 invoked by uid 500); 27 Feb 2006 19:44:27 -0000 Delivered-To: apmail-db-derby-dev-archive@db.apache.org Received: (qmail 14794 invoked by uid 500); 27 Feb 2006 19:44:27 -0000 Mailing-List: contact derby-dev-help@db.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: Delivered-To: mailing list derby-dev@db.apache.org Received: (qmail 14778 invoked by uid 99); 27 Feb 2006 19:44:26 -0000 X-ASF-Spam-Status: No, hits=1.3 required=10.0 tests=SPF_FAIL X-Spam-Check-By: apache.org Received: from [192.87.106.226] (HELO ajax.apache.org) (192.87.106.226) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 27 Feb 2006 11:44:14 -0800 Received: from ajax.apache.org (ajax.apache.org [127.0.0.1]) by ajax.apache.org (Postfix) with ESMTP id 869C2199 for ; Mon, 27 Feb 2006 20:43:46 +0100 (CET) Message-ID: <1824546535.1141069426549.JavaMail.jira@ajax.apache.org> Date: Mon, 27 Feb 2006 20:43:46 +0100 (CET) From: "Kathey Marsden (JIRA)" To: derby-dev@db.apache.org Subject: [jira] Commented: (DERBY-1056) Print a security warning to derby.log and network server console if network server is started with remote connections enabled and security manager, user authentication, and ecrypted userid are not on In-Reply-To: <1804516947.1140974634647.JavaMail.jira@ajax.apache.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N [ http://issues.apache.org/jira/browse/DERBY-1056?page=comments#action_12368012 ] Kathey Marsden commented on DERBY-1056: --------------------------------------- That sounds good as at least that would be a clear issue. I think also as you say it would be good to explore this scenario more fully to see if security manager would also be needed in such a scenario. Enabling such a warning would make DERBY-474 all the more important as users are bound to have questions once the warning starts showing up. > Print a security warning to derby.log and network server console if network server is started with remote connections enabled and security manager, user authentication, and ecrypted userid are not on > ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- > > Key: DERBY-1056 > URL: http://issues.apache.org/jira/browse/DERBY-1056 > Project: Derby > Type: Improvement > Components: Network Server, Security > Reporter: Kathey Marsden > Fix For: 10.2.0.0 > > Information and questions from the user list seem to indicate that often users enable remote connections by starting network server with the -h 0.0.0.0 or -h option without taking proper security measures. I think it would be worthwhile to print a security warning the console and derby.log if network server is starated without the proper security in place. > Serious security issues exist when starting network server and allowing remote connections unless users: > - Run in security manager with permissions restricted as much as possible. > - Enable user authentication > - Use encrypted userid/password (Currently only available with IBMJCE) > - Maybe also print a warning if bootPassword is sent in the connectionAttributes, since this cannot be encrypted. (I had thought there was a jira issue for this but can't find it.) > An example of such an attack might include creating databases until the host machine disk filled up, deleting all user data etc. > Related issues: > DERBY-65 > DERBY-474 > DERBY -528 > DERBY-962 -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira