From: "Kathey Marsden (JIRA)"
To: derby-dev@db.apache.org
Date: Sun, 26 Feb 2006 19:49:06 +0100 (CET)
Message-ID: <602404441.1140979746021.JavaMail.jira@ajax.apache.org>
In-Reply-To: <1804516947.1140974634647.JavaMail.jira@ajax.apache.org>
Subject: [jira] Updated: (DERBY-1056) Print a security warning to derby.log and network server console if network server is started with remote connections enabled and security manager, user authentication, and encrypted userid are not on

[ http://issues.apache.org/jira/browse/DERBY-1056?page=all ]

Kathey Marsden updated DERBY-1056:
----------------------------------

Summary: Print a security warning to derby.log and network server console if network server is started with remote connections enabled and security manager, user authentication, and encrypted userid are not on
(was: Print a security warning to derby.log and network server console if network server is started with -h 0.0.0.0 and security manager, user authentication, and encrypted userid are not on)

Description:
Information and questions from the user list seem to indicate that often users enable remote connections by starting network server with the -h 0.0.0.0 or -h option without taking proper security measures. I think it would be worthwhile to print a security warning to the console and derby.log if network server is started without the proper security in place.

Serious security issues exist when starting network server and allowing remote connections unless users:
- Run in security manager with permissions restricted as much as possible.
- Enable user authentication
- Use encrypted userid/password (Currently only available with IBMJCE)
- Maybe also print a warning if bootPassword is sent in the connectionAttributes, since this cannot be encrypted. (I had thought there was a jira issue for this but can't find it.)

Even when started with the localhost default there can be security issues if the machine itself is not secure. An example of such an attack might include creating databases until the host machine disk filled up, deleting all user data etc.

Related issues:
DERBY-65
DERBY-474
DERBY-528
DERBY-962

was:
Information and questions from the user list seem to indicate that often users start network server with the -h 0.0.0.0 option without taking proper security measures. I think it would be worthwhile to print a security warning to the console and derby.log if network server is started without the proper security in place.

Serious security issues exist when starting network server with the -h 0.0.0.0 option unless users
- Run in security manager with permissions restricted as much as possible.
- Enable user authentication
- Use encrypted userid/password (Currently only available with IBMJCE)

Even when started with the localhost default there can be security issues if the machine itself is not secure. An example of such an attack might include creating databases until the host machine disk filled up, deleting all user data etc.

Related issues:
DERBY-65
DERBY-474
DERBY-528
DERBY-962

Dan pointed out that this needs to print when remote connections are enabled with -h as well, so changing the title. I also thought of one other warning needed if bootPassword is passed in the connection attributes, so added that to the description.

Also Dan asked me to elaborate about security issues when Network Server is started on localhost. Mostly these arise from shared machines where users do not trust each other; for example, the District Attorney and the Public Defender share a machine and have separate databases, but these are accessed through network server. The same risks apply because the users of the machine do not trust each other. The D.A. might set up his database and user authentication for the database and think he is all set, but really the password is being sent CLEAR_TEXT and the public defender might be able to gain access. The D.A. might even think he could set up a bootPassword, but that has two problems: 1) the bootPassword is sent in the connection attributes and so is always sent clear text, and 2) once the database is booted the public defender has access. Perhaps this type of risk is just obvious, but because we don't start up with connections restricted in any way as they might be with other database servers, users may not realize the risk.

Some of these issues were discussed in this thread:
http://www.nabble.com/DRDA-Password-Encryption-%28SECMEC_EUSRIDPWD-and-SECMEC_USRENCPWD%29-t80296.html#a24266

At that time David suggested making a top level Client/Server Security Issue, which is not a bad idea, but we actually have not had much luck executing on other such important top level issues as DERBY-310 and DERBY-209. Since this one is security it might gain more attention. I don't know.

> Print a security warning to derby.log and network server console if network server is started with remote connections enabled and security manager, user authentication, and encrypted userid are not on
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: DERBY-1056
> URL: http://issues.apache.org/jira/browse/DERBY-1056
> Project: Derby
> Type: Improvement
> Components: Network Server, Security
> Reporter: Kathey Marsden
> Fix For: 10.2.0.0
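As an added illustration (not Derby's code and not a patch for this issue), a hypothetical Java startup check that applies the conditions Kathey lists: it warns about the missing safeguards only when the -h value reaches beyond loopback, and separately flags a bootPassword in the connection attributes because that value is never encrypted. The property names derby.connection.requireAuthentication and derby.drda.securityMechanism, the value ENCRYPTED_USER_AND_PASSWORD_SECURITY and the class name are assumptions.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;
// Hypothetical startup check modelled on the conditions listed in DERBY-1056.
// Added example, not Derby's code; the property names below are assumptions.
public final class StartupSecurityCheck {
    static final String AUTH_PROP = "derby.connection.requireAuthentication";
    static final String SECMEC_PROP = "derby.drda.securityMechanism";
    // True when the -h value (or derby.drda.host) accepts connections from other hosts.
    static boolean remoteConnectionsEnabled(String host) {
        if (host == null || host.isEmpty() || host.equalsIgnoreCase("localhost")) {
            return false;                       // Derby's default: loopback only
        }
        try {
            InetAddress a = InetAddress.getByName(host);
            return a.isAnyLocalAddress() || !a.isLoopbackAddress(); // 0.0.0.0 or a NIC address
        } catch (UnknownHostException e) {
            return true;                        // unresolvable name: warn rather than stay silent
        }
    }
    // The warnings the issue proposes for the console and derby.log.
    static List<String> warnings(String host, boolean securityManagerOn,
                                 String requireAuth, String secMec, String connAttrs) {
        List<String> w = new ArrayList<String>();
        if (remoteConnectionsEnabled(host)) {
            if (!securityManagerOn) w.add("no Java security manager is installed");
            if (!"true".equalsIgnoreCase(requireAuth)) w.add("user authentication is off (" + AUTH_PROP + ")");
            if (!"ENCRYPTED_USER_AND_PASSWORD_SECURITY".equals(secMec))
                w.add("userid/password are not sent encrypted (" + SECMEC_PROP + ")");
        }
        // bootPassword rides in the connection attributes, which are never encrypted
        if (connAttrs != null) {
            for (String attr : connAttrs.split(";")) {
                if (attr.split("=", 2)[0].trim().equalsIgnoreCase("bootPassword")) {
                    w.add("bootPassword in connectionAttributes is sent in clear text");
                }
            }
        }
        return w;
    }
    public static void main(String[] args) {
        // Constructed sample: -h 0.0.0.0 with none of the safeguards, plus a bootPassword
        List<String> w = warnings("0.0.0.0", System.getSecurityManager() != null,
                System.getProperty(AUTH_PROP), System.getProperty(SECMEC_PROP),
                "bootPassword=secret;create=true");
        for (String s : w) System.err.println("SECURITY WARNING: " + s);
    }
}
```

Run without a security manager or the two properties set, the sample prints all four warnings; with -h localhost only the bootPassword warning remains.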