db-derby-dev mailing list archives

From Daniel John Debrunner <...@apache.org>
Subject Re: broken network startup scripts
Date Tue, 27 Feb 2007 19:55:33 GMT
Andrew McIntyre wrote:
> On 2/27/07, Rick Hillegas <Richard.Hillegas@sun.com> wrote:
>>
>> Thanks for the quick response, Andrew. If we go with (4), then we have
>> to change our attitude about the startup scripts. Right now they work
>> out-of-the-box. With approach (4), they no longer work out-of-the-box.
>> Instead, they are templates which have to be customized.
> 
> Is adding an argument to the invocation of a script customizing a
> template? The script itself need not be edited to start up the server.
> Also, as of the moment, I believe this only affects the
> startNetworkServer scripts, or did I miss something?
> 
>> It would be nice to tell customers how to do this. What do you think:
>> should we document this:
>>
>> a) in comments in the scripts themselves
>> b) in the Admin Guide
>> c) in the Getting Started Guide
>> d) all of the above
>> e) something else
> 
> Since I've had some time to think about it a little more, I'd vote for
> (e): (d) and make the script(s) smarter. e.g. if no arguments were
> given to the script and the startNetworkServer initially fails to
> start the network server, detect the exit code of 1, print a LOUD
> warning, and start the server up with the -noSecurityManager flag.
> Still starts the network server up with the behavior of the previous
> release, and warns them that the server they just started up is
> insecure. What do you think?

I think just allowing the script to accept the -noSecurityManager flag 
is enough. Booting with no security when the user was expecting security 
seems like a huge problem to me. There's a very good chance that the 
startup is automated and no-one notices the server is being booted 
without security.

I think some of this goes back to no good definition of what 
"secure-by-default" means. Without a good definition it's hard to make a 
decision as to whether a behaviour achieves the desired goal.

The original discussion has this phrase:

"... system/database owners are trusting the database system to ensure 
that their system cannot be attacked."

For example, I was thinking that maybe if the server was only listening 
on localhost/127.0.0.1 then there's no need to install a security 
manager. But how does that fit into various people's concept of secure 
by default?

Dan.
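The two wrapper behaviours argued over in this thread, side by side, as an added example. This is not the Derby project's startNetworkServer script; it assumes, as the thread states, that the real launcher exits 1 when it cannot come up with a security manager and that -noSecurityManager is the opt-out flag, and it further assumes that -h <host> selects the listen address with localhost as the default. launch_server is a stand-in for the real launcher so the script runs offline.

```shell
#!/bin/sh
# Added example, not the Derby project's startNetworkServer script. It models
# the two wrapper behaviours discussed in the thread. Assumptions: the real
# launcher exits 1 when it cannot start with a security manager (as the
# thread says), -noSecurityManager is the opt-out flag, and -h <host>
# selects the listen address with localhost as the default. launch_server
# below is a stand-in for the real launcher so the script runs offline.

launch_server() {
    # Stand-in launcher: "starts" insecurely if the operator opted out,
    # securely if a policy file exists, otherwise fails with exit 1.
    for arg in "$@"; do
        [ "$arg" = "-noSecurityManager" ] && { echo "started WITHOUT security manager"; return 0; }
    done
    [ -f "${DERBY_SECURITY_POLICY:-./derby.policy}" ] && { echo "started with security manager"; return 0; }
    echo "launcher: could not install the security manager (exit 1)" >&2
    return 1
}

# Andrew's proposal: if the script got no arguments and the launch exits 1,
# print a loud warning and retry without the security manager. The server
# comes up, but the downgrade is decided by the script, not the operator,
# and under automation the warning lands in a log nobody reads.
start_with_fallback() {
    rc=0
    launch_server "$@" || rc=$?
    if [ "$rc" -eq 1 ] && [ $# -eq 0 ]; then
        echo "*** WARNING: security manager could not be installed; starting WITHOUT it ***" >&2
        rc=0
        launch_server -noSecurityManager || rc=$?
    fi
    return "$rc"
}

# Dan's position: accept -noSecurityManager and nothing more. A launch that
# fails stays failed, so an automated start that loses its security manager
# is noticed (the service is down) instead of silently running insecure.
start_explicit() {
    for arg in "$@"; do
        if [ "$arg" = "-noSecurityManager" ]; then
            if listening_on_loopback "$@"; then
                echo "note: running without a security manager on the loopback interface only" >&2
            else
                echo "*** WARNING: -noSecurityManager on a non-loopback address ***" >&2
            fi
        fi
    done
    launch_server "$@"
}

# Dan's open question, as one concrete rule: is the server reachable only via
# loopback? Scans for -h <host>; no -h means the assumed default, localhost.
listening_on_loopback() {
    host=localhost
    while [ $# -gt 0 ]; do
        if [ "$1" = "-h" ] && [ $# -gt 1 ]; then
            host=$2
            shift
        fi
        shift
    done
    case "$host" in
        localhost|127.0.0.1|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo run in a constructed environment: no policy file, so launches fail.
DERBY_SECURITY_POLICY=/nonexistent/derby.policy
echo "--- fallback wrapper, no arguments ---"
start_with_fallback || echo "exit status $?"
echo "--- explicit wrapper, no arguments ---"
start_explicit || echo "exit status $?"
echo "--- explicit wrapper, operator opted out on all interfaces ---"
start_explicit -noSecurityManager -h 0.0.0.0 || echo "exit status $?"
```

Run as plain sh. The point the demo makes is the one Dan raises: with no policy file, start_with_fallback reports a running server while start_explicit reports a failed start, and only the second outcome is visible to whatever automation invoked the script. The loopback check is a sketch of the "localhost only" idea, not a claim that such a server is safe; it still warns rather than silently dropping the security manager.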


