tomcat-users mailing list archives

From Ben Ricker <bric...@wellinx.com>
Subject Re: Tomcat security?
Date Thu, 03 Jul 2003 20:09:32 GMT
Plus, if one runs as a non-privileged user account with no login
privileges (i.e., locked account) and your permissions are correct, then
only root and Tomcat can read the users file.

If the hacker has root, the tomcat users are the least of your worries.

Ben Ricker
Wellinx.com


On Thu, 2003-07-03 at 14:23, Nathan McMinn wrote:
> What do you mean "stored in the clear"?  Are you referring to
> tomcat-users.xml?  Personally, I use a MySQL database to hold auth
> information for a JDBC Realm, and store them digested.  As an additional
> layer of security, the user account that is used to access the DB for the
> realm is only granted read access and only to the required user and roles
> tables.
> 
> ----- Original Message -----
> From: "Mark W. Webb" <mark@dolphtech.com>
> To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> Sent: Thursday, July 03, 2003 1:55 PM
> Subject: Re: Tomcat security?
> 
> 
> > I can't believe that passwords for SSL are stored in the clear.  That
> > places all responsibility of security to the OS, which may not be a good
> > idea.  What happened to defense-in-depth ??
> >
> > Nathan McMinn wrote:
> >
> > >When was the last time Tomcat had a published exploit?
> > >
> > >On a related note, these kinds of "contests" are fairly common, and usually
> > >don't produce any kind of real activity.
> > >
> > >--Nathan
> > >
> > >----- Original Message -----
> > >From: "Eugene Lee" <list-tomcat-user@fsck.net>
> > >To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> > >Sent: Thursday, July 03, 2003 10:51 AM
> > >Subject: Tomcat security?
> > >
> > >>Anyone want to discuss hardening Tomcat servers?
> > >>
> > >>Hacking Contest Threatens Web Sites
> > >>
> > >>By George V. Hulme, InformationWeek
> > >>Updated Wednesday, July 2, 2003, 3:00 PM EDT
> > >>
> > >>A hacking contest slated for this weekend could produce a rash
> > >>of Web-site defacements worldwide, according to a warning issued
> > >>Wednesday by security companies and government Internet security
> > >>groups.  The hacker defacement contest is expected to kick off
> > >>on Sunday. The contest supposedly will award free hosting
> > >>services, Web mail, unlimited E-mail forwarding, and a domain
> > >>name of choice for the triumphant hackers, according to a Web
> > >>site promoting the contest.
> > >>
> > >>...
> > >>
> > >>More details at:
> > >>
> > >>http://www.internetweek.com/story/showArticle.jhtml?articleID=10818014
> > >>
> > >>
> > >>--
> > >>Eugene Lee
> > >>http://www.coxar.pwp.blueyonder.co.uk/
> > >>
> > >>---------------------------------------------------------------------
> > >>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > >>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> > >>
> >
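A small audit script for the two controls Ben and Nathan describe above (a users file readable only by root and the Tomcat service account, and a service account that is locked with no login shell), added here as an example and not taken from the thread; the file path, the mode values tried and the passwd/shadow lines are constructed samples, and a real audit would pass root's uid and the tomcat group's gid to `file_restricted()`.

```python
import os
import stat
import tempfile

def file_restricted(path, owner_uid, group_gid):
    """True if `path` (e.g. conf/tomcat-users.xml) is owned by owner_uid:group_gid,
    grants nothing to "other" and gives the group (the Tomcat account) read only."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != owner_uid or st.st_gid != group_gid:
        return False
    if mode & stat.S_IRWXO:                    # any "other" bit: world-readable
        return False
    if mode & (stat.S_IWGRP | stat.S_IXGRP):   # group may read, never write/exec
        return False
    return True

def account_locked(passwd_line, shadow_line):
    """Given the service account's /etc/passwd and /etc/shadow entries, confirm
    it has no interactive shell and a locked password field (no login possible)."""
    shell = passwd_line.rstrip("\n").split(":")[6]
    hashed = shadow_line.rstrip("\n").split(":")[1]
    no_login = os.path.basename(shell) in ("nologin", "false")
    locked = hashed in ("*", "!!") or hashed.startswith("!")
    return no_login and locked

def audit_sample(mode):
    """Create a throwaway users file with the given mode and check it. The file's
    own uid/gid stand in for root:tomcat here; pass the real ids in an audit."""
    fd, path = tempfile.mkstemp(suffix="-tomcat-users.xml")
    os.write(fd, b"<tomcat-users><user username='demo' password='x' roles='manager'/></tomcat-users>\n")
    os.close(fd)
    os.chmod(path, mode)
    try:
        st = os.stat(path)
        return file_restricted(path, st.st_uid, st.st_gid)
    finally:
        os.unlink(path)

# Constructed sample entries: a locked service account and a misconfigured one.
TOMCAT_PASSWD = "tomcat:x:1001:1001:Tomcat service:/opt/tomcat:/usr/sbin/nologin"
TOMCAT_SHADOW = "tomcat:!:19500:0:99999:7:::"
LOGIN_PASSWD = "tomcat:x:1001:1001:Tomcat service:/opt/tomcat:/bin/bash"
LOGIN_SHADOW = "tomcat:$6$constructedsalt$constructedhash:19500:0:99999:7:::"

if __name__ == "__main__":
    for m in (0o600, 0o640, 0o644, 0o660):
        print("mode %04o restricted: %s" % (m, audit_sample(m)))
    print("locked service account:", account_locked(TOMCAT_PASSWD, TOMCAT_SHADOW))
    print("login-capable account :", account_locked(LOGIN_PASSWD, LOGIN_SHADOW))
```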