tomcat-users mailing list archives

From Ben Souther <bsout...@fwdco.com>
Subject Re: Security Hole - server.xml
Date Wed, 26 Nov 2003 14:09:29 GMT
If a hacker gets root privileges, the username and password for tomcat are
the least of your concerns.



On Wednesday 26 November 2003 08:53 am, Curley, Thomas wrote:
> I'd feel more secure with an MD5 or SHA1 encrypted user and password than
> relying on unix file level security - what happens if a hacker gets root
> priv's?
>
> thanks
>
> Thomas
>
> -----Original Message-----
> From: Tim Funk [mailto:funkman@joedog.org]
> Sent: 26 November 2003 13:51
> To: Tomcat Users List
> Subject: Re: Security Hole - server.xml
>
>
> The username and password still need to be decrypted at some time. It just
> makes the attacker jump through 1 hoop.
>
> Using file permissions on the config file as well and server security are
> the ways to go.
>
> -Tim
>
> Curley, Thomas wrote:
> > Hi all,
> >
> > A direct question arising from a security review :-
> >
> >  Using a datasource it is possible to remove the 'username', 'password'
> > or at least encrypt them using something like MD5
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>

-- 
Ben Souther
F.W. Davison & Company, Inc.
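
The file-permission approach recommended in the quoted reply can be checked mechanically. The script below is an added example, not part of this thread and not Tomcat's own tooling; the function names are hypothetical, and the sample server.xml, resource name and password value are constructed.

```sh
#!/bin/sh
# Added example: flag a server.xml that holds a cleartext datasource password
# while being accessible to anyone other than its owner.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 0 if the file carries a password="..." attribute or a
# <name>password</name> parameter (the older ResourceParams layout).
has_cleartext_password() {
    grep -Eiq 'password[[:space:]]*=[[:space:]]*"[^"]+"|<name>[[:space:]]*password[[:space:]]*</name>' "$1"
}

# 0 if group and other have no read/write/execute bits (600, 400, ...).
owner_only() {
    mode=$(file_mode "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Print one verdict line; return 0 = acceptable, 1 = exposed, 2 = not a file.
audit_server_xml() {
    [ -f "$1" ] || { echo "MISSING $1"; return 2; }
    has_cleartext_password "$1" || { echo "OK no cleartext password in $1"; return 0; }
    if owner_only "$1"; then
        echo "OK password present, mode $(file_mode "$1") is owner-only"
        return 0
    fi
    echo "FAIL password present, mode $(file_mode "$1") lets group/other access $1"
    return 1
}

# Constructed sample input (not from the thread): a minimal datasource entry.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/server.xml" <<'EOF'
<Resource name="jdbc/ExampleDB" type="javax.sql.DataSource"
          username="appuser" password="constructed-secret"/>
EOF
    chmod 644 "$dir/server.xml"; audit_server_xml "$dir/server.xml" || true
    chmod 600 "$dir/server.xml"; audit_server_xml "$dir/server.xml" || true
    rm -rf "$dir"
}
demo
```

The check covers only the file mode; ownership by the account that runs Tomcat and the permissions of the enclosing conf directory need the same review.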




