tomcat-users mailing list archives

From Ronald Klop <ronald-mailingl...@base.nl>
Subject Re: running tomcat6 under a different user than root (debian)
Date Fri, 29 Oct 2010 13:53:16 GMT
If you have a webapp where users log in you can use their login/password to log in to the database.
A little bit inconvenient for the DBA, but you don't have passwords on your servers.

Ronald.


Op vrijdag, 29 oktober 2010 15:42 schreef Rainer Frey <rainer.frey@inxmail.de>:
> 
>  
> On Friday 29 October 2010 15:34:29 Mark Thomas wrote:
> > If Tomcat has access to a database and the attacker has access to a
> > shell prompt (or similar) with the same privileges as Tomcat then the
> > attacker has access to the database and there is absolutely nothing you
> > can do to prevent that.
> 
> In theory, there is a way Tomcat could implement. You could interactively ask 
> for all needed passwords when starting Tomcat and keep them only in memory. 
> httpd does that by default for encrypted SSL primary keys. But in practice the 
> userbase that would accept the inconvenience and the impossibility of 
> automatically starting tomcat would be too small to spend time on that. And the 
> practical security gain is small.
> 
> > Mark
> 
> Rainer
> 
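The pattern Ronald describes (no database password stored on the Tomcat host; each user's own login is used to connect to the database) can be sketched as a servlet. This is an added example, not code from the thread or from Tomcat itself; the class name, the JDBC URL, the form parameter names and the session attribute key are all assumptions, and it targets the Servlet 2.5 API that Tomcat 6 ships.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Arrays;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical login servlet: the webapp holds no database password of its own.
 * Each user is authenticated by opening a JDBC connection with the user's own
 * account, and those credentials live only in the HTTP session, never in
 * context.xml, server.xml or a properties file on disk.
 */
public class PerUserDbLoginServlet extends HttpServlet {

    // Assumed placeholder; a real deployment would read this from web.xml
    private static final String JDBC_URL = "jdbc:postgresql://dbhost/appdb";
    private static final String SESSION_KEY = "dbCredentials";

    /**
     * Credential holder. Deliberately NOT Serializable so that Tomcat's session
     * persistence cannot write the password to disk; the password is a char[]
     * so it can be zeroed on logout or failed login.
     */
    static final class DbCredentials {
        private final String user;
        private final char[] password;

        DbCredentials(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        /** Open a connection as this user; the database checks the password. */
        Connection open() throws SQLException {
            return DriverManager.getConnection(JDBC_URL, user, new String(password));
        }

        void wipe() {
            Arrays.fill(password, '\0');
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pw = req.getParameter("password");
        if (user == null || pw == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        DbCredentials creds = new DbCredentials(user, pw.toCharArray());
        Connection probe = null;
        try {
            // A successful connect is the authentication check: the DB did it.
            probe = creds.open();
            // Issue a fresh session id after login to defeat session fixation.
            HttpSession old = req.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            req.getSession(true).setAttribute(SESSION_KEY, creds);
            resp.sendRedirect(req.getContextPath() + "/home");
        } catch (SQLException e) {
            creds.wipe();
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } finally {
            if (probe != null) {
                try { probe.close(); } catch (SQLException ignored) { }
            }
        }
    }

    /** For other servlets: a connection opened as the logged-in user, or null. */
    static Connection connectionFor(HttpServletRequest req) throws SQLException {
        HttpSession session = req.getSession(false);
        if (session == null) {
            return null;
        }
        DbCredentials creds = (DbCredentials) session.getAttribute(SESSION_KEY);
        return creds == null ? null : creds.open();
    }

    /** Logout: zero the password, then drop the session. */
    static void logout(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session == null) {
            return;
        }
        DbCredentials creds = (DbCredentials) session.getAttribute(SESSION_KEY);
        if (creds != null) {
            creds.wipe();
        }
        session.invalidate();
    }
}
```

Two practical limits worth knowing before adopting this: the JDBC API takes the password as an immutable String, so `new String(password)` leaves a copy in the heap until garbage collection and the `char[]` wiping is only a partial measure; and because the credentials are per session rather than per webapp, a shared connection pool no longer fits, so each request opens (or the app keeps per-session) its own connection, which is the DBA inconvenience Ronald mentions. It also only changes what an attacker with Tomcat's privileges can reach at rest: while a user is logged in, that user's credentials are in Tomcat's memory just as Mark describes.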

