tomcat-users mailing list archives

From Rainer Frey <>
Subject Re: running tomcat6 under a different user than root (debian)
Date Fri, 29 Oct 2010 13:42:17 GMT
On Friday 29 October 2010 15:34:29 Mark Thomas wrote:
> If Tomcat has access to a database and the attacker has access to a
> shell prompt (or similar) with the same privileges as Tomcat then the
> attacker has access to the database and there is absolutely nothing you
> can do to prevent that.

In theory, there is a way Tomcat could implement this. You could interactively ask
for all needed passwords when starting Tomcat and keep them only in memory.
httpd does that by default for encrypted SSL primary keys. But in practice the
userbase that would accept the inconvenience and the impossibility to
automatically start Tomcat would be too small to spend time on that. And the
practical security gain is small.

> Mark
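As an added illustration of the prompt-at-startup idea discussed above (not code from Tomcat, and not something the poster proposed implementing), the following Tomcat 6 JNDI factory reads the database password from the console instead of from server.xml/context.xml. The class name `example.PromptingDataSourceFactory` and the resource name are made up for this example; `org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory` is the DBCP factory Tomcat 6 bundles. It is wired in with `factory="example.PromptingDataSourceFactory"` on the `<Resource>` element and no `password` attribute.

```java
// Hypothetical example: a JNDI ObjectFactory for Tomcat 6 that prompts for the
// database password on the console and keeps it only in memory. Not Tomcat code.
package example;

import java.io.Console;
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.Reference;
import javax.naming.StringRefAddr;
import javax.naming.spi.ObjectFactory;
import org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory; // DBCP as bundled with Tomcat 6

public class PromptingDataSourceFactory implements ObjectFactory {

    // Prompted once per JVM; later lookups of the resource reuse the answer.
    private static String password;

    public Object getObjectInstance(Object obj, Name name, Context nameCtx,
                                    Hashtable<?, ?> environment) throws Exception {
        if (!(obj instanceof Reference)) {
            return null; // not a Reference; let other factories try
        }
        Reference ref = (Reference) obj;

        // Remove any "password" address so a value accidentally left in the XML
        // is never used: the only password DBCP sees is the one typed in.
        for (int i = ref.size() - 1; i >= 0; i--) {
            if ("password".equals(ref.get(i).getType())) {
                ref.remove(i);
            }
        }
        ref.add(new StringRefAddr("password", passwordFor(name)));

        // Delegate pool construction to the normal DBCP factory.
        return new BasicDataSourceFactory().getObjectInstance(ref, name, nameCtx, environment);
    }

    private static synchronized String passwordFor(Name name) {
        if (password == null) {
            Console console = System.console();
            if (console == null) {
                // No controlling terminal (init script, jsvc, redirected stdin):
                // fail closed instead of starting with an unusable DataSource.
                throw new IllegalStateException("No console available to prompt for the "
                        + "password of " + name + "; start Tomcat interactively");
            }
            char[] pw = console.readPassword("Database password for %s: ", name);
            password = new String(pw); // DBCP takes the password as a String
            Arrays.fill(pw, '\0');     // clear the char[] copy at least
        }
        return password;
    }
}
```

Two practical notes. Tomcat runs the factory on the first JNDI lookup of the resource, not when the server process starts, so the prompt appears when the first webapp looks the resource up (at deploy time if it does so from a startup listener). And the password still ends up as a String in the Java heap, readable by anyone who can run a debugger or heap dump as the Tomcat user, which is the reason the reply calls the practical gain small.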

