tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: running tomcat6 under a different user than root (debian)
Date Fri, 29 Oct 2010 13:49:46 GMT
On 29/10/2010 14:42, Rainer Frey wrote:
> On Friday 29 October 2010 15:34:29 Mark Thomas wrote:
>> If Tomcat has access to a database and the attacker has access to a
>> shell prompt (or similar) with the same privileges as Tomcat then the
>> attacker has access to the database and there is absolutely nothing you
>> can do to prevent that.
> In theory, there is a way Tomcat could implement. You could interactively ask 
> for all needed passwords when starting Tomcat and keep them only in memory. 
> httpd does that by default for encrypted SSL primary keys. But in practice the 
> userbase that would accept the inconvenience and the impossibility to 
> automatically start tomcat would be too small to spend time for that. And the 
> practical security gain is small.

Actually it is pretty much zero. If the password is in memory it will be
in a known location and an attacker will still be able to read it
(reflection, heap dump, etc). With httpd the barrier is a little higher
since it is likely to be harder to find the right bit of memory.

Agreed that the downtime issues far outweigh and security benefits.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message