tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: running tomcat6 under a different user than root (debian)
Date Mon, 01 Nov 2010 14:53:51 GMT

Darryl,

On 10/30/2010 5:11 PM, Darryl Lewis wrote:
> That's why we encrypt passwords in unix, or haven't you looked at
> etc/passwd lately? Are you going to tell me that is complete
> nonsense?

The credentialing mechanism is the keyboard and the user's fingers, not
a file on the filesystem. What you're suggesting here is that
/etc/passwd is the same as conf/server.xml when in reality /etc/passwd
is analogous to the password database maintained by the db.

> According to your 'argument' that is 'security by obscurity'. You
> better break that to the GNU crowd gently.

The "GNU crowd" did not develop the /etc/passwd standard.

> Having a username and password in clear text allows another account
> to be compromised.

Yes, it does. Nobody is arguing that. What we're saying is that, given
these requirements, security is not possible.

-chris
