tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mark H. Wood" <mw...@IUPUI.Edu>
Subject Re: ConnectionPoolMBean should not expose plain-text DB password
Date Mon, 08 Oct 2012 13:56:01 GMT
On Fri, Oct 05, 2012 at 05:11:57PM -0400, Christopher Schultz wrote:
> On 10/5/12 1:51 PM, Te Li wrote:
> > I am not familiar with JIoEndpoint discussed in 
> > https://issues.apache.org/bugzilla/show_bug.cgi?id=53139.
> > 
> > The issue I'm facing is something different. Apparently, some
> > effort was made to hide the DB password, but the DB password is
> > still exposed via another getter (getDbProperties()). This seems to
> > be a bug to me.
> > 
> > DB passwords are highly sensitive information. JMX admins shouldn't
> > see those either. It's not a reasonable assumption that it's okay
> > for JMX admins to see exposed DB passwords (which should never be
> > exposed in plaintext or encrypted form). Those who work in a
> > company would probably concur with this point.
> 
> I think most of us work at companies, and I happen to disagree with you.
> 
> Tomcat passwords -- at least those in server.xml -- are in plain-text
> form. All requests to obfuscate them have been denied because it is
> simply not possible to properly secure them: the key always must be
> available to the administrator in order to read the obfuscated
> password and therefore any steps to "secure" the password are a charade.
> 
> There is a wealth of knowledge available via JMX, and it should only
> be exposed to administrators. Any JMX-enabled administrator will be
> able to deploy an arbitrary webapp to go and fetch the data you are
> trying to hide. You are wasting your time.

Well, I agree with both of you. :-)

The O.P. seems to want something like a military-style access control
system, in which it is possible to set up a structure where *no one*
has ultimate access; different roles have privileged access to
different aspects of the operation.  This is not an unreasonable
desire.  There are situations where it is advantageous (to the
organization) to operate in such a way that there are things a single
high-value captive cannot compromise.  Compare this to everyday
financial controls which require multiple signatures on a check or
several individuals with different keys to open a safe.  The highest
authorities can order things done, but cannot do them.  When wearing
my sysadmin hat, I work hard to make sure that I do not have to know
some of the secrets required to run our operation.

OTOH I agree that Tomcat is not set up to give you a heterarchial
access structure.  Very few products are.  I'm sure I never heard of
most of them and suppose that few of you all have either.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Asking whether markets are efficient is like asking whether people are smart.

Mime
View raw message