tomcat-users mailing list archives
From Rob Tanner <rtan...@cheshire.onlinemac.com>
Subject Re: Protecting mysql access (was: re: mySQL again)
Date Thu, 01 Mar 2001 21:40:16 GMT
But that doesn't address the basic issue.  If you have login privs on
the machine and a shell account, or you've managed to sniff a password
of someone who does, etc, then you have a potential security hole.
Remember also, that more damage in terms of dollar value comes from
inside, from those very folks you trust.  The whole point of my post
was that without locking down server.xml as root readable only, there's
a good chance a user with ordinary privs might successfully read it --
this is a localhost, not a network issue.  And other than running
tomcat under root, I don't know of any surefire way to secure the db
credentials tomcat and/or various servlets require to access the
database (and, of course, the same is true whether it's mysql, oracle,
sybase, postgres, etc, etc, etc).  As far as your comment that in that
case one has "other security problems besides MySQL!", I can't agree
more.  But at the same time, should you make matters worse by making
the db root password readily available to snooping eyes?

-- Rob


--On Thursday, March 01, 2001 08:51:09 AM -0800 Rick Herrick 
<rick@violetshivers.com> wrote:

> On our server, we basically grant NO remote access privileges to ANY
> users, including root.  This means that any access to the database
> has to be done from the localhost.  So instead of doing the two
> normal grants you might do, like this:
>
> GRANT SELECT,INSERT,UPDATE ON *.* TO soandso@localhost IDENTIFIED BY 'password';
> GRANT SELECT,INSERT,UPDATE ON *.* TO soandso@"%" IDENTIFIED BY 'password';
>
> The first allows access from the localhost.  The second allows remote
> access.  Just don't do the second.  Then someone has to hack in and
> get local access to the database somehow and if they can do that,
> then you've got other security problems besides MySql!
>
> At 08:01 AM 3/1/2001 -0800, you wrote:
>> Slightly off topic, but important!
>>
>> Having seen way too much in terms of hacking and system compromises,
>> might I suggest you create another, and far less privileged user
>> than root, for accessing mysql.  Unless you've gone into the grant
>> tables and created a different mysql superuser and reduced root's
>> priv, then the root login to mysql is like root on unix, superuser,
>> God, etc.  If multiple users have shell access to the tomcat host
>> system, and those same users are not authorized as mysql root, then
>> I know of no way to keep unauthorized eyes from looking at the
>> server.xml file other than by making it sysroot protected. But to
>> do that, you need to run tomcat under root.
>>
>> If anyone has a good mechanism for securing the server's and/or
>> servlet's credential for db access, I'd certainly love to hear it.
>> That issue has been my one and only thorn in the side since I began
>> switching from perl/cgi (where the solution to that issue is a
>> no-brainer) to using tomcat.
>>
>> -- Rob
>>
>> --On Thursday, March 01, 2001 10:19:13 AM +0100 leak@gmx.at wrote:
>>
>>>> Hi!
>>>> My connectionURL in server.xml now looks like this:
>>>> "jdbc:mysql://localhost/auth?user=root&password=somepassword"
>>>>
>>>> and tomcat doesn't start up (although there is no error msg or
>>>> anything) and when i execute tomcat stop i get the following
>>>> exception:
>>>> org.xml.sax.SAXParseException: Next character must be ";"
>>>> terminating reference to entity "password" and a stack trace
>>>> follows...
>>>>
>>>> why is that?
>>>
>>> I guess you should escape the "&" character in your connectionURL by
>>> replacing it with "&amp;", as the XML parser will parse entities
>>> like "&lt;" or "&quote;" or things like that...
>>>
>>> Try
>>>
>>> jdbc:mysql://localhost/auth?user=root&amp;password=somepassword
>>>
>>> instead, that should work...
>>>
>>> np: Flanger - Nightbeat 1 (Midnight Sound)
>>>
>>> ---------------------------------------------------------------------
>>> Sent through MailGateway - http://www.ssw.uni-linz.ac.at:2000/
>>> Send or read your emails anywhere.
>>> ---------------------------------------------------------------------
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>> For additional commands, email: tomcat-user-help@jakarta.apache.org
>>
>>
>>
>>
>>       _ _ _ _           _    _ _ _ _ _
>>      /\_\_\_\_\        /\_\ /\_\_\_\_\_\
>>     /\/_/_/_/_/       /\/_/ \/_/_/_/_/_/  QUIDQUID LATINE DICTUM SIT,
>>    /\/_/__\/_/ __    /\/_/    /\/_/          PROFUNDUM VIDITUR
>>   /\/_/_/_/_/ /\_\  /\/_/    /\/_/
>>  /\/_/ \/_/  /\/_/_/\/_/    /\/_/         (Whatever is said in Latin
>>  \/_/  \/_/  \/_/_/_/_/     \/_/              appears profound)
>>
>>  Rob Tanner
>>  McMinnville, Oregon
>>  rtanner@cheshire.onlinemac.com
>>
>>
>
> --
> Rick Herrick
> rick@violetshivers.com
> Nothing is amusing in zero gravity...
> PGP: http://www.rickherrick.com/pgpkey
>
>

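The thread turns on three checkable points: an unescaped `&` in the server.xml connectionURL breaks the XML parse while `&amp;` does not (leak@gmx.at's reply), a server.xml readable by group or other exposes the db credentials to any local account (Rob's point), and a GRANT whose host part is `%` admits remote logins while `localhost` does not (Rick's point). The following is an added example, not code from any of the posters; it uses only the Python 3 standard library. The server.xml fragments are constructed, the GRANT statements are the two Rick quoted, and the function names and the set of loopback host names are my own assumptions.

```python
import re
import stat
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed server.xml fragments for the example (not the poster's file).
# The first carries the raw '&' from the original post; the second escapes it.
RAW_URL = "jdbc:mysql://localhost/auth?user=root&password=somepassword"
BAD_XML = '<Realm connectionURL="%s"/>' % RAW_URL
GOOD_XML = '<Realm connectionURL="%s"/>' % escape(RAW_URL)


def escape_for_xml_attribute(url):
    """Escape a JDBC URL for use inside an XML attribute value.
    saxutils.escape() turns '&' into '&amp;' (and '<'/'>' into '&lt;'/'&gt;');
    the parser turns it back into a plain '&' when it reads the attribute."""
    return escape(url)


def connection_url(xml_text):
    """Parse a server.xml fragment and return its connectionURL attribute,
    or None when the fragment is not well-formed XML. An unescaped '&'
    followed by 'password=...' is read as an entity reference that never
    reaches its terminating ';', which is the SAXParseException in the
    original post."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return root.get("connectionURL")


def exposed_read_bits(mode):
    """Return which non-owner read bits are set on a file mode.
    Anything in the list means a local user who is neither the file's
    owner nor root can read the credentials embedded in server.xml."""
    exposed = []
    if mode & stat.S_IRGRP:
        exposed.append("group")
    if mode & stat.S_IROTH:
        exposed.append("other")
    return exposed


# Matches 'TO user@host' in a GRANT statement; user and host may be bare or
# quoted with ', " or ` (hypothetical parser, sufficient for the quoted form).
GRANT_RE = re.compile(
    r"GRANT\s.*?\sON\s+\S+\s+TO\s+"
    r"[\"'`]?(?P<user>[^\"'`@\s]+)[\"'`]?@[\"'`]?(?P<host>[^\"'`\s;]+)",
    re.IGNORECASE | re.DOTALL,
)

# Assumed set of host names that only ever match a local connection.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def remote_grants(sql_text):
    """Return (user, host) pairs for every GRANT whose host part is not a
    loopback name. A '%' host (or any other pattern) accepts logins from
    remote addresses, which is the second GRANT the thread says to skip."""
    found = []
    for match in GRANT_RE.finditer(sql_text):
        user, host = match.group("user"), match.group("host")
        if host.lower() not in LOCAL_HOSTS:
            found.append((user, host))
    return found


# The two GRANT statements quoted in the thread.
THREAD_GRANTS = """
GRANT SELECT,INSERT,UPDATE ON *.* TO soandso@localhost IDENTIFIED BY 'password';
GRANT SELECT,INSERT,UPDATE ON *.* TO soandso@"%" IDENTIFIED BY 'password';
"""

if __name__ == "__main__":
    print("raw '&' parses to:", connection_url(BAD_XML))
    print("'&amp;' parses to:", connection_url(GOOD_XML))
    print("mode 0644 exposes:", exposed_read_bits(0o644))
    print("mode 0600 exposes:", exposed_read_bits(0o600))
    print("remote grants:", remote_grants(THREAD_GRANTS))
```

To apply the permission check to a real file, pass `os.stat(path).st_mode` to `exposed_read_bits()`; an empty list is what Rob is asking for, and on a system where tomcat does not run as root that means the file must be owned by the tomcat user with mode 0600, which is the trade-off the thread is describing.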