tomcat-users mailing list archives

From Rick Herrick <r...@violetshivers.com>
Subject Re: Protecting mysql access (was: re: mySQL again)
Date Thu, 01 Mar 2001 16:51:09 GMT
On our server, we basically grant NO remote access privileges to ANY users, 
including root.  This means that any access to the database has to be done 
from the localhost.  So instead of doing the two normal grants you might 
do, like this:

GRANT SELECT,INSERT,UPDATE ON *.* TO soandso@localhost IDENTIFIED BY 
'password';
GRANT SELECT,INSERT,UPDATE ON *.* TO soandso@"%" IDENTIFIED BY 'password';

The first allows access from the localhost.  The second allows remote 
access.  Just don't do the second.  Then someone has to hack in and get 
local access to the database somehow and if they can do that, then you've 
got other security problems besides MySQL!

At 08:01 AM 3/1/2001 -0800, you wrote:
>Slightly off topic, but important!
>
>Having seen way too much in terms of hacking and system compromises, might 
>I suggest you create another, and far less privileged user than root, for 
>accessing mysql.  Unless you've gone into the grant tables and created a 
>different mysql superuser and reduced root's priv, then the root login to 
>mysql is like root on unix, superuser, God, etc.  If multiple users have 
>shell access to the tomcat host system, and those same users are not 
>authorized as mysql root, then I know of no way to keep unauthorized eyes 
>from looking at the server.xml file other than by making it sysroot 
>protected. But to do that, you need to run tomcat under root.
>
>If anyone has a good mechanism for securing the server's and/or servlet's 
>credential for db access, I'd certainly love to hear it. That issue has 
>been my one and only thorn in the side since I began switching for 
>perl/cgi (where the solution to that issue is a no-brainer) to using tomcat.
>
>-- Rob
>
>--On Thursday, March 01, 2001 10:19:13 AM +0100 leak@gmx.at wrote:
>
>>>Hi!
>>>My connectionURL in server.xml now looks like this:
>>>"jdbc:mysql://localhost/auth?user=root&password=somepassword"
>>>
>>>and tomcat doesn't start up (although there is no error msg or
>>>anything) and when i execute tomcat stop i get the following
>>>exception:
>>>org.xml.sax.SAXParseException: Next character must be ";" terminating
>>>reference to entity "password" and a stack trace follows...
>>>
>>>why is that?
>>
>>I guess you should escape the "&" character in your connectionURL by
>>replacing it with "&amp;", as the XML parser will parse entities like
>>"&lt;" or "&quote;" or things like that...
>>
>>Try
>>
>>jdbc:mysql://localhost/auth?user=root&amp;password=somepassword
>>
>>instead, that should work...
>>
>>np: Flanger - Nightbeat 1 (Midnight Sound)
>>
>>---------------------------------------------------------------------
>>Sent through MailGateway - http://www.ssw.uni-linz.ac.at:2000/
>>Send or read your emails anywhere.
>>---------------------------------------------------------------------
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>For additional commands, email: tomcat-user-help@jakarta.apache.org
>
>
>
>
>       _ _ _ _           _    _ _ _ _ _
>      /\_\_\_\_\        /\_\ /\_\_\_\_\_\
>     /\/_/_/_/_/       /\/_/ \/_/_/_/_/_/  QUIDQUID LATINE DICTUM SIT,
>    /\/_/__\/_/ __    /\/_/    /\/_/          PROFUNDUM VIDITUR
>   /\/_/_/_/_/ /\_\  /\/_/    /\/_/
>  /\/_/ \/_/  /\/_/_/\/_/    /\/_/         (Whatever is said in Latin
>  \/_/  \/_/  \/_/_/_/_/     \/_/              appears profound)
>
>  Rob Tanner
>  McMinnville, Oregon
>  rtanner@cheshire.onlinemac.com
>
>

--
Rick Herrick
rick@violetshivers.com
Nothing is amusing in zero gravity...
PGP: http://www.rickherrick.com/pgpkey
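An added example, not code from Rick's or Rob's messages: the two grants above rewritten for a current MySQL (5.7 or later, where the `GRANT ... IDENTIFIED BY` form used in 2001 is no longer accepted and the account is created first), narrowed to the one `auth` database the thread's JDBC URL names instead of `*.*`, together with the statements a reviewer would run to find and remove accounts that can still be reached from a remote host. The account name `tomcat_auth` and the password placeholder are assumptions.

```sql
-- Added example: least-privilege, local-only MySQL account for the Tomcat webapp.
-- Assumes MySQL 5.7+ (CREATE USER + GRANT, DROP USER IF EXISTS).
-- The account name and password below are placeholders.

-- 1. The pattern the thread warns against: every database, any remote host.
--    Shown only for contrast; it is the grant that gets removed in step 3.
-- GRANT SELECT,INSERT,UPDATE ON *.* TO 'soandso'@'%' IDENTIFIED BY 'password';

-- 2. Local-only account, limited to the single database the servlet uses.
--    No DROP/ALTER/GRANT OPTION: the webapp cannot change schema or privileges
--    even if its credential leaks out of server.xml.
CREATE USER 'tomcat_auth'@'localhost' IDENTIFIED BY 'change-me-long-random';
GRANT SELECT, INSERT, UPDATE ON auth.* TO 'tomcat_auth'@'localhost';

-- 3. Remove any remote-capable copy of the old account.
--    DROP USER deletes the account's privilege rows with it.
DROP USER IF EXISTS 'soandso'@'%';

-- 4. Audit: which accounts can still log in from a non-local host?
--    Any row returned here contradicts the "localhost only" policy.
SELECT user, host
FROM mysql.user
WHERE host NOT IN ('localhost', '127.0.0.1', '::1');

-- 5. Confirm the new account received only what was intended.
SHOW GRANTS FOR 'tomcat_auth'@'localhost';
```

The audit query is worth scripting into a periodic check, since a later `GRANT ... TO 'x'@'%'` silently reopens remote access. As a second layer that does not depend on the grant tables at all, set `bind-address = 127.0.0.1` (or `skip-networking`) under `[mysqld]` in my.cnf so the server never accepts a TCP connection from another host in the first place.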

