Andrew McIntyre wrote:
> On 2/27/07, Rick Hillegas <[EMAIL PROTECTED]> wrote:
>> Thanks for the quick response, Andrew. If we go with (4), then we have
>> to change our attitude about the startup scripts. Right now they work
>> out-of-the-box. With approach (4), they no longer work out-of-the-box.
>> Instead, they are templates which have to be customized.
>
> Is adding an argument to the invocation of a script customizing a
> template? The script itself need not be edited to start up the server.
> Also, as of the moment, I believe this only affects the
> startNetworkServer scripts, or did I miss something?
>
>> It would be nice to tell customers how to do this. What do you think:
>> should we document this:
>> a) in comments in the scripts themselves
>> b) in the Admin Guide
>> c) in the Getting Started Guide
>> d) all of the above
>> e) something else
>
> Since I've had some time to think about it a little more, I'd vote for
> (e): (d) and make the script(s) smarter. E.g. if no arguments were
> given to the script and the startNetworkServer initially fails to
> start the network server, detect the exit code of 1, print a LOUD
> warning, and start the server up with the -noSecurityManager flag.
> Still starts the network server up with the behavior of the previous
> release, and warns them that the server they just started up is
> insecure. What do you think?

I think just allowing the script to accept the -noSecurityManager flag
is enough. Booting with no security when the user was expecting security
seems like a huge problem to me. There's a very good chance that the
startup is automated and no-one notices the server is being booted
without security.

I think some of this goes back to no good definition of what
"secure-by-default" means. Without a good definition it's hard to make a
decision as to if a behaviour is achieving the desired goal.

The original discussion has this phrase:

"... system/database owners are trusting the database system to ensure
that their system cannot be attacked."

For example I was thinking that maybe if the server was only listening
on localhost/127.0.0.1 then there's no need to install a security
manager. But how does that fit into various people's concept of secure
by default.

Dan.