RE: can JNDIRealm connectionPassword be encrypted?

2005-10-14 Thread Caldarale, Charles R
 From: Klotz Jr, Dennis [mailto:[EMAIL PROTECTED]]
 Subject: RE: can JNDIRealm connectionPassword be encrypted?
 
 To me and my co-workers that login still represents a large 
 security risk if someone can gain access to the file 
 server.xml.

If someone can gain access to server.xml, you essentially have a
complete breakdown of security for that system.  If you don't trust your
file system to protect against unauthorized intrusion, any other
security considerations are moot.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: can JNDIRealm connectionPassword be encrypted?

2005-10-14 Thread Caldarale, Charles R
 From: Klotz Jr, Dennis [mailto:[EMAIL PROTECTED]]
 Subject: RE: can JNDIRealm connectionPassword be encrypted?
 
 Right now we have the tomcat instance running as a tomcat:tomcat user
 and group.

And, I hope, you have permissions for everything in Tomcat's directories
set to 750, and very, very limited membership in the group.

 in case someone found an exploit within tomcat itself and 
 gained shell access with tomcat privileges.

Double failure.  Not only would there have to be a serious security flaw
within Tomcat itself (and I'm not aware of any at the moment), but this
flaw would also have to permit execution of arbitrary code - which is
pretty tricky in Java, if you've set up the JVM security policy
appropriately.

 Again, perhaps that is being a bit paranoid. But that is 
 what security is all about. :)

Not really, although a lot of consultants push that approach so they can
take your money and tell you things you already know.

 - Chuck
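A permission audit along the lines Chuck describes (Tomcat's tree owned by the tomcat:tomcat account, 750 on the directories, and server.xml not readable by anyone outside that account), added here as an example for this archive page; it is not code from the thread or from Tomcat itself. The install root, owner and group are passed as arguments, and the tomcat:tomcat default and the /opt/tomcat layout in the usage line are assumptions about your deployment.

```shell
#!/bin/sh
# Audit a Tomcat install for the conditions the thread calls for: every path
# owned by the Tomcat account and group, no rwx bits for "other", and nothing
# group-writable (i.e. 750 directories and 640/750 files). Offending paths are
# printed one per line; returns 1 if any were found, 0 if the tree is clean.
#   $1  install root (e.g. /opt/tomcat or $CATALINA_BASE; assumed layout)
#   $2  expected owner (default: tomcat, as in the thread; an assumption)
#   $3  expected group (default: tomcat)
audit_tomcat_perms() {
    root=$1
    owner=${2:-tomcat}
    group=${3:-tomcat}
    # -H        : follow $root itself if it is a symlink (common for /opt/tomcat)
    # ! -type l : symlinks inside the tree always show 777, so skip them
    # -perm /007: any rwx bit set for "other" (a world-readable server.xml)
    # -perm /020: group write bit set (group members could edit the config)
    # ! -user / ! -group: wrong ownership, so the 750 bits protect nothing
    offenders=$(find -H "$root" ! -type l \
        \( -perm /007 -o -perm /020 -o ! -user "$owner" -o ! -group "$group" \) \
        -print)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Fix the mode bits only (ownership needs root and chown, so it is reported,
# not changed): drop all "other" access and group write across the tree.
strip_world_access() {
    chmod -R o-rwx,g-w "$1"
}

# Usage: sh audit_tomcat.sh /opt/tomcat [owner] [group]
if [ $# -gt 0 ]; then
    audit_tomcat_perms "$@"
fi
```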
