> From: Klotz Jr, Dennis [mailto:[EMAIL PROTECTED]
> Subject: RE: can JNDIRealm connectionPassword be encrypted?
>
> Right now we have the tomcat instance running as a tomcat:tomcat user
> and group.

And, I hope, you have permissions for everything in Tomcat's directories set to 750, and very, very limited membership in the group.

> in case someone found an exploit within tomcat itself and
> gained shell access with tomcat privileges.

Double failure. Not only would there have to be a serious security flaw within Tomcat itself (and I'm not aware of any at the moment), but this flaw would also have to permit execution of arbitrary code - which is pretty tricky in Java, if you've set up the JVM security policy appropriately.

> Again perhaps that is being a bit paranoid. But that is
> what security is all about. :)

Not really, although a lot of consultants push that approach so they can take your money and tell you things you already know.

 - Chuck
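
The two checks recommended in the reply above (nothing in Tomcat's directories more permissive than 750, and a small `tomcat` group), as an added example that is not part of the original message. The function names, the default `tomcat` owner and group, and the file arguments are assumptions; the group lookup reads local files only.

```shell
#!/bin/sh
# Added example: audit a Tomcat tree against "750, tomcat:tomcat, small group".
# Function names, default owner/group and paths are assumptions, not from the thread.

# audit_tomcat_perms DIR [OWNER] [GROUP]
# Returns 0 if clean, 1 with findings on stdout, 2 if find itself failed.
audit_tomcat_perms() {
    a_dir=$1; a_owner=${2:-tomcat}; a_group=${3:-tomcat}
    # Bits beyond 750: group-write (020) or any "other" bit (004/002/001).
    # Symlinks are skipped; their own mode bits are not meaningful.
    a_mode=$(find "$a_dir" ! -type l \( -perm -020 -o -perm -004 \
        -o -perm -002 -o -perm -001 \) -print) || return 2
    # find exits non-zero on an unknown user or group, so a typo in the
    # account name is reported as an error instead of a clean result.
    a_own=$(find "$a_dir" ! -type l \( ! -user "$a_owner" \
        -o ! -group "$a_group" \) -print) || return 2
    if [ -z "$a_mode$a_own" ]; then return 0; fi
    if [ -n "$a_mode" ]; then printf '%s\n' "$a_mode" | sed 's/^/MODE /'; fi
    if [ -n "$a_own" ]; then printf '%s\n' "$a_own" | sed 's/^/OWNER /'; fi
    return 1
}

# list_group_members GROUP [GROUP_FILE] [PASSWD_FILE]
# Local files only; accounts supplied by LDAP or another NSS source are not seen.
list_group_members() {
    l_grp=$1; l_gfile=${2:-/etc/group}; l_pfile=${3:-/etc/passwd}
    l_gid=$(awk -F: -v g="$l_grp" '$1 == g { print $3; exit }' "$l_gfile")
    [ -n "$l_gid" ] || return 1
    {
        # Supplementary members: comma-separated 4th field of the group entry.
        awk -F: -v g="$l_grp" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$l_gfile"
        # Primary members: passwd entries whose GID field matches; these do
        # not appear in the group entry's member list.
        awk -F: -v gid="$l_gid" '$4 == gid { print $1 }' "$l_pfile"
    } | sort -u
}
```

Files stricter than 750 (for example 640 on configuration files) pass the audit; only bits beyond 750 and wrong ownership are reported.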