On Fri, May 8, 2020 at 9:07 PM calder <calder....@gmail.com> wrote:
> On Fri, May 8, 2020, 19:20 Robert Hicks <robert.hi...@gmail.com> wrote:
>> I am trying to find what the password complexity can be. I've looked at
>> several hardening guides and they are all "WordsLikeThis". Does the
>> shutdown password take symbols and numbers or at least hyphenated words?
> We've never had occasion to use the password, because we disable shutdown
> (the better option).
> However, my best guess is one could use anything. One could check the source
> code, or better yet, set up a Dev instance and give it a quick test - a 15
> minute exercise at most.

Gave it a test.

In server.xml, we have
<Server port="8005" shutdown="fdsa$#@JKL:^" >

and then fire it up

user@stimpy:~/bin/apache-tomcat/bin> ./catalina.sh start  > log.log 2>&1

user@stimpy:~/bin/apache-tomcat/bin> ps aux | grep java
user   7223  531  1.2 21006280 812812 pts/2 Sl   23:22   0:13 /home/ [ ... ]

user@stimpy:~/bin/apache-tomcat/bin> ./shutdown.sh stop

user@stimpy:~/bin/apache-tomcat/bin> ps aux | grep "bin/java"
[ no response ]

If we start up TC and change the server.xml entry to (removed one char at end)
<Server port="8005" shutdown="fdsa$#@JKL:">
TC won't shut down.

Keep in mind - some characters won't work like & or ( or ) - at least
on Unix-style OSes as the shell may want to interpret them.

Experiment with whatever chars you want.
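
An added example, not part of the original message and not Tomcat's own code: a Python check that reads the <Server> element discussed in this thread and reports whether the shutdown port is enabled and whether the shutdown command is the default or low in complexity. The sample server.xml strings are constructed, and MIN_LENGTH and the three-character-class threshold are assumed policy values.

```python
import xml.etree.ElementTree as ET

DEFAULT_PORT = "8005"         # Tomcat's value when the port attribute is absent
DEFAULT_COMMAND = "SHUTDOWN"  # Tomcat's value when the shutdown attribute is absent
MIN_LENGTH = 12               # assumed policy threshold, not a Tomcat setting


def audit_shutdown(server_xml):
    """Return a list of findings about the <Server> shutdown port and command."""
    root = ET.fromstring(server_xml)
    if root.tag != "Server":
        raise ValueError("root element is not <Server>")
    port = root.get("port", DEFAULT_PORT).strip()
    command = root.get("shutdown", DEFAULT_COMMAND)

    if port == "-1":
        return []  # shutdown port disabled, so the command is never accepted
    findings = ["shutdown port %s is enabled" % port]
    if command == DEFAULT_COMMAND:
        findings.append("shutdown command is the default")
        return findings
    # Count which character classes the command draws from.
    classes = sum([
        any(c.islower() for c in command),
        any(c.isupper() for c in command),
        any(c.isdigit() for c in command),
        any(not c.isalnum() for c in command),
    ])
    if len(command) < MIN_LENGTH or classes < 3:
        findings.append("shutdown command is short or uses few character classes")
    return findings


# Constructed sample inputs (only the <Server> element of a server.xml).
SAMPLES = {
    "default": '<Server port="8005" shutdown="SHUTDOWN"></Server>',
    "value from the thread": '<Server port="8005" shutdown="fdsa$#@JKL:^"></Server>',
    "words only": '<Server port="8005" shutdown="WordsLikeThis"></Server>',
    "disabled": '<Server port="-1" shutdown="SHUTDOWN"></Server>',
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(name, "->", audit_shutdown(xml_text) or "no findings")
```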
