On 14/08/2014 15:46, George Sexton wrote:
>
> On 8/14/2014 8:33 AM, Mark Thomas wrote:
>> On 14/08/2014 15:10, George Sexton wrote:
>>> graph.
>>> Can you help me understand why tomcat doesn't take the approach of
>>> Apache httpd which is to ask the user for the decryption key at startup
>>> time?
>> Because it is largely a waste of time. Anyone with root on the box can
>> do a heap dump and retrieve the actual key or the password used to
>> protect the key. Much simpler just to not bother with a password and
>> configure the key file so only root and the Tomcat user can read it.
>> Same ends, simpler means.
>
> The issue with root makes sense. Thanks for explaining it to me.
>
> The case I see it being an improvement is where there's a defect in the
> web server that makes the file available to the uid the tomcat process
> runs under.
>
> Using tomcat as an example, say there were some directory traversal bug
> that would make the file available. Using httpd as an example, say there
> were some stack overflow bug in PHP that could be exploited.
With httpd that attack wouldn't work as the worker processes run as a different user to the main process which runs as root. Only the main process can read the key file.

In Tomcat I think (but have never tested) that Commons Daemon can do a similar thing. It starts as root, reads the keystore and then drops to non-root. The problem with that is that if the connector needs to be restarted you have to restart the entire process.

A similar issue with restarting the connector exists with the 'enter the password on the command line' solution.

To look at it another way, I don't think the benefit is worth the effort necessary to implement it.

<advert>
I believe Pivotal's (my employer) tc Server product which is based on Tomcat does offer an enter the password on start-up option of some form.
</advert>

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
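The file-permission approach Mark recommends ("configure the key file so only root and the Tomcat user can read it") is easy to get wrong silently, so here is a small check an administrator can run against the keystore. This is an added example, not code from the thread, from Tomcat or from Commons Daemon; it assumes GNU coreutils `stat -c` (Linux), and the keystore path is a placeholder supplied on the command line.

```shell
#!/bin/sh
# Added example, not from the thread or from Tomcat: verify that a keystore file
# is readable only by its owner and group (the root:tomcat, mode 0640 layout the
# thread describes) and tighten the mode if it is not.
# Assumptions: GNU coreutils `stat -c` (Linux); the path is a placeholder.

# Returns 0 when "other" has no permission bits and "group" has no write bit,
# 1 when the mode is too permissive, 2 when the file cannot be inspected.
keystore_perms_ok() {
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 2; }
    mode=$(stat -c '%a' "$f") || return 2      # e.g. 640, 644, 1640
    other=${mode#"${mode%?}"}                  # last octal digit: "other" bits
    rest=${mode%?}
    group=${rest#"${rest%?}"}                  # middle octal digit: "group" bits
    if [ "$other" != 0 ]; then
        echo "$f: world-accessible (mode $mode)" >&2
        return 1
    fi
    case $group in
        2|3|6|7)
            echo "$f: group-writable (mode $mode)" >&2
            return 1 ;;
    esac
    return 0
}

# Sets mode 0640 and re-checks. Ownership (root:<tomcat group>) is left to the
# administrator because chown requires root; see the usage note.
harden_keystore_mode() {
    chmod 0640 "$1" && keystore_perms_ok "$1"
}

# Stand-alone use: sh check_keystore.sh /path/to/tomcat/conf/keystore.jks
if [ -n "${1:-}" ]; then
    keystore_perms_ok "$1" && echo "$1: permissions OK"
fi
```

The check inspects mode bits only; the ownership half of Mark's recommendation (`chown root:<tomcat group>` so that the Tomcat user reads through the group bit while only root can modify the file) still has to be applied by hand, and the check should be re-run after every keystore rotation, since a replacement file written with the default umask typically comes back as 0644.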