On 8/27/2010 1:14 PM, djohn...@desknetinc.com wrote:
André Warnier<a...@ice-sa.com>  wrote on 08/27/2010 12:32:43 PM:

Ken Bowen wrote:
If you wanted to go down this path, besides the web page for entering
the password, you could add sending alerts to the cells of all your
sysadmins to improve the probability of the password being entered in a
timely manner. Perhaps Tomcats in clusters could obtain the password
from their brethren.

And to complete the circle and make it all more user-friendly, I
would also add the password to the SMS being sent.
At least it would avoid having the sysadmins sticking it on a
Post-It on their screens.

So all the hacker with root privileges has to do is temporarily replace
the sysadmins list with a single phone number, and then restart Tomcat,
and (s)he is in business...

For a DOS attack, yes. She also needs to know the password to get anything to work.

D
