> -----Original Message-----
> From: Darryl Lewis [mailto:darryl.le...@unsw.edu.au]
> Sent: Saturday, October 30, 2010 3:12 PM
> To: Tomcat Users List
> Subject: Re: running tomcat6 under a different user than root (debian)
>
> Yeah, well reasoned rebuttal there....not.
> That's why we encrypt passwords in unix, or haven't you looked at
> etc/passwd lately? Are you going to tell me that is complete nonsense?

This is really much less useful than you would think. I had a Linux machine get hacked once. The (not tomcat, and not written by me) poorly designed webapp ran as root. The attacker used an error in PHP to retrieve /etc/shadow. Once they had that file, they looked up the hashed passwords in a dictionary. They then installed a simple shell running on a port and set up a trojaned SSH daemon. I pretty much noticed right away because the SSH daemon didn't work right.

You can read a complete narrative here:

http://archive.lug.boulder.co.us/Week-of-Mon-20070903/035231.html

The first time I heard of this attack was in Cliff Stoll's book "The Cuckoo's Egg". If you haven't read it, you should. The issues haven't changed in the 20 years since it was published.

You should also read Bruce Schneier's book "Applied Cryptography". It's really tough to understand computer security without understanding cryptography.

> According to your 'argument' that is 'security by obscurity'. You
> better break that to the GNU crowd gently.
> Having a username and password in clear text allows another account to
> be compromised. And, if that account is on another box holding your DB,
> then the attacker has two boxes for the price of one.
> This is additionally worse, as in a secure environment, the DB is
> usually in a different architecture layer or vlan.
>
> On 31/10/10 8:01 AM, "Pid *" <p...@pidster.com> wrote:
>
> On 30 Oct 2010, at 15:20, Darryl Lewis <darryl.le...@unsw.edu.au>
> wrote:
>
> > Well so far all this discussion has done is to make me realise that
> > tomcat should not be used in an environment that requires security.
>
> Complete nonsense.
>

George Sexton
MH Software, Inc.
303 438-9585
www.mhsoftware.com

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org