Posted to users@tomcat.apache.org by Robert Hicks <ro...@gmail.com> on 2020/05/09 00:19:55 UTC

Tomcat shutdown password complexity

I am trying to find what the password complexity can be. I've looked at
several hardening guides and they are all "WordsLikeThis". Does the
shutdown password take symbols and numbers or at least hyphenated words?

Thanks,

Bob

Re: Tomcat shutdown password complexity

Posted by Konstantin Kolinko <kn...@gmail.com>.
Sun, 10 May 2020 at 22:20, Mark Thomas <ma...@apache.org>:
>
> On May 10, 2020 11:31:02 AM UTC, calder <ca...@gmail.com> wrote:
>
> <snip/>
>
> >I asked the DevOps person about the error - turns out it was a
> >SAXParseException when using the & char in the string.
>
> That is standard XML. You have to escape reserved characters in the XML.

+1.

XML is a data format.

> > He vaguely
> >remembers a shell issue with the bang char.
>
> I think he is mistaken. There is no issue using ! in XML.
>
> There are no limitations on the characters for the shutdown password. You might need to encode some of them to define the password in XML but that is all.

Control characters (e.g. CR, LF:  &#13; and &#10;) - anything with
code less than whitespace(32) and the character with code 127 cannot
be used. Anything else can be.

For reference, the await loop that waits for the shutdown command:
https://github.com/apache/tomcat/blob/master/java/org/apache/catalina/core/StandardServer.java#L596

Note lines 546-548:
if (ch < 32 || ch == 127) {
break;
}
command.append((char) ch);

The code that sends the command:
https://github.com/apache/tomcat/blob/master/java/org/apache/catalina/startup/Catalina.java#L538

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat shutdown password complexity

Posted by Mark Thomas <ma...@apache.org>.
On May 10, 2020 11:31:02 AM UTC, calder <ca...@gmail.com> wrote:

<snip/>

>I asked the DevOps person about the error - turns out it was a
>SAXParseException when using the & char in the string. 

That is standard XML. You have to escape reserved characters in the XML.

> He vaguely
>remembers a shell issue with the bang char.

I think he is mistaken. There is no issue using ! in XML.

There are no limitations on the characters for the shutdown password. You might need to encode some of them to define the password in XML but that is all.

Mark




Re: Tomcat shutdown password complexity

Posted by calder <ca...@gmail.com>.
On Sat, May 9, 2020 at 5:09 PM Christopher Schultz
<ch...@christopherschultz.net> wrote:
> On 5/9/20 00:36, calder wrote:
> > On Fri, May 8, 2020 at 9:07 PM calder <ca...@gmail.com>

[snip]
> > Keep in mind - some characters won't work like & or ( or ) - at
> > least on Unix-style OSes as the shell may want to interpret them.
>
> What makes you say that? What does the shell have to do with anything?

I asked the DevOps person about the error - turns out it was a
SAXParseException when using the & char in the string. He vaguely
remembers a shell issue with the bang char.



Re: Tomcat shutdown password complexity

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Calder,

On 5/9/20 00:36, calder wrote:
> On Fri, May 8, 2020 at 9:07 PM calder <ca...@gmail.com>
> wrote:
>>
>> On Fri, May 8, 2020, 19:20 Robert Hicks <ro...@gmail.com>
>> wrote:
>>>
>>> I am trying to find what the password complexity can be. I've
>>> looked at several hardening guides and they are all
>>> "WordsLikeThis". Does the shutdown password take symbols and
>>> numbers or at least hyphenated words?
>>
>>
>> We've never had occasion to use the password, because we disable
>> shutdown (the better option).
>>
>> However, my best guess one could use anything.  One could check
>> the source code, or better yet, set up a Dev instance and give it
>> a quick test - a 15 minute exercise at most.
>
> Gave it a test.
>
> In server.xml, we have <Server port="8005" shutdown="fdsa$#@JKL:^"
> >
>
> and then fire it up
>
> user@stimpy:~/bin/apache-tomcat/bin> ./catalina.sh start  > log.log
> 2>&1
>
> user@stimpy:~/bin/apache-tomcat/bin> ps aux | grep java user   7223
> 531  1.2 21006280 812812 pts/2 Sl   23:22   0:13 /home/ [ ... ]
>
> user@stimpy:~/bin/apache-tomcat/bin> ./shutdown.sh stop
>
> user@stimpy:~/bin/apache-tomcat/bin> ps aux | grep "bin/java" [ no
> response ]
>
> If we start up TC and change  server.xml entry to (removed one char
> at end) <Server port="8005" shutdown="fdsa$#@JKL:"> TC won't shut
> down.
>
> Keep in mind - some characters won't work like & or ( or ) - at
> least on Unix-style OSes as the shell may want to interpret them.

What makes you say that? What does the shell have to do with anything?

-chris


Re: Tomcat shutdown password complexity

Posted by calder <ca...@gmail.com>.
On Fri, May 8, 2020 at 9:07 PM calder <ca...@gmail.com> wrote:
>
> On Fri, May 8, 2020, 19:20 Robert Hicks <ro...@gmail.com> wrote:
>>
>> I am trying to find what the password complexity can be. I've looked at
>> several hardening guides and they are all "WordsLikeThis". Does the
>> shutdown password take symbols and numbers or at least hyphenated words?
>
>
> We've never had occasion to use the password, because we disable shutdown (the better option).
>
> However, my best guess one could use anything.  One could check the source code, or better yet, set up a Dev instance and give it a quick test - a 15 minute exercise at most.

Gave it a test.

In server.xml, we have
<Server port="8005" shutdown="fdsa$#@JKL:^" >

and then fire it up

user@stimpy:~/bin/apache-tomcat/bin> ./catalina.sh start  > log.log 2>&1

user@stimpy:~/bin/apache-tomcat/bin> ps aux | grep java
user   7223  531  1.2 21006280 812812 pts/2 Sl   23:22   0:13 /home/ [ ... ]

user@stimpy:~/bin/apache-tomcat/bin> ./shutdown.sh stop

user@stimpy:~/bin/apache-tomcat/bin> ps aux | grep "bin/java"
[ no response ]

If we start up TC and change  server.xml entry to (removed one char at end)
<Server port="8005" shutdown="fdsa$#@JKL:">
TC won't shut down.

Keep in mind - some characters won't work like & or ( or ) - at least
on Unix-style OSes as the shell may want to interpret them.

Experiment with whatever chars you want.

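An added example (my own code, not Tomcat's and not from anyone in this thread) that puts calder's test above and Konstantin's reading of the await loop together: it lists the characters the quoted check "ch < 32 || ch == 127" would cut the command at, escapes a candidate password for the shutdown attribute in server.xml, and simulates the exchange so you can see why a control character in the password makes shutdown fail. Function names are mine, and the single-byte (latin-1) encoding of the password on the wire is an assumption; the thread only discusses ASCII passwords.

```python
from io import BytesIO
from xml.sax.saxutils import quoteattr


def unusable_chars(password):
    """Characters the quoted await loop treats as end-of-command
    (code below 32, i.e. below space, or exactly 127)."""
    return [c for c in password if ord(c) < 32 or ord(c) == 127]


def server_xml_attribute(password):
    """Render the value for shutdown="..." in server.xml.
    '&' and '<' are what trigger the SAXParseException mentioned in the
    thread; quoteattr escapes them (and CR/LF/TAB as &#13; &#10; &#9;)
    and wraps the result in quotes, switching to single quotes if the
    password itself contains a double quote."""
    return quoteattr(password)


def read_shutdown_command(stream):
    """Mirror of the three quoted lines from StandardServer.await():
    collect bytes until a control character (or end of stream) is seen.
    The rest of Tomcat's loop is deliberately not reproduced here."""
    command = []
    while True:
        b = stream.read(1)
        if not b:  # end of stream behaves like the loop's ch == -1 (< 32)
            break
        ch = b[0]
        if ch < 32 or ch == 127:
            break
        command.append(chr(ch))
    return "".join(command)


def shutdown_would_succeed(configured, sent):
    """Simulate shutdown.sh sending `sent` to a server configured with
    `configured`: the server reads up to the first control character and
    compares the collected string with its configured password.
    Assumption: one byte per character (latin-1), which covers ASCII."""
    received = read_shutdown_command(BytesIO(sent.encode("latin-1")))
    return received == configured


if __name__ == "__main__":
    for pw in ["fdsa$#@JKL:^", "p!ng&(x)", "a\nb"]:
        print(repr(pw), "xml:", server_xml_attribute(pw),
              "unusable:", unusable_chars(pw),
              "shutdown works:", shutdown_would_succeed(pw, pw))
```

Run it as a script to see that the symbols calder tested are accepted, that "&" merely needs escaping in server.xml, and that a password containing a newline can never match because the server stops reading at it.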


Re: Tomcat shutdown password complexity

Posted by calder <ca...@gmail.com>.
On Fri, May 8, 2020, 19:20 Robert Hicks <ro...@gmail.com> wrote:

> I am trying to find what the password complexity can be. I've looked at
> several hardening guides and they are all "WordsLikeThis". Does the
> shutdown password take symbols and numbers or at least hyphenated words?
>

We've never had occasion to use the password, because we disable shutdown
(the better option).

However, my best guess one could use anything.  One could check the source
code, or better yet, set up a Dev instance and give it a quick test - a 15
minute exercise at most.
