Posted to users@tomcat.apache.org by Rob Tanner <rt...@cheshire.onlinemac.com> on 2001/03/01 17:01:41 UTC
Protecting mysql access (was: re: mySQL again)
Slightly off topic, but important!
Having seen way too much in terms of hacking and system compromises,
might I suggest you create another, and far less privileged user than
root, for accessing mysql. Unless you've gone into the grant tables
and created a different mysql superuser and reduced root's priv, then
the root login to mysql is like root on unix, superuser, God, etc. If
multiple users have shell access to the tomcat host system, and those
same users are not authorized as mysql root, then I know of no way to
keep unauthorized eyes from looking at the server.xml file other than
by making it sysroot protected. But to do that, you need to run tomcat
under root.
If anyone has a good mechanism for securing the server's and/or
servlet's credential for db access, I'd certainly love to hear it.
That issue has been my one and only thorn in the side since I began
switching from perl/cgi (where the solution to that issue is a
no-brainer) to using tomcat.
-- Rob
--On Thursday, March 01, 2001 10:19:13 AM +0100 leak@gmx.at wrote:
>> Hi!
>> My connectionURL in server.xml now looks like this:
>> "jdbc:mysql://localhost/auth?user=root&password=somepassword"
>>
>> and tomcat doesn't start up (although there is no error msg or
>> anything) and when I execute tomcat stop I get the following
>> exception:
>> org.xml.sax.SAXParseException: Next character must be ";" terminating
>> reference to entity "password" and a stack trace follows...
>>
>> why is that?
>
> I guess you should escape the "&" character in your connectionURL by
> replacing it with "&amp;", as the XML parser will parse entities like
> "&lt;" or "&quot;" or things like that...
>
> Try
>
> jdbc:mysql://localhost/auth?user=root&amp;password=somepassword
>
> instead, that should work...
>
> np: Flanger - Nightbeat 1 (Midnight Sound)
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, email: tomcat-user-help@jakarta.apache.org
>
_ _ _ _ _ _ _ _ _ _
/\_\_\_\_\ /\_\ /\_\_\_\_\_\
/\/_/_/_/_/ /\/_/ \/_/_/_/_/_/ QUIDQUID LATINE DICTUM SIT,
/\/_/__\/_/ __ /\/_/ /\/_/ PROFUNDUM VIDITUR
/\/_/_/_/_/ /\_\ /\/_/ /\/_/
/\/_/ \/_/ /\/_/_/\/_/ /\/_/ (Whatever is said in Latin
\/_/ \/_/ \/_/_/_/_/ \/_/ appears profound)
Rob Tanner
McMinnville, Oregon
rtanner@cheshire.onlinemac.com
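The two problems raised so far, the unterminated "&password" entity that the XML parser choked on and the question of who else on the host can read the file holding the credentials, can both be checked mechanically. The following is an added example written for this page; it is not code from the thread, from Tomcat or from MySQL. It uses the connection URL quoted above (with its placeholder password) in a simplified `<Realm connectionURL=...>` fragment, which is an assumption about the shape of server.xml, and a permission check that takes a raw `st_mode` so it can be exercised without touching disk.

```python
# Added example, not code from the thread or from Tomcat: escape the JDBC URL
# for an XML attribute (the SAXParseException above) and audit who can read
# the file that carries the credentials (the server.xml concern above).
import os
import stat
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed sample: the URL quoted in the thread (placeholder password).
CONNECTION_URL = "jdbc:mysql://localhost/auth?user=root&password=somepassword"


def realm_fragment(url: str, escape: bool = True) -> str:
    """Build a minimal server.xml-style element carrying the URL.

    With escape=True the value goes through quoteattr(), which turns & into
    &amp; (and < and quotes into their entities) and adds the surrounding
    quotes.  escape=False reproduces the broken attribute from the thread.
    The element shape is an assumption, not taken from a real server.xml.
    """
    attr = quoteattr(url) if escape else '"%s"' % url
    return "<Realm connectionURL=%s />" % attr


def parse_connection_url(xml_text: str):
    """Return the connectionURL attribute, or None when the XML is not well-formed.

    A bare '&password=' is read as the start of an entity reference that never
    reaches its ';', which is the parse error Tomcat reported in the thread.
    """
    try:
        return ET.fromstring(xml_text).get("connectionURL")
    except ET.ParseError:
        return None


def mode_problems(mode: int) -> list:
    """List the permission bits that expose a credential file to other local users.

    Takes a raw st_mode so the check can be exercised without a real file.
    """
    problems = []
    if mode & stat.S_IRGRP:
        problems.append("group-readable")
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems


def audit_config_file(path: str) -> list:
    """Apply mode_problems() to a real file such as conf/server.xml."""
    return mode_problems(os.stat(path).st_mode)


if __name__ == "__main__":
    broken = realm_fragment(CONNECTION_URL, escape=False)
    fixed = realm_fragment(CONNECTION_URL)
    print("unescaped parses:", parse_connection_url(broken) is not None)
    print("escaped fragment: ", fixed)
    print("round-trips:     ", parse_connection_url(fixed) == CONNECTION_URL)
    for mode in (0o600, 0o640, 0o644):
        print("mode %o ->" % mode, mode_problems(mode) or "ok")
```

The round trip matters: the escaped attribute is what goes into the file, but the parser hands the original `&` back to the application, so the JDBC driver never sees `&amp;`. The mode check only reports bits; whether a group-readable file is acceptable depends on who is in that group, which is the point the thread goes on to argue.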
Re: Protecting mysql access (was: re: mySQL again)
Posted by Rob Tanner <rt...@cheshire.onlinemac.com>.
But that doesn't address the basic issue. If you have login privs on
the machine and a shell account, or you've managed to sniff a password
of someone who does, etc, then you have a potential security hole.
Remember also, that more damage in terms of dollar value comes from
inside, from those very folks you trust. The whole point of my post
was that without locking down server.xml as root readable only, there's
a good chance a user with ordinary privs might successfully read it --
this is a localhost, not a network issue. And other than running
tomcat under root, I don't know of any sure fire way to secure the db
credentials tomcat and/or various servlets require to access the
database (and, of course, the same is true whether it's mysql, oracle,
sybase, postgres, etc, etc, etc). As for your comment that in that
case one has "other security problems besides MySQL!", I can't agree
more. But at the same time, should you make matters worse by making
the db root password readily available to snooping eyes?
-- Rob
--On Thursday, March 01, 2001 08:51:09 AM -0800 Rick Herrick
<ri...@violetshivers.com> wrote:
> On our server, we basically grant NO remote access privileges to ANY
> users, including root. This means that any access to the database
> has to be done from the localhost. So instead of doing the two
> normal grants you might do, like this:
>
> GRANT SELECT,INSERT,UPDATE ON *.* TO soandso@localhost IDENTIFIED BY
> 'password';
> GRANT SELECT,INSERT,UPDATE ON *.* TO soandso@"%" IDENTIFIED BY 'password';
>
> The first allows access from the localhost. The second allows remote
> access. Just don't do the second. Then someone has to hack in and
> get local access to the database somehow and if they can do that,
> then you've got other security problems besides MySql!
>
>
> --
> Rick Herrick
> rick@violetshivers.com
> Nothing is amusing in zero gravity...
> PGP: http://www.rickherrick.com/pgpkey
>
Re: Protecting mysql access (was: re: mySQL again)
Posted by Rick Herrick <ri...@violetshivers.com>.
On our server, we basically grant NO remote access privileges to ANY users,
including root. This means that any access to the database has to be done
from the localhost. So instead of doing the two normal grants you might
do, like this:
GRANT SELECT,INSERT,UPDATE ON *.* TO soandso@localhost IDENTIFIED BY
'password';
GRANT SELECT,INSERT,UPDATE ON *.* TO soandso@"%" IDENTIFIED BY 'password';
The first allows access from the localhost. The second allows remote
access. Just don't do the second. Then someone has to hack in and get
local access to the database somehow and if they can do that, then you've
got other security problems besides MySql!
--
Rick Herrick
rick@violetshivers.com
Nothing is amusing in zero gravity...
PGP: http://www.rickherrick.com/pgpkey
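Rick's rule (no `@"%"` host, only `@localhost`) is easy to state and easy to let slip once a server has accumulated accounts, so it is worth checking against what the server actually holds rather than against what was intended. The following is an added example, not code from the thread or from MySQL: it parses lines in the shape of `SHOW GRANTS` output and flags the remote host pattern Rick warns against, together with two related departures from least privilege that Rob's posts argue for (global `*.*` scope instead of the one `auth` database from the connection URL, and `ALL PRIVILEGES` or `WITH GRANT OPTION` on the account the application uses). The sample lines are constructed; the `tomcat` account and the `*PLACEHOLDER` hashes are hypothetical.

```python
# Added example, not code from the thread or from MySQL: audit SHOW GRANTS
# output against the advice above (localhost-only accounts, no global scope).
import re

# Constructed sample in the shape of SHOW GRANTS output: the two accounts from
# the thread, a root account, and one hypothetical tightened account scoped to
# the 'auth' database named in the connection URL.  Hashes are placeholders.
SAMPLE_GRANTS = [
    "GRANT SELECT, INSERT, UPDATE ON *.* TO 'soandso'@'localhost' IDENTIFIED BY PASSWORD '*PLACEHOLDER'",
    "GRANT SELECT, INSERT, UPDATE ON *.* TO 'soandso'@'%' IDENTIFIED BY PASSWORD '*PLACEHOLDER'",
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE ON `auth`.* TO 'tomcat'@'localhost'",
]

# Privileges, scope, and the user@host pair; quotes around user and host are
# optional because hand-typed grants (as in the thread) often omit them.
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"['\"]?(?P<user>[^'\"@\s]+)['\"]?@['\"]?(?P<host>[^'\"\s]+)['\"]?",
    re.IGNORECASE,
)
GRANT_OPTION_RE = re.compile(r"\bWITH\s+GRANT\s+OPTION\b", re.IGNORECASE)

# Hosts that count as "local only" for this audit.
LOCAL_HOSTS = ("localhost", "127.0.0.1")


def parse_grant(line: str):
    """Split one GRANT statement into its parts; None if the line is not a grant."""
    m = GRANT_RE.match(line.strip())
    if not m:
        return None
    return {
        "privs": [p.strip().upper() for p in m.group("privs").split(",")],
        "scope": m.group("scope").replace("`", ""),
        "user": m.group("user"),
        "host": m.group("host"),
        "grant_option": bool(GRANT_OPTION_RE.search(line)),
    }


def grant_findings(line: str, local_hosts=LOCAL_HOSTS) -> list:
    """Return the ways one grant departs from least privilege (empty list = fine)."""
    g = parse_grant(line)
    if g is None:
        return ["unrecognised GRANT line"]
    findings = []
    if g["host"] not in local_hosts:
        # Rick's point: any host pattern other than localhost opens remote logins.
        findings.append("remote host pattern %s" % g["host"])
    if g["scope"] == "*.*":
        # Global scope reaches every database, including the grant tables.
        findings.append("global scope *.*")
    if any(p in ("ALL", "ALL PRIVILEGES") for p in g["privs"]):
        findings.append("ALL PRIVILEGES")
    if g["grant_option"]:
        findings.append("WITH GRANT OPTION")
    return findings


def audit_grants(lines) -> dict:
    """Map 'user@host' to its findings, listing only accounts with at least one."""
    report = {}
    for line in lines:
        g = parse_grant(line)
        key = "%s@%s" % (g["user"], g["host"]) if g else line.strip()
        findings = grant_findings(line)
        if findings:
            report.setdefault(key, []).extend(findings)
    return report


if __name__ == "__main__":
    for account, findings in sorted(audit_grants(SAMPLE_GRANTS).items()):
        print(account, "->", "; ".join(findings))
```

Run against the sample, the `soandso@%` account is reported for the remote host pattern, both `soandso` accounts for `*.*` scope, and `root@localhost` for its global `ALL PRIVILEGES` with `GRANT OPTION`; the database-scoped `tomcat@localhost` account produces no findings. In practice the lines would come from `SHOW GRANTS FOR` each account listed in `mysql.user`, which is the inventory this check is meant to be run over.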