Re: [TM4J-users] security flaw in install_hibernate.txt?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Agreed the security could be made tighter. I think that the goal of this=20
document is about how to get something up and running in a development=20
environment rather than how to get a live deployment running. To be=20
honest, I still think of the Hibernate backend as a development=20
environment as it has so many flaws (like not supporting tolog querying=20
and being s-l-o-o-o-w).

I would be happy to see someone write a proper installation guide for=20
TM4J/Hibernate/MySQL (I guess that MySQL would be the most commonly used=20
database), but preferably in Docbook format so that it could go into the=20
  rest of the "standard" docs.

Cheers

Kal

Magnus Folger=F8 wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>=20
> I've just read through the
> http://tm4j.org/tm4j/docs/install_hibernate.txt and I think there's
> something fishy about some of the stuff in there:
>=20
> - ----------------
> mysql> GRANT ALL PRIVILEGES ON *.* TO 'tm4j'@'localhost'
>     ->     IDENTIFIED BY 'some_pass' WITH GRANT OPTION;
> mysql> GRANT ALL PRIVILEGES ON *.* TO 'tm4j'@'%'
>     ->     IDENTIFIED BY 'some_pass' WITH GRANT OPTION;
> - ----------------
>=20
> I can't see why tm4j should get root privileges? Wouldn't it be better
> to grant tm4j access to the database tm4j  (tm4j.*) and create this db
> before granting privileges to users, and not afterwards like in the how=
to?
> Further, it should be pointed out that granting access to tm4j@'%' is
> _only_ necessary if the db is not running at localhost.
>=20
> - --
> best regards
> Magnus
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
> Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org
>=20
> iD8DBQFEdvWJB6/gap0IM6sRAjD+AJ0UzeEWYvWF3LzaxaudROcWpRAg6ACgk2XV
> oq8lNr9a7bJfryZjAOOUSo0=3D
> =3DJenl
> -----END PGP SIGNATURE-----
>=20
>=20
> -------------------------------------------------------
> All the advantages of Linux Managed Hosting--Without the Cost and Risk!
> Fully trained technicians. The highest number of Red Hat certifications=
 in
> the hosting industry. Fanatical Support. Click to learn more
> http://sel.as-us.falkag.net/sel?cmd=3Dlnk&kid=3D107521&bid=3D248729&dat=
=3D121642
> _______________________________________________
> Tm4j-users mailing list
> Tm4...@li...
> https://lists.sourceforge.net/lists/listinfo/tm4j-users
>=20
>=20