Thread: [TM4J-users] security flaw in install_hibernate.txt?

Status: Alpha

Brought to you by: c_froehlich, conal_tuohy, ifurusato, kal_ahmed

tm4j-users

[TM4J-users] security flaw in install_hibernate.txt?

From: <mag...@st...> - 2006-05-26 12:33:24

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've just read through the
http://tm4j.org/tm4j/docs/install_hibernate.txt and I think there's
something fishy about some of the stuff in there:

- ----------------
mysql> GRANT ALL PRIVILEGES ON *.* TO 'tm4j'@'localhost'
    ->     IDENTIFIED BY 'some_pass' WITH GRANT OPTION;
mysql> GRANT ALL PRIVILEGES ON *.* TO 'tm4j'@'%'
    ->     IDENTIFIED BY 'some_pass' WITH GRANT OPTION;
- ----------------

I can't see why tm4j should get root privileges? Wouldn't it be better
to grant tm4j access to the database tm4j  (tm4j.*) and create this db
before granting privileges to users, and not afterwards like in the howto?
Further, it should be pointed out that granting access to tm4j@'%' is
_only_ necessary if the db is not running at localhost.

- --
best regards
Magnus
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org

iD8DBQFEdvWJB6/gap0IM6sRAjD+AJ0UzeEWYvWF3LzaxaudROcWpRAg6ACgk2XV
oq8lNr9a7bJfryZjAOOUSo0=
=Jenl
-----END PGP SIGNATURE-----

Re: [TM4J-users] security flaw in install_hibernate.txt?

From: Kal A. <ka...@te...> - 2006-05-29 11:34:32

Agreed the security could be made tighter. I think that the goal of this=20
document is about how to get something up and running in a development=20
environment rather than how to get a live deployment running. To be=20
honest, I still think of the Hibernate backend as a development=20
environment as it has so many flaws (like not supporting tolog querying=20
and being s-l-o-o-o-w).

I would be happy to see someone write a proper installation guide for=20
TM4J/Hibernate/MySQL (I guess that MySQL would be the most commonly used=20
database), but preferably in Docbook format so that it could go into the=20
  rest of the "standard" docs.

Cheers

Kal

Magnus Folger=F8 wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>=20
> I've just read through the
> http://tm4j.org/tm4j/docs/install_hibernate.txt and I think there's
> something fishy about some of the stuff in there:
>=20
> - ----------------
> mysql> GRANT ALL PRIVILEGES ON *.* TO 'tm4j'@'localhost'
>     ->     IDENTIFIED BY 'some_pass' WITH GRANT OPTION;
> mysql> GRANT ALL PRIVILEGES ON *.* TO 'tm4j'@'%'
>     ->     IDENTIFIED BY 'some_pass' WITH GRANT OPTION;
> - ----------------
>=20
> I can't see why tm4j should get root privileges? Wouldn't it be better
> to grant tm4j access to the database tm4j  (tm4j.*) and create this db
> before granting privileges to users, and not afterwards like in the how=
to?
> Further, it should be pointed out that granting access to tm4j@'%' is
> _only_ necessary if the db is not running at localhost.
>=20
> - --
> best regards
> Magnus
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
> Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org
>=20
> iD8DBQFEdvWJB6/gap0IM6sRAjD+AJ0UzeEWYvWF3LzaxaudROcWpRAg6ACgk2XV
> oq8lNr9a7bJfryZjAOOUSo0=3D
> =3DJenl
> -----END PGP SIGNATURE-----
>=20
>=20
> -------------------------------------------------------
> All the advantages of Linux Managed Hosting--Without the Cost and Risk!
> Fully trained technicians. The highest number of Red Hat certifications=
 in
> the hosting industry. Fanatical Support. Click to learn more
> http://sel.as-us.falkag.net/sel?cmd=3Dlnk&kid=3D107521&bid=3D248729&dat=
=3D121642
> _______________________________________________
> Tm4j-users mailing list
> Tm4...@li...
> https://lists.sourceforge.net/lists/listinfo/tm4j-users
>=20
>=20

Re: [TM4J-users] security flaw in install_hibernate.txt?

From: <mag...@st...> - 2006-05-29 11:53:44

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Kal Ahmed wrote:
> Agreed the security could be made tighter. I think that the goal of this
> document is about how to get something up and running in a development
> environment rather than how to get a live deployment running. To be
> honest, I still think of the Hibernate backend as a development
> environment as it has so many flaws (like not supporting tolog querying
> and being s-l-o-o-o-w).

...so I migth be better off just using the In-memory Backend?


> I would be happy to see someone write a proper installation guide for
> TM4J/Hibernate/MySQL (I guess that MySQL would be the most commonly used
> database), but preferably in Docbook format so that it could go into the
>  rest of the "standard" docs.
> 
> Cheers
> 
> Kal
> 
> Magnus Folgerø wrote:
> I've just read through the
> http://tm4j.org/tm4j/docs/install_hibernate.txt and I think there's
> something fishy about some of the stuff in there:
> 
> ----------------
> mysql> GRANT ALL PRIVILEGES ON *.* TO 'tm4j'@'localhost'
>     ->     IDENTIFIED BY 'some_pass' WITH GRANT OPTION;
> mysql> GRANT ALL PRIVILEGES ON *.* TO 'tm4j'@'%'
>     ->     IDENTIFIED BY 'some_pass' WITH GRANT OPTION;
> ----------------
> 
> I can't see why tm4j should get root privileges? Wouldn't it be better
> to grant tm4j access to the database tm4j  (tm4j.*) and create this db
> before granting privileges to users, and not afterwards like in the
> howto?
> Further, it should be pointed out that granting access to tm4j@'%' is
> _only_ necessary if the db is not running at localhost.
> 
> --
> best regards
> Magnus
>>
>>
- -------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat
certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
_______________________________________________
Tm4j-users mailing list
Tm4...@li...
https://lists.sourceforge.net/lists/listinfo/tm4j-users
>>
>>

> -------------------------------------------------------
> All the advantages of Linux Managed Hosting--Without the Cost and Risk!
> Fully trained technicians. The highest number of Red Hat certifications in
> the hosting industry. Fanatical Support. Click to learn more
> http://sel.as-us.falkag.net/sel?cmd=k&kid7521&bid$8729&dat1642
> _______________________________________________
> Tm4j-users mailing list
> Tm4...@li...
> https://lists.sourceforge.net/lists/listinfo/tm4j-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org

iD8DBQFEeuC9B6/gap0IM6sRAjacAJ9JDyBXgkoSNT9GDhUvRz0IPFmWaQCfVUjw
IcAxfLO5qSVjAoKAOr9+Jek=
=fB9i
-----END PGP SIGNATURE-----