Bug 178165 - Insecure storage of server admin passwords
Insecure storage of server admin passwords
Status: VERIFIED FIXED
Product: serverplugins
Classification: Unclassified
Component: Infrastructure
6.x
All All
: P2 (vote)
: 7.0.1
Assigned To: Petr Hejl
issues@serverplugins
: 7.0_WAIVER_APPROVED
Depends on: 173413
Blocks:
  Show dependency treegraph
 
Reported: 2009-12-04 12:52 UTC by Jesse Glick
Modified: 2011-05-12 11:14 UTC (History)
4 users (show)

See Also:
Issue Type: DEFECT
:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jesse Glick 2009-12-04 12:52:29 UTC
At least in the case of GFv2, admin passwords for Java EE servers seem to be stored insecurely in the userdir:

---%<--- glassfish.properties
...
sjsas.password=adminadmin
...
---%<--- config/J2EE/InstalledServers/.nbattrs
...
        <attr name="password" stringvalue="adminadmin"/>
...
---%<---

Such passwords should be stored in a secure keyring (see pending API). For compatibility, when encountering the old settings format, read the password, save it to the keyring, and then delete it from disk.

o.n.m.j2ee.deployment.impl.ServerRegistry.addInstance/writeInstanceToFile seems to be responsible for the J2EE/InstalledServers storage. Might as well switch to NbPreferences while you're at it; persisting settings in .nbattrs files is rather unpleasant. o.n.m.j2ee.sun.ide.j2ee.PluginProperties.registerDefaultDomain looks like it needs to change as well, maybe others.

glassfish.properties seems to come from o.n.m.j2ee.sun.ide.dm.SunDeploymentManager.storeAntDeploymentProperties. You need to find some way to send the password information to Ant without storing it in a file first - especially one that is world-readable and kept at all times in the userdir! Passing -Dserver.password=... on the command line is better, though including passwords in argv is generally considered poor practice too (e.g. 'jps -lm' reveals them).
Comment 1 Vince Kraemer 2010-02-01 09:25:41 UTC
it is mine now
Comment 2 Vince Kraemer 2010-02-10 07:29:21 UTC
I will help finish the propagation of the Keyring api into the j2ee.sun.* modules for 6.9...
Comment 3 Jesse Glick 2010-02-10 10:34:41 UTC
I categorized all such issues as DEFECTs since the current state may permit user passwords to be compromised.
Comment 4 Vince Kraemer 2010-02-16 17:06:40 UTC
http://hg.netbeans.org/web-main/rev/3a6c4e72612e
Comment 5 Jesse Glick 2010-02-16 17:15:56 UTC
Looks reasonable from what I can understand. Minor comments:

- key description need not start with ' '

- GlassfishModule.PASSWORD_CONVERTED_FLAG is odd; generally you would simply delete the password from old storage after conversion. But perhaps there is some reason for doing it this way that is specific to server config files.
Comment 6 Quality Engineering 2010-02-17 22:00:30 UTC
Integrated into 'main-golden', will be available in build *201002180200* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/3a6c4e72612e
User: vince kraemer <vkraemer@netbeans.org>
Log: #178165: use the keyring for the admin passwords
Comment 7 Petr Hejl 2011-04-07 09:49:03 UTC
We have to do this for other servers as well.
Comment 8 Petr Jiricka 2011-04-08 09:14:32 UTC
This is really a P2 *defect*, needs to be fixed for 7.0.1.
Comment 9 Petr Hejl 2011-04-08 11:13:16 UTC
Fixed in web-main ea5a6231a5d8 and 519d03495203.
Comment 10 Quality Engineering 2011-04-09 08:40:01 UTC
Integrated into 'main-golden', will be available in build *201104090401* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/ea5a6231a5d8
User: phejl@netbeans.org
Log: #178165 Insecure storage of server admin passwords
Comment 11 Petr Hejl 2011-04-11 13:57:18 UTC
Avoid EDT usage: web-main fead1e05a030.
Comment 12 Quality Engineering 2011-04-12 08:41:54 UTC
Integrated into 'main-golden', will be available in build *201104120401* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/fead1e05a030
User: phejl@netbeans.org
Log: #178165 Insecure storage of server admin passwords
Comment 13 Quality Engineering 2011-04-13 08:42:49 UTC
Integrated into 'main-golden', will be available in build *201104130401* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/3a5d840491bd
User: phejl@netbeans.org
Log: #178165 Insecure storage of server admin passwords - deadlock fix
Comment 14 Quality Engineering 2011-04-21 04:56:43 UTC
Integrated into 'main-golden', will be available in build *201104210000* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/cb99fb87b64f
User: phejl@netbeans.org
Log: #178165 Insecure storage of server admin passwords - deadlock fix
Comment 15 Jiri Skrivanek 2011-05-03 08:39:06 UTC
For Tomcat server the password is still stored in <userdir>/tomcat.properties for headless deployment. Please, do not store the password and rather modify ant-deploy.xml script to print warning that user has to provide password himself to be able to deploy from command line (Jesse already pointed this out in the last paragraph of the original description). Affected source file:

tomcat5\src\org\netbeans\modules\tomcat5\AntDeploymentProviderImpl.java

Moreover headless deployment is not working and needs to be fixed (see bug 198271).
Comment 16 Petr Hejl 2011-05-03 09:17:13 UTC
Fixed in web-main 187973203f7b.
Comment 17 Quality Engineering 2011-05-05 06:19:22 UTC
Integrated into 'main-golden', will be available in build *201105050000* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/187973203f7b
User: phejl@netbeans.org
Log: #178165 Insecure storage of server admin passwords
Comment 18 Jiri Skrivanek 2011-05-05 08:37:08 UTC
Verified in trunk build 201105050000. Please, merge to 70 patch 1 branch.
Comment 19 Petr Hejl 2011-05-05 08:44:01 UTC
(In reply to comment #18)
> Verified in trunk build 201105050000. Please, merge to 70 patch 1 branch.
That would mean merging all previous patches and deadlock fixes. That seems too risky to me. Do we really want to do that for patch 1?
Comment 20 Quality Engineering 2011-05-07 05:35:51 UTC
Integrated into 'main-golden', will be available in build *201105070000* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/4406cc376cdb
User: phejl@netbeans.org
Log: #178165 Insecure storage of server admin passwords


By use of this website, you agree to the NetBeans Policies and Terms of Use. © 2012, Oracle Corporation and/or its affiliates. Sponsored by Oracle logo