Ticket metadata
Id: 2972
Status: resolved
Priority: 4/0
Queue: vdt-support

Fixed in: 1.8.1a
Fix scheduled: (no value)

Owner: Tim Cartwright
Requestors: weigand@fnal.gov
Cc: packard@bnl.gov
AdminCc:

Created: Thu Sep 20 12:44:06 2007
Starts: Not set
Started: Not set
Last Contact: Tue Oct 02 09:38:35 2007
Due: Not set
Closed: Tue Oct 02 09:38:35 2007
Updated: Tue Oct 02 09:52:59 2007 by cat



Subject: GUMS catalina.out log in 1.8.1 w/gums password
Date: Thu, 20 Sep 2007 12:37:56 -0500
To: vdt-support <vdt-support@OPENSCIENCEGRID.ORG>
From: John Weigand <weigand@fnal.gov>
In the VDT 1.8.1 distribution of GUMS I noticed that the password to
the GUMS database is being displayed in the catalina.out log file on
startup I presume. In the catalina.out listing below, I have replaced
my gums password with 'XXXXXXXXXX' for obvious reasons.

I cannot figure out if any specific function is causing it, or if it
is just during an initialization of a thread.

I do run the 'gums poolAddRange' right after start up, but it does not
appear every time.

John Weigand

INFO: Find registry server-registry.xml at classpath resource
Sep 20, 2007 11:18:33 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 6098 ms
Initializing c3p0 pool...
com.mchange.v2.c3p0.PoolBackedDataSource@5646a5 [
connectionPoolDataSource ->
com.mchange.v2.c3p0.WrapperConnectionPoolDataSource@3c35fd [
acquireIncrement -> 1, autoCommitOnClose -> false,
connectionTesterClassName ->
com.mchange.v2.c3p0.impl.DefaultConnectionTester, factoryClassLocation
-> null, forceIgnoreUnresolvedTransactions -> false,
idleConnectionTestPeriod -> 0, initialPoolSize -> 3, maxIdleTime ->
180, maxPoolSize -> 20, maxStatements -> 0, minPoolSize -> 3,
nestedDataSource -> com.mchange.v2.c3p0.DriverManagerDataSource@381a9c
[ description -> null, driverClass -> null, factoryClassLocation ->
null, jdbcUrl -> jdbc:mysql://cms-xen4.fnal.gov:49151/GUMS_1_1,
properties -> {autoReconnect=true, user=gums, password=XXXXXXXXXX} ] ,
propertyCycle -> 300, testConnectionOnCheckout -> false ] ,
factoryClassLocation -> null, numHelperThreads -> 3 ]
> In the VDT 1.8.1 distribution of GUMS I noticed that the password to
> the GUMS database is being displayed in the catalina.out log file on
> startup I presume. In the catalina.out listing below, I have replaced
> my gums password with 'XXXXXXXXXX' for obvious reasons.

Hi John,

I've confirmed that this happens: it happened in our nightly tests as well.

I've added Jay Packard to the ticket as well, and I've been talking to
him about it (outside of this ticket) as well.

It's not immediately obvious to Jay how to remove the password from the
file: we'll see what he comes up with.

Thanks,
-alain
Jay--

Have you found any possible workarounds for this problem?

Thanks,
-alain

> > In the VDT 1.8.1 distribution of GUMS I noticed that the password to
> > the GUMS database is being displayed in the catalina.out log file on
> > startup I presume. In the catalina.out listing below, I have replaced
> > my gums password with 'XXXXXXXXXX' for obvious reasons.
>
> Hi John,
>
> I've confirmed that this happens: it happened in our nightly tests as well.
>
> I've added Jay Packard to the ticket as well, and I've been talking to
> him about it (outside of this ticket) as well.
>
> It's not immediately obvious to Jay how to remove the password from the
> file: we'll see what he comes up with.
>
> Thanks,
> -alain
>
>
Note: not too serious for most sites, because MySQL database is only
accessible on GUMS computer, which is usually separate for CE. More
serious on sites where GUMS is on CE.

Proposal: make catalina.out only readable by the Tomcat user. Rough logic:

if installing as root
touch catalina.out
chown daemon.daemon catalina.out
chmod 700 catalina.out

We need to verify that this doesn't break anything.
Subject: [vdt-support #2972] SVN commit, rev 6708
To: vdt-support@cs.wisc.edu
From: cat@cs.wisc.edu
Commit comment:
Made catalina.out owned by Tomcat user and have 0700 permissions; all this to
prevent people from looking in the file for passwords and such. Added the
appropriate exception to the install tests.


Changed files:
U vdt/branches/vdt-1.8.1/Configure-Tomcat/vdt/setup/configure_tomcat
U vdt/branches/vdt-1.8.1/VDT-Certification-Tests/vdt/tests/tests/install.t

To generate a diff:
svn diff -c 6708 file:///p/vdt/workspace/svn
Subject: [vdt-support #2972] SVN commit, rev 6709
To: vdt-support@cs.wisc.edu
From: cat@cs.wisc.edu
Commit comment:
Whoops, meant to use 0600 permissions, not 0700.


Changed files:
U vdt/branches/vdt-1.8.1/Configure-Tomcat/vdt/setup/configure_tomcat

To generate a diff:
svn diff -c 6709 file:///p/vdt/workspace/svn
Starting in VDT 1.8.1a (update instructions will be posted), the Tomcat
configuration code now always touches catalina.out, changes the owner to the
Tomcat user (current daemon) if running as root, and always changes permissions
to 0600. The correct behavior has been verified in nightly tests.
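
The behaviour described in the final update (touch the log, chown it to the Tomcat user when running as root, set mode 0600), written out as an added shell example; this is not the VDT configure_tomcat code. The `daemon` default owner comes from the ticket; the function names, the umask step and the `password=` check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: restrict a Tomcat log that may contain credentials.
# Function names are hypothetical; "daemon" is the Tomcat user named in the ticket.

# secure_log FILE [OWNER]: create FILE if missing and make it owner-only.
secure_log() {
    log=$1
    owner=${2:-daemon}
    # Create under a restrictive umask so a new file is never readable by
    # group/other, even briefly, between creation and chmod.
    ( umask 077 && touch "$log" ) || return 1
    # Only root can hand the file to another user; otherwise keep the owner.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$log" || return 1
    fi
    # An existing file keeps its old mode after touch, so always reset it.
    chmod 0600 "$log"
}

# log_mode FILE: print the octal permission bits (GNU stat, then BSD stat).
log_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# log_is_private FILE: succeed only if group and other have no access at all.
log_is_private() {
    case $(log_mode "$1") in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# count_password_lines FILE: number of lines carrying a password= property,
# the form seen in the c3p0 pool dump quoted in the ticket.
count_password_lines() {
    grep -c 'password=' "$1" || true
}
```

Restricting the mode only limits who can read the file; a non-zero result from `count_password_lines` means the credential is still being written to the log and to any rotated or backed-up copies of it.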