On Fri, May 8, 2020 at 9:07 PM calder <calder....@gmail.com> wrote: > > On Fri, May 8, 2020, 19:20 Robert Hicks <robert.hi...@gmail.com> wrote: >> >> I am trying to find what the password complexity can be. I've looked at >> several hardening guides and they are all "WordsLikeThis". Does the >> shutdown password take symbols and numbers or at least hyphenated words? > > > We've never had occasion to use the password, because we disable shutdown > (the better option). > > However, my best guess one could use anything. One could check the source > code, or better yet, set up a Dev instance and give it a quick test - a 15 > minute exercise at most.
Gave it a test. In server.xml, we have <Server port="8005" shutdown="fdsa$#@JKL:^" > and then fire it up user@stimpy:~/bin/apache-tomcat/bin> ./catalina.sh start > log.log 2>&1 user@stimpy:~/bin/apache-tomcat/bin> ps aux | grep java user 7223 531 1.2 21006280 812812 pts/2 Sl 23:22 0:13 /home/ [ ... ] user@stimpy:~/bin/apache-tomcat/bin> ./shutdown.sh stop user@stimpy:~/bin/apache-tomcat/bin> ps aux | grep "bin/java" [ no response ] If we start up TC and change server.xml entry to (removed one char at end) <Server port="8005" shutdown="fdsa$#@JKL:"> TC won't shut down. Keep in mind - some characters won't work like & or ( or ) - at least on Unix-style OSes as the shell may want to interpret them. Experiment with whatever chars you want. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
