axis-java-user mailing list archives

From: Bram Biesbrouck <...@beligum.org>
Subject: Re: Axis2 security flaw?
Date: Thu, 18 May 2006 19:05:56 GMT
In this light:

chmodding the whole axis2 directory to 600 isn't a good practice, since it 
must remain accessible (chmod -x to a directory prevents access).

Is it sufficient to chmod conf/axis.xml to read-only, or are there other files 
that must be protected?

Bram

On Friday 12 May 2006 20:43, Ruchith Fernando wrote:
> When building the "axis2.war" we use the ant:war [1] task and this is
> an extension of the ant:jar task[2]. The ant:jar task is not capable
> of preserving the file permissions hence I believe war task inherits
> the same incapability.
>
> The only way to preserve file permissions that I have come
> across is using the ant:tar task :[3].
>
> Any suggestions to build the war while preserving file permissions?
>
> Thanks,
> Ruchith
>
> [1] http://ant.apache.org/manual/CoreTasks/war.html
> [2] http://ant.apache.org/manual/CoreTasks/jar.html
> [3] http://ant.apache.org/manual/CoreTasks/tar.html
>
> On 5/12/06, robert lazarski <robertlazarski@gmail.com> wrote:
> > Thinking about this a little more, actually you're right. Looking at
> > tomcat - which you seem to be using - all the files under conf are
> > already set to 600. Could you file a jira?
> >
> >
> >  Robert
> >  http://www.braziloutsource.com/
> >
> > On 5/12/06, Bram Biesbrouck <b@beligum.org> wrote:
> > > I know, but why doesn't the default behaviour do that?
> > > I guess there are a LOT of servers out there with that file in the
> > > open...
> > >
> > > b.
> > >
> > > On Friday 12 May 2006 16:30, robert lazarski wrote:
> > > > Try:
> > > >
> > > > chmod 600 /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> > > >
> > > > That'll make the file read / writable by only the owner. Other
> > > > accounts won't be able to access it.
> > > >
> > > > To make it read-only by only the owner:
> > > >
> > > > chmod 400 /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> > > >
> > > > HTH,
> > > > Robert
> > > > http://www.braziloutsource.com/
> > > >
> > > > On 5/12/06, Bram Biesbrouck <b@beligum.org> wrote:
> > > > > Hi all,
> > > > >
> > > > > When I deploy axis2.war in Tomcat, the file
> > > > >
> > > > > /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> > > > > (where the admin-pass is stored)
> > > > >
> > > > > is readable by all users on the system.
> > > > > I'm using Debian sarge (stable).
> > > > >
> > > > > Am I missing something or is this a serious security issue?
> > > > >
> > > > > Bram

---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org
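An added example, not from anyone in the thread, showing the two points the discussion turns on: the config file gets owner-only permissions (400, as Robert suggests), while the directories above it keep their execute bit so the webapp stays traversable (Bram's objection to chmod 600 on the whole directory). The webapps layout is constructed in a temporary directory; the 0750 directory mode and the GNU/BSD `stat` fallback are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): lock down a deployed axis2.xml without
# breaking directory traversal. A directory with no x bit cannot be entered,
# so only the file itself should lose group/other access.

# mode_of FILE: print the octal permission bits (GNU stat, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# exposed FILE: succeed (0) when group or other has any permission bit set.
exposed() {
    m=$(mode_of "$1")
    [ "${m#${m%??}}" != "00" ]   # last two octal digits = group, other
}

# harden_conf WEBAPP_DIR: 0400 on WEB-INF/conf/axis2.xml, 0750 on the
# directories leading to it (owner is assumed to be the Tomcat account;
# the group bits are an assumption, drop them if Tomcat is the only user).
harden_conf() {
    app="$1"
    chmod 0750 "$app" "$app/WEB-INF" "$app/WEB-INF/conf"
    chmod 0400 "$app/WEB-INF/conf/axis2.xml"
}

# Constructed sample layout mirroring the path from the original report.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
app="$tmp/webapps/axis2"
conf="$app/WEB-INF/conf/axis2.xml"
mkdir -p "$app/WEB-INF/conf"
printf '<axisconfig><parameter name="adminPassword">changeme</parameter></axisconfig>\n' > "$conf"
chmod 0644 "$conf"            # the world-readable default the thread complains about

before=$(mode_of "$conf")
harden_conf "$app"
after=$(mode_of "$conf")
echo "axis2.xml mode: $before -> $after"   # prints "axis2.xml mode: 644 -> 400"
```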

