axis-java-user mailing list archives

From "Ruchith Fernando" <ruchith.ferna...@gmail.com>
Subject Re: Axis2 security flaw?
Date Fri, 12 May 2006 18:43:46 GMT
When building the "axis2.war" we use the ant:war [1] task and this is
an extension of the ant:jar task [2]. The ant:jar task is not capable
of preserving the file permissions, hence I believe the war task inherits
the same incapability.

The only way to preserve file permissions that I have come
across is using the ant:tar task [3].

Any suggestions to build the war while preserving file permissions?

Thanks,
Ruchith

[1] http://ant.apache.org/manual/CoreTasks/war.html
[2] http://ant.apache.org/manual/CoreTasks/jar.html
[3] http://ant.apache.org/manual/CoreTasks/tar.html

On 5/12/06, robert lazarski <robertlazarski@gmail.com> wrote:
> Thinking about this a little more, actually you're right. Looking at tomcat
> - which you seem to be using - all the files under conf are already set to
> 600. Could you file a jira?
>
>
>  Robert
>  http://www.braziloutsource.com/
>
>
> On 5/12/06, Bram Biesbrouck <b@beligum.org> wrote:
> > I know, but why doesn't the default behaviour do that?
> > I guess there are a LOT of servers out there with that file in the open...
> >
> > b.
> >
> > On Friday 12 May 2006 16:30, robert lazarski wrote:
> > > Try:
> > >
> > > chmod 600 /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> > >
> > > That'll make the file read / writable by only the owner. Other accounts
> > > won't be able to access it.
> > >
> > > To make it read-only by only the owner:
> > >
> > > chmod 400 /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> > >
> > > HTH,
> > > Robert
> > > http://www.braziloutsource.com/
> > >
> > > On 5/12/06, Bram Biesbrouck <b@beligum.org> wrote:
> > > > Hi all,
> > > >
> > > > When I deploy axis2.war in Tomcat, the file
> > > >
> > > > /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> > > > (where the admin-pass is stored)
> > > >
> > > > is readable by all users on the system.
> > > > I'm using Debian sarge (stable).
> > > >
> > > > Am I missing something or is this a serious security issue?
> > > >
> > > > Bram
> >
>
>
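
A deploy-time check for the exposure discussed in this thread, as an added example that is not part of any message above and is not Axis2 project code: it lists files under an unpacked webapp's WEB-INF/conf that group or other accounts can access, and tightens them to 600 as suggested in the thread. The function names are hypothetical, and the webapp directory is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the thread). The WEB-INF/conf layout follows the
# axis2.xml path quoted in the thread; function names are hypothetical.

# Print every file under WEB-INF/conf that grants any permission bit
# to group or others. Returns 2 if the directory does not exist.
list_exposed_conf() {
    conf_dir="$1/WEB-INF/conf"
    [ -d "$conf_dir" ] || { echo "no such directory: $conf_dir" >&2; return 2; }
    # POSIX find: "-perm -MODE" is true when all bits in MODE are set,
    # so OR the six group/other bits together.
    find "$conf_dir" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Set each exposed file to 600 (owner read/write only) and report it.
# Returns 0 when nothing needed changing, 2 if the directory is missing.
harden_conf() {
    exposed=$(list_exposed_conf "$1") || return $?
    [ -n "$exposed" ] || return 0
    printf '%s\n' "$exposed" | while IFS= read -r f; do
        chmod 600 "$f" && printf 'tightened: %s\n' "$f"
    done
}

# Example invocation, using the path from the thread:
#   harden_conf /var/lib/tomcat4/webapps/axis2
```

The files must be owned by the account Tomcat runs as, otherwise the server can no longer read its own configuration after the change. Because the war does not carry file permissions, rerun the check after each redeploy.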
