tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 11584] New: - Configuration files owned by tomcat3 not root
Date Fri, 09 Aug 2002 09:37:12 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11584>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11584

Configuration files owned by tomcat3 not root

           Summary: Configuration files owned by tomcat3 not root
           Product: Tomcat 3
           Version: 3.3 Final
          Platform: PC
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: Major
          Priority: Other
         Component: Unknown
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: pete@idnet.net.uk


tomcat 3.3.1, when installed from rpm, runs as user tomcat3 and has its
configuration files rewritable by this user.

[root@hovercraft pete]# ls -l /etc/tomcat3/conf/tomcat3.conf
-rw-r--r--    1 tomcat3  tomcat3       866 Apr 30 16:28 /etc/tomcat3/conf/tomcat3.conf


However, this file allows you to specify the user tomcat runs as - i.e. the
tomcat3 user can rewrite his user directive to be root and then wait for a
restart, allowing him to escalate his user level to root. I think the
configuration files should be owned by root, not tomcat3.

--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
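
A check for the condition this report describes, as an added example that is not part of the bug report or of the Tomcat packaging: it lists every entry under a configuration directory that is not owned by the trusted account or is writable by group or others. The function name `audit_conf_tree` and its exit codes are assumptions of this example; the path in the usage comment is the one from the report.

```shell
#!/bin/sh
# Added example (not from the original report).
# audit_conf_tree DIR [TRUSTED_UID]
#   Lists entries under DIR that a non-trusted account could rewrite:
#     - owner is not TRUSTED_UID (default 0, i.e. root), or
#     - mode grants write access to group or others.
#   The directory itself is included, because write access to it allows
#   a configuration file to be replaced rather than edited.
#   Exit status: 0 = clean, 1 = findings printed, 2 = DIR is not a directory.
audit_conf_tree() {
    dir=$1
    trusted_uid=${2:-0}

    if [ ! -d "$dir" ]; then
        echo "audit_conf_tree: $dir is not a directory" >&2
        return 2
    fi

    # Symlinks are skipped: their own mode bits are not meaningful on Linux.
    # ls -ldn prints numeric uid/gid so the output does not depend on passwd.
    findings=$(find "$dir" ! -type l \
        \( ! -user "$trusted_uid" -o -perm -020 -o -perm -002 \) \
        -exec ls -ldn {} \;)

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage, with the path from the report:
#   sh audit.sh /etc/tomcat3/conf
if [ "$#" -gt 0 ]; then
    audit_conf_tree "$@"
fi
```

With the ownership shown in the report (tomcat3:tomcat3), this lists `tomcat3.conf` and returns 1; after the files and directory are owned by root with mode 644/755 it returns 0.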

