tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Petr Sumbera <Petr.Sumb...@Sun.COM>
Subject tomcat-users.xml Unix file permissions and security (possible patch)
Date Thu, 12 Feb 2009 17:06:40 GMT

Hi all,

>From Tomcat tar archive I get:

ls  -l apache-tomcat-6.0.18/conf/tomcat-users.xml 
-rw-------   1 tomcat staff       1107 Jul 21  2008
apache-tomcat-6.0.18/conf/tomcat-users.xml

But Tomcat itself changes this during its first run:

ls -l apache-tomcat-6.0.18/conf/tomcat-users.xml
-rw-r--r-   1 tomcat staff      70 Feb 12 08:31
apache-tomcat-6.0.18/conf/tomcat-users.xml

This is bad from security perspective. Why not directly write to the file
and avoid renaming. This risk of problem during saving is probably smaller
then readable passwords...

See attached patch (it would need some more clearance).

Thanks,

Petr
http://www.nabble.com/file/p21980349/MemoryUserDatabase.diff
MemoryUserDatabase.diff 
-- 
View this message in context: http://www.nabble.com/tomcat-users.xml-Unix-file-permissions-and-security-%28possible-patch%29-tp21980349p21980349.html
Sent from the Tomcat - Dev mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message