tomcat-dev mailing list archives

From Petr Sumbera <Petr.Sumb...@Sun.COM>
Subject tomcat-users.xml Unix file permissions and security (possible patch)
Date Thu, 12 Feb 2009 17:06:40 GMT

Hi all,

From the Tomcat tar archive I get:

ls  -l apache-tomcat-6.0.18/conf/tomcat-users.xml 
-rw-------   1 tomcat staff       1107 Jul 21  2008

But Tomcat itself changes this during its first run:

ls -l apache-tomcat-6.0.18/conf/tomcat-users.xml
-rw-r--r-   1 tomcat staff      70 Feb 12 08:31

This is bad from a security perspective. Why not write directly to the file
and avoid renaming? The risk of a problem during saving is probably smaller
than that of readable passwords...

See attached patch (it would need some more clearance).
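
Added example, not part of the original message and not Tomcat's code: one way to keep a temp-file-and-rename save from widening the file mode is to create the temporary file owner-only and copy the existing file's permissions onto it before the rename. It assumes Java 7+ NIO.2 and a POSIX file system; the class name RestrictedSave and the sample content are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.Set;

public class RestrictedSave {
    // Owner-only read/write, the mode the file has in the tar archive (rw-------).
    private static final Set<PosixFilePermission> OWNER_ONLY =
            PosixFilePermissions.fromString("rw-------");

    /** Replace target via temp file + rename, preserving the existing file's mode. */
    static void save(Path target, String content) throws IOException {
        Set<PosixFilePermission> perms = OWNER_ONLY;   // default when no file exists yet
        if (Files.exists(target)) {
            perms = Files.getPosixFilePermissions(target);
        }
        Path dir = target.toAbsolutePath().getParent();
        // Create the temp file owner-only so the content is never readable mid-save.
        Path tmp = Files.createTempFile(dir, "users", ".new",
                PosixFilePermissions.asFileAttribute(OWNER_ONLY));
        try {
            Files.write(tmp, content.getBytes(StandardCharsets.UTF_8));
            // Set the mode explicitly; unlike file creation, this ignores the umask.
            Files.setPosixFilePermissions(tmp, perms);
            // On POSIX this is rename(2), which replaces an existing target atomically.
            Files.move(tmp, target, StandardCopyOption.ATOMIC_MOVE);
        } finally {
            Files.deleteIfExists(tmp);   // no-op after a successful move
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("conf-demo");    // constructed sample directory
        Path users = dir.resolve("tomcat-users.xml");
        Files.createFile(users, PosixFilePermissions.asFileAttribute(OWNER_ONLY));
        save(users, "<tomcat-users/>\n");                      // constructed sample content
        System.out.println(PosixFilePermissions.toString(
                Files.getPosixFilePermissions(users)));
    }
}
```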

