tomcat-dev mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: tomcat-users.xml Unix file permissions and security (possible patch)
Date Fri, 13 Feb 2009 09:20:22 GMT
Hi,

On 12.02.2009 18:06, Petr Sumbera wrote:
> Hi all,
>
>  From Tomcat tar archive I get:
>
> ls  -l apache-tomcat-6.0.18/conf/tomcat-users.xml
> -rw-------   1 tomcat staff       1107 Jul 21  2008
> apache-tomcat-6.0.18/conf/tomcat-users.xml
>
> But Tomcat itself changes this during its first run:
>
> ls -l apache-tomcat-6.0.18/conf/tomcat-users.xml
> -rw-r--r-   1 tomcat staff      70 Feb 12 08:31
> apache-tomcat-6.0.18/conf/tomcat-users.xml
>
> This is bad from a security perspective. Why not directly write to the file
> and avoid renaming? The risk of a problem during saving is probably smaller
> than readable passwords...
>
> See attached patch (it would need some more clearance).

You can set the attribute readonly to "true" in the configuration of the 
user database. Then Tomcat will not write to the file and instead simply 
read and use it.

Regards,

Rainer
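
The two points in this exchange, the permission change that Petr observed and the readonly="true" setting that Rainer suggests, as an added example in POSIX sh. This script is not from the thread and not Tomcat's own code. It assumes what Petr's message states, that the save writes a new file and renames it over the original, and reproduces that with plain shell file operations so the mode change is visible; the UserDatabase <Resource> it writes uses the attribute names from Tomcat 6's default server.xml, with readonly="true" added for the hardened variant. All paths are constructed under a temporary directory.

```sh
#!/bin/sh
# Added example, not code from the thread or from Tomcat.
# simulate_save      : why the 0600 mode of conf/tomcat-users.xml disappears when a
#                      save writes a fresh file and renames it over the original.
# write_server_xml   : the UserDatabase <Resource> as shipped (writable) or with
#                      readonly="true", as suggested in the reply above.
# check_user_database: audit the file mode and the readonly attribute together.

file_mode() {
    # Octal permission bits; GNU stat first, BSD stat as a fallback.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

simulate_save() {
    dir=$1
    umask 022                      # a typical umask for a service account
    printf '<tomcat-users>\n  <user username="admin" password="secret" roles="manager"/>\n</tomcat-users>\n' \
        > "$dir/tomcat-users.xml"
    chmod 600 "$dir/tomcat-users.xml"          # what the tar archive ships
    before=$(file_mode "$dir/tomcat-users.xml")
    # Write-to-.new-then-rename: the new inode is created with 0666 & ~umask
    # (0644 here) and rename() carries that mode over, so 0600 is lost.
    cat "$dir/tomcat-users.xml" > "$dir/tomcat-users.xml.new"
    mv -f "$dir/tomcat-users.xml.new" "$dir/tomcat-users.xml"
    after=$(file_mode "$dir/tomcat-users.xml")
    echo "$before $after"          # 600 644
}

write_server_xml() {
    # $1 = output path; $2 = "true" adds readonly="true", anything else omits it.
    path=$1
    extra=""
    [ "$2" = "true" ] && extra='readonly="true"'
    cat > "$path" <<EOF
<Server>
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" $extra />
  </GlobalNamingResources>
</Server>
EOF
}

check_user_database() {
    users_file=$1
    server_xml=$2
    status=0
    mode=$(file_mode "$users_file")
    case $mode in
        600|400) ;;
        *) echo "WARN: $users_file is mode $mode, expected 0600" >&2; status=1 ;;
    esac
    # Pull out just the UserDatabase <Resource ...> element, whatever lines it spans.
    resource=$(tr '\n' ' ' < "$server_xml" \
        | sed -n 's/.*\(<Resource[^>]*org\.apache\.catalina\.UserDatabase[^>]*>\).*/\1/p')
    case $resource in
        *'readonly="true"'*) ;;
        *) echo "WARN: UserDatabase resource in $server_xml is writable; set readonly=\"true\"" >&2
           status=1 ;;
    esac
    return $status
}

# Run "sh this_script.sh demo" to exercise the functions on constructed files.
if [ "${1-}" = "demo" ]; then
    work=$(mktemp -d)
    echo "mode before/after simulated save: $(simulate_save "$work")"
    chmod 600 "$work/tomcat-users.xml"
    write_server_xml "$work/server.xml" true
    check_user_database "$work/tomcat-users.xml" "$work/server.xml" && echo "hardened config passes"
    rm -rf "$work"
fi
```

With readonly="true" the file is only read, so a mode of 0600 set once stays in place; the audit still reports the mode separately, because a writable resource and an already-readable file are two distinct problems and either one on its own exposes the passwords.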
