tomcat-users mailing list archives

From "Shapira, Yoav" <Yoav.Shap...@mpi.com>
Subject RE: Why does startup of Tomcat 5.0.28 server make tomcat-users.xml world-readable?...
Date Wed, 15 Sep 2004 17:19:15 GMT

Hi,
Tomcat needs to change the file so that it (the Tomcat process) can
(over)write it (the tomcat-users.xml file).  But you would think chmod
u+w or g+w would be sufficient, not chmod o+w.  Are you running with a
security manager?

Yoav Shapira
Millennium Research Informatics


>-----Original Message-----
>From: Fred Stluka [mailto:fred@bristle.com]
>Sent: Wednesday, September 15, 2004 1:01 PM
>To: tomcat-user@jakarta.apache.org
>Subject: Why does startup of Tomcat 5.0.28 server make tomcat-users.xml
>world-readable?...
>
>Anyone know why starting the Tomcat 5.0.28 server on Linux
>makes the configuration file tomcat-users.xml world-readable?
>I had it set to permissions 600, but starting the server changes
>it to 644.
>
>This seems like a security hole since any user of the system can
>read the plaintext passwords.
>
>Any thoughts?  Thanks!
>--Fred
>--------------------------------------------------------------------------
> Fred Stluka -- mailto:fred@bristle.com -- http://bristle.com/~fred/
> Bristle Software, Inc -- http://bristle.com -- "Glad to be of service!"
>--------------------------------------------------------------------------




---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
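
A possible explanation for the 600 to 644 change reported in this thread, as an added example that is not part of either message or of Tomcat's code. It assumes (the thread does not confirm this) that the file is saved by writing a new file and renaming it over the old one, so the resulting mode comes from the process umask rather than from the previous file; the function names and the `.new` suffix are hypothetical.

```shell
#!/bin/sh
# Constructed demo; all function names and the ".new" suffix are hypothetical.

# Print a file's permission bits in octal (GNU stat, with BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed if "others" have the read bit, i.e. the file is world-readable.
is_world_readable() {
    m=$(file_mode "$1")
    case "${m#"${m%?}"}" in 4|5|6|7) return 0 ;; esac
    return 1
}

# Assumed save pattern: write a new file, then rename it over the old one.
# The new inode gets 666 & ~umask, so the old file's 600 is lost.
rewrite_via_rename() {
    printf '%s\n' '<tomcat-users/>' > "$1.new"
    mv -f "$1.new" "$1"
}

# Same pattern, but the replacement is created private and then given
# the mode the original file had before it is renamed into place.
rewrite_preserving_mode() {
    old_mode=$(file_mode "$1")
    ( umask 077; printf '%s\n' '<tomcat-users/>' > "$1.new" )
    chmod "$old_mode" "$1.new"
    mv -f "$1.new" "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/tomcat-users.xml"          # constructed placeholder file
    printf '%s\n' '<tomcat-users/>' > "$f"
    chmod 600 "$f"
    ( umask 022; rewrite_via_rename "$f" )
    echo "plain rewrite, umask 022:    $(file_mode "$f")"
    chmod 600 "$f"
    ( umask 022; rewrite_preserving_mode "$f" )
    echo "mode-preserving, umask 022:  $(file_mode "$f")"
    ( umask 077; rewrite_via_rename "$f" )
    echo "plain rewrite, umask 077:    $(file_mode "$f")"
    rm -rf "$dir"
}
demo
```

If the assumption holds, running the server process under `umask 077` keeps any file it recreates private, and `is_world_readable` can serve as a post-startup check.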

