tomcat-users mailing list archives

From Markus Schönhaber <mailing-tomcat-u...@schoenhaber.de>
Subject Re: UserDatabase & security
Date Fri, 18 May 2007 06:54:19 GMT
Jerome Benezech wrote:

> I have a question regarding Tomcat server UserDatabase
> on Linux. 
> When choosing a MemoryUserDatabase, tomcat users and
> passwords are declared in a tomcat-users.xml file. The
> tomcat user running the server must have read
> permission on this file.
> At the same time, all webapps running in tomcat are
> running under the same Linux user ('tomcat'). So any
> webapp can access this file and display its content.
> 
> My app is hosted on a shared Linux server. With the
> present configuration, I can retrieve this file and
> display every user login/password, then if I wanted
> to, I could go into somebody else's webapp manager and
> undeploy it.
> I am a bit worried that somebody would do that to
> me...
> 
> Is there a way to ensure that only the root user can
> read this file?

Well, Tomcat needs to be able to read that file so you must make it
readable for Tomcat.

OTOH: instead of plaintext passwords you could use digested ones. Take a
look at the "digest" attribute of <Realm> and bin/digest.sh.

Regards
  mks
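
As an added illustration of the digest suggestion above (this is not code from the thread or from the Tomcat project), the script below reproduces what the classic Tomcat digest realm does: it hashes the raw password bytes once with the algorithm named in the Realm's digest attribute and compares the lowercase hex string, the same value bin/digest.sh prints. It assumes that unsalted, single-round behaviour (which is what the Tomcat versions of 2007 implemented); the function names and the sample users are hypothetical, and the Realm snippet uses the UserDatabaseRealm class and digest attribute as they appear in server.xml.

```python
import hashlib
import hmac
from xml.sax.saxutils import quoteattr

# Java MessageDigest names as used in the Realm's digest="..." attribute,
# mapped to hashlib constructors. Java's "SHA" means SHA-1.
_ALGORITHMS = {
    "MD5": hashlib.md5,
    "SHA": hashlib.sha1,
    "SHA-1": hashlib.sha1,
    "SHA-256": hashlib.sha256,
}

# Realm configuration (assumed server.xml fragment) that tells Tomcat the
# password attributes in tomcat-users.xml hold SHA digests, not plaintext.
REALM_SNIPPET = (
    '<Realm className="org.apache.catalina.realm.UserDatabaseRealm" '
    'resourceName="UserDatabase" digest="SHA"/>'
)


def tomcat_digest(password: str, algorithm: str = "SHA", encoding: str = "utf-8") -> str:
    """Return the unsalted lowercase hex digest that `digest.sh -a <algorithm>` prints.

    The classic realm hashes the password bytes exactly once: no salt, no
    iteration count. That is why the output for a given password is constant.
    """
    try:
        ctor = _ALGORITHMS[algorithm.upper()]
    except KeyError:
        raise ValueError(f"unsupported digest algorithm: {algorithm}") from None
    return ctor(password.encode(encoding)).hexdigest()


def user_element(name: str, password: str, roles, algorithm: str = "SHA") -> str:
    """Build one <user> line for tomcat-users.xml with the password already digested.

    quoteattr() adds the surrounding quotes and escapes any XML-significant
    characters in the username or role list.
    """
    return (
        f"<user username={quoteattr(name)} "
        f"password={quoteattr(tomcat_digest(password, algorithm))} "
        f"roles={quoteattr(','.join(roles))}/>"
    )


def verify(stored_digest: str, candidate: str, algorithm: str = "SHA") -> bool:
    """Check a login attempt the way a digest realm does, comparing in constant time."""
    return hmac.compare_digest(stored_digest.lower(), tomcat_digest(candidate, algorithm))


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    print(REALM_SNIPPET)
    print(user_element("alice", "password", ["manager"]))
    print(user_element("bob", "s3cret", ["manager", "admin"], algorithm="MD5"))
    stored = tomcat_digest("password")
    print(verify(stored, "password"), verify(stored, "Password"))
```

Because the digest is unsalted and computed in one round, two users with the same password get the same stored value, and a leaked tomcat-users.xml can still be attacked with precomputed tables; digesting removes the plaintext from the file but does not change who can read it, so file permissions and separating tenants into distinct Tomcat instances remain the real controls.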

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

