Posted to java-user@axis.apache.org by Bram Biesbrouck <b...@beligum.org> on 2006/05/12 16:21:04 UTC
Axis2 security flaw?
Hi all,
When I deploy axis2.war in Tomcat, the file
/var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
(where the admin-pass is stored)
is readable by all users on the system.
I'm using Debian sarge (stable).
Am I missing something or is this a serious security issue?
Bram
Re: Axis2 security flaw?
Posted by Bram Biesbrouck <b...@beligum.org>.
In this light:
chmodding the whole axis2 directory to 600 isn't a good practice, since it
must remain accessible (chmod -x to a directory prevents access).
Is it sufficient to chmod conf/axis.xml to read-only, or are there other files
that must be protected?
Bram
On Friday 12 May 2006 20:43, Ruchith Fernando wrote:
> When building the "axis2.war" we use the ant:war [1] task and this is
> an extension of the ant:jar task[2]. The ant:jar task is not capable
> of preserving the file permissions hence I believe war task inherits
> the same incapability.
>
> The only way to preserve file permissions that I have come
> across is using the ant:tar task [3].
>
> Any suggestions to build the war while preserving file permissions?
>
> Thanks,
> Ruchith
>
> [1] http://ant.apache.org/manual/CoreTasks/war.html
> [2] http://ant.apache.org/manual/CoreTasks/jar.html
> [3] http://ant.apache.org/manual/CoreTasks/tar.html
>
> On 5/12/06, robert lazarski <ro...@gmail.com> wrote:
> > Thinking about this a little more, actually you're right. Looking at
> > tomcat - which you seem to be using - all the files under conf are
> > already set to 600. Could you file a jira?
> >
> >
> > Robert
> > http://www.braziloutsource.com/
> >
> > On 5/12/06, Bram Biesbrouck <b...@beligum.org> wrote:
> > > I know, but why doesn't the default behaviour do that?
> > > I guess there are a LOT of servers out there with that file in the
> > > open...
> > >
> > > b.
> > >
> > > On Friday 12 May 2006 16:30, robert lazarski wrote:
> > > > Try:
> > > >
> > > > chmod 600 /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> > > >
> > > > That'll make the file read / writable by only the owner. Other
> > > > accounts won't be able to access it.
> > > >
> > > > To make it read-only by only the owner:
> > > >
> > > > chmod 400 /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> > > >
> > > > HTH,
> > > > Robert
> > > > http://www.braziloutsource.com/
> > > >
> > > > On 5/12/06, Bram Biesbrouck <b...@beligum.org> wrote:
> > > > > Hi all,
> > > > >
> > > > > When I deploy axis2.war in Tomcat, the file
> > > > >
> > > > > /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> > > > > (where the admin-pass is stored)
> > > > >
> > > > > is readable by all users on the system.
> > > > > I'm using Debian sarge (stable).
> > > > >
> > > > > Am I missing something or is this a serious security issue?
> > > > >
> > > > > Bram
Re: Axis2 security flaw?
Posted by Ruchith Fernando <ru...@gmail.com>.
When building the "axis2.war" we use the ant:war [1] task and this is
an extension of the ant:jar task[2]. The ant:jar task is not capable
of preserving the file permissions hence I believe war task inherits
the same incapability.
The only way to preserve file permissions that I have come
across is using the ant:tar task [3].
Any suggestions to build the war while preserving file permissions?
Thanks,
Ruchith
[1] http://ant.apache.org/manual/CoreTasks/war.html
[2] http://ant.apache.org/manual/CoreTasks/jar.html
[3] http://ant.apache.org/manual/CoreTasks/tar.html
On 5/12/06, robert lazarski <ro...@gmail.com> wrote:
> Thinking about this a little more, actually you're right. Looking at tomcat
> - which you seem to be using - all the files under conf are already set to
> 600. Could you file a jira?
>
>
> Robert
> http://www.braziloutsource.com/
>
>
> On 5/12/06, Bram Biesbrouck <b...@beligum.org> wrote:
> > I know, but why doesn't the default behaviour do that?
> > I guess there are a LOT of servers out there with that file in the open...
> >
> > b.
> >
> > On Friday 12 May 2006 16:30, robert lazarski wrote:
> > > Try:
> > >
> > > chmod 600 /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> > >
> > > That'll make the file read / writable by only the owner. Other accounts
> > > won't be able to access it.
> > >
> > > To make it read-only by only the owner:
> > >
> > > chmod 400 /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> > >
> > > HTH,
> > > Robert
> > > http://www.braziloutsource.com/
> > >
> > > On 5/12/06, Bram Biesbrouck <b...@beligum.org> wrote:
> > > > Hi all,
> > > >
> > > > When I deploy axis2.war in Tomcat, the file
> > > >
> > > > /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> > > > (where the admin-pass is stored)
> > > >
> > > > is readable by all users on the system.
> > > > I'm using Debian sarge (stable).
> > > >
> > > > Am I missing something or is this a serious security issue?
> > > >
> > > > Bram
> >
>
>
Re: Axis2 security flaw?
Posted by robert lazarski <ro...@gmail.com>.
Thinking about this a little more, actually you're right. Looking at tomcat
- which you seem to be using - all the files under conf are already set to
600. Could you file a jira?
Robert
http://www.braziloutsource.com/
On 5/12/06, Bram Biesbrouck <b...@beligum.org> wrote:
>
> I know, but why doesn't the default behaviour do that?
> I guess there are a LOT of servers out there with that file in the open...
>
> b.
>
> On Friday 12 May 2006 16:30, robert lazarski wrote:
> > Try:
> >
> > chmod 600 /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> >
> > That'll make the file read / writable by only the owner. Other accounts
> > won't be able to access it.
> >
> > To make it read-only by only the owner:
> >
> > chmod 400 /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> >
> > HTH,
> > Robert
> > http://www.braziloutsource.com/
> >
> > On 5/12/06, Bram Biesbrouck <b...@beligum.org> wrote:
> > > Hi all,
> > >
> > > When I deploy axis2.war in Tomcat, the file
> > >
> > > /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> > > (where the admin-pass is stored)
> > >
> > > is readable by all users on the system.
> > > I'm using Debian sarge (stable).
> > >
> > > Am I missing something or is this a serious security issue?
> > >
> > > Bram
>
Re: Axis2 security flaw?
Posted by Bram Biesbrouck <b...@beligum.org>.
I know, but why doesn't the default behaviour do that?
I guess there are a LOT of servers out there with that file in the open...
b.
On Friday 12 May 2006 16:30, robert lazarski wrote:
> Try:
>
> chmod 600 /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
>
> That'll make the file read / writable by only the owner. Other accounts
> won't be able to access it.
>
> To make it read-only by only the owner:
>
> chmod 400 /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
>
> HTH,
> Robert
> http://www.braziloutsource.com/
>
> On 5/12/06, Bram Biesbrouck <b...@beligum.org> wrote:
> > Hi all,
> >
> > When I deploy axis2.war in Tomcat, the file
> >
> > /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> > (where the admin-pass is stored)
> >
> > is readable by all users on the system.
> > I'm using Debian sarge (stable).
> >
> > Am I missing something or is this a serious security issue?
> >
> > Bram
Re: Axis2 security flaw?
Posted by robert lazarski <ro...@gmail.com>.
Try:
chmod 600 /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
That'll make the file read / writable by only the owner. Other accounts
won't be able to access it.
To make it read-only by only the owner:
chmod 400 /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
HTH,
Robert
http://www.braziloutsource.com/
On 5/12/06, Bram Biesbrouck <b...@beligum.org> wrote:
>
> Hi all,
>
> When I deploy axis2.war in Tomcat, the file
>
> /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> (where the admin-pass is stored)
>
> is readable by all users on the system.
> I'm using Debian sarge (stable).
>
> Am I missing something or is this a serious security issue?
>
> Bram
>
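As an added example (not code from this thread or from the Axis2 project), a POSIX shell script that does what Robert's chmod suggestion and Bram's follow-up about the directory describe: it lists files under a deployed webapp's WEB-INF/conf that group or others can read, then tightens them to 600 while leaving the conf directory traversable for its owner (700) instead of the 600 Bram warns against. It assumes the tree is owned by the account Tomcat runs as, that the webapp root is passed as the first argument, and the sample tree it builds for a dry run is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit and tighten the permissions of
# an unpacked axis2.war's WEB-INF/conf (where axis2.xml and the admin
# password live). Assumes the tree is owned by the account Tomcat runs as.

# Print every regular file under WEB-INF/conf that group or others can read.
# Octal -perm tests are used so the script works with GNU and BSD find.
find_exposed_conf() {
    conf="$1/WEB-INF/conf"
    [ -d "$conf" ] || return 1
    find "$conf" -type f \( -perm -040 -o -perm -004 \)
}

# Files become 600 (owner read/write). Directories become 700, not 600:
# the owner keeps the execute bit, so the directory stays traversable.
harden_conf() {
    conf="$1/WEB-INF/conf"
    [ -d "$conf" ] || return 1
    find "$conf" -type d -exec chmod 700 {} +
    find "$conf" -type f -exec chmod 600 {} +
}

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Constructed sample tree that mimics how the war unpacks (755 dir, 644
# file, i.e. world-readable). Prints the webapp root it created.
make_sample_webapp() {
    root="$(mktemp -d)/axis2"
    mkdir -p "$root/WEB-INF/conf"
    printf '<axisconfig><parameter name="userName">admin</parameter></axisconfig>\n' \
        > "$root/WEB-INF/conf/axis2.xml"
    chmod 755 "$root/WEB-INF/conf"
    chmod 644 "$root/WEB-INF/conf/axis2.xml"
    echo "$root"
}

# Usage: sh harden_axis2_conf.sh /var/lib/tomcat4/webapps/axis2
if [ -n "${1:-}" ]; then
    echo "exposed before:"; find_exposed_conf "$1"
    harden_conf "$1"
    echo "exposed after:";  find_exposed_conf "$1"
fi
```

Because the war is re-unpacked with default permissions on every redeploy (the ant:jar limitation Ruchith describes), this is the kind of step to run from a deployment hook rather than once by hand.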