Posted to java-user@axis.apache.org by Bram Biesbrouck <b...@beligum.org> on 2006/05/12 16:21:04 UTC

Axis2 security flaw?

Hi all,

When I deploy axis2.war in Tomcat, the file

/var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
(where the admin-pass is stored)

is readable by all users on the system.
I'm using Debian sarge (stable).

Am I missing something or is this a serious security issue?

Bram

Re: Axis2 security flaw?

Posted by Bram Biesbrouck <b...@beligum.org>.
In this light:

chmodding the whole axis2 directory to 600 isn't a good practice, since it 
must remain accessible (chmod -x to a directory prevents access).

Is it sufficient to chmod conf/axis.xml to read-only, or are there other files 
that must be protected?

Bram

On Friday 12 May 2006 20:43, Ruchith Fernando wrote:
> When building the "axis2.war" we use the ant:war [1] task and this is
> an extension of the ant:jar task[2]. The ant:jar task is not capable
> of preserving the file permissions hence I believe war task inherits
> the same incapability.
>
> The only way to preserve file permissions that I have come
> across is using the ant:tar task [3].
>
> Any suggestions to build the war while preserving file permissions?
>
> Thanks,
> Ruchith
>
> [1] http://ant.apache.org/manual/CoreTasks/war.html
> [2] http://ant.apache.org/manual/CoreTasks/jar.html
> [3] http://ant.apache.org/manual/CoreTasks/tar.html
>
> On 5/12/06, robert lazarski <ro...@gmail.com> wrote:
> > Thinking about this a little more, actually you're right. Looking at
> > tomcat - which you seem to be using - all the files under conf are
> > already set to 600. Could you file a jira?
> >
> >
> >  Robert
> >  http://www.braziloutsource.com/
> >
> > On 5/12/06, Bram Biesbrouck <b...@beligum.org> wrote:
> > > I know, but why doesn't the default behaviour do that?
> > > I guess there are a LOT of servers out there with that file in the
> > > open...
> > >
> > > b.
> > >
> > > On Friday 12 May 2006 16:30, robert lazarski wrote:
> > > > Try:
> > > >
> > > > chmod 600 /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> > > >
> > > > That'll make the file read / writable by only the owner. Other
> > > > accounts won't be able to access it.
> > > >
> > > > To make it read-only by only the owner:
> > > >
> > > > chmod 400 /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> > > >
> > > > HTH,
> > > > Robert
> > > > http://www.braziloutsource.com/
> > > >
> > > > On 5/12/06, Bram Biesbrouck <b...@beligum.org> wrote:
> > > > > Hi all,
> > > > >
> > > > > When I deploy axis2.war in Tomcat, the file
> > > > >
> > > > > /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> > > > > (where the admin-pass is stored)
> > > > >
> > > > > is readable by all users on the system.
> > > > > I'm using Debian sarge (stable).
> > > > >
> > > > > Am I missing something or is this a serious security issue?
> > > > >
> > > > > Bram



Re: Axis2 security flaw?

Posted by Ruchith Fernando <ru...@gmail.com>.
When building the "axis2.war" we use the ant:war [1] task and this is
an extension of the ant:jar task[2]. The ant:jar task is not capable
of preserving the file permissions hence I believe war task inherits
the same incapability.

The only way to preserve file permissions that I have come
across is using the ant:tar task [3].

Any suggestions to build the war while preserving file permissions?

Thanks,
Ruchith

[1] http://ant.apache.org/manual/CoreTasks/war.html
[2] http://ant.apache.org/manual/CoreTasks/jar.html
[3] http://ant.apache.org/manual/CoreTasks/tar.html

On 5/12/06, robert lazarski <ro...@gmail.com> wrote:
> Thinking about this a little more, actually you're right. Looking at tomcat
> - which you seem to be using - all the files under conf are already set to
> 600. Could you file a jira?
>
>
>  Robert
>  http://www.braziloutsource.com/
>
>
> On 5/12/06, Bram Biesbrouck <b...@beligum.org> wrote:
> > I know, but why doesn't the default behaviour do that?
> > I guess there are a LOT of servers out there with that file in the open...
> >
> > b.
> >
> > On Friday 12 May 2006 16:30, robert lazarski wrote:
> > > Try:
> > >
> > > chmod 600 /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> > >
> > > That'll make the file read / writable by only the owner. Other accounts
> > > won't be able to access it.
> > >
> > > To make it read-only by only the owner:
> > >
> > > chmod 400 /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> > >
> > > HTH,
> > > Robert
> > > http://www.braziloutsource.com/
> > >
> > > On 5/12/06, Bram Biesbrouck <b...@beligum.org> wrote:
> > > > Hi all,
> > > >
> > > > When I deploy axis2.war in Tomcat, the file
> > > >
> > > > /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> > > > (where the admin-pass is stored)
> > > >
> > > > is readable by all users on the system.
> > > > I'm using Debian sarge (stable).
> > > >
> > > > Am I missing something or is this a serious security issue?
> > > >
> > > > Bram
> >
>
>

Re: Axis2 security flaw?

Posted by robert lazarski <ro...@gmail.com>.
Thinking about this a little more, actually you're right. Looking at tomcat
- which you seem to be using - all the files under conf are already set to
600. Could you file a jira?

Robert
http://www.braziloutsource.com/


On 5/12/06, Bram Biesbrouck <b...@beligum.org> wrote:
>
> I know, but why doesn't the default behaviour do that?
> I guess there are a LOT of servers out there with that file in the open...
>
> b.
>
> On Friday 12 May 2006 16:30, robert lazarski wrote:
> > Try:
> >
> > chmod 600 /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> >
> > That'll make the file read / writable by only the owner. Other accounts
> > won't be able to access it.
> >
> > To make it read-only by only the owner:
> >
> > chmod 400 /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> >
> > HTH,
> > Robert
> > http://www.braziloutsource.com/
> >
> > On 5/12/06, Bram Biesbrouck <b...@beligum.org> wrote:
> > > Hi all,
> > >
> > > When I deploy axis2.war in Tomcat, the file
> > >
> > > /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> > > (where the admin-pass is stored)
> > >
> > > is readable by all users on the system.
> > > I'm using Debian sarge (stable).
> > >
> > > Am I missing something or is this a serious security issue?
> > >
> > > Bram
>

Re: Axis2 security flaw?

Posted by Bram Biesbrouck <b...@beligum.org>.
I know, but why doesn't the default behaviour do that?
I guess there are a LOT of servers out there with that file in the open...

b.

On Friday 12 May 2006 16:30, robert lazarski wrote:
> Try:
>
> chmod 600 /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
>
> That'll make the file read / writable by only the owner. Other accounts
> won't be able to access it.
>
> To make it read-only by only the owner:
>
> chmod 400 /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
>
> HTH,
> Robert
> http://www.braziloutsource.com/
>
> On 5/12/06, Bram Biesbrouck <b...@beligum.org> wrote:
> > Hi all,
> >
> > When I deploy axis2.war in Tomcat, the file
> >
> > /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> > (where the admin-pass is stored)
> >
> > is readable by all users on the system.
> > I'm using Debian sarge (stable).
> >
> > Am I missing something or is this a serious security issue?
> >
> > Bram

Re: Axis2 security flaw?

Posted by robert lazarski <ro...@gmail.com>.
Try:

chmod 600 /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml

That'll make the file read / writable by only the owner. Other accounts
won't be able to access it.

To make it read-only by only the owner:

chmod 400 /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml

HTH,
Robert
http://www.braziloutsource.com/

On 5/12/06, Bram Biesbrouck <b...@beligum.org> wrote:
>
> Hi all,
>
> When I deploy axis2.war in Tomcat, the file
>
> /var/lib/tomcat4/webapps/axis2/WEB-INF/conf/axis2.xml
> (where the admin-pass is stored)
>
> is readable by all users on the system.
> I'm using Debian sarge (stable).
>
> Am I missing something or is this a serious security issue?
>
> Bram
>
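As an added illustration (not code from this thread, nor from Axis2 or Tomcat), a small POSIX shell script that audits a deployed webapp's conf directory for files readable by group or others and tightens them the way Robert suggests for axis2.xml, while leaving directories traversable, which Bram points out a blanket chmod 600 would break. The directory layout and file names it is run against are assumptions; it does not change ownership, so the files are expected to already belong to the Tomcat service account.

```shell
#!/bin/sh
# Added example: audit and harden permissions of a webapp conf directory.
# Directories keep an execute bit (needed to traverse them); only regular
# files are narrowed to owner read/write (600). Ownership is not changed;
# it is assumed the tree already belongs to the Tomcat service account.

# List every regular file under "$1" that is readable by group or others.
# Prints the paths and returns 1 if any are found, returns 0 otherwise.
find_exposed_conf() {
    dir="$1"
    # -perm -g=r: group-read bit set; -perm -o=r: other-read bit set
    exposed=$(find "$dir" -type f \( -perm -g=r -o -perm -o=r \) -print)
    [ -z "$exposed" ] && return 0
    printf '%s\n' "$exposed"
    return 1
}

# Same check, but returns only the number of exposed files on stdout.
count_exposed_conf() {
    find "$1" -type f \( -perm -g=r -o -perm -o=r \) -print | wc -l | tr -d ' '
}

# Tighten the tree: directories to 750 (owner and group may enter them,
# others cannot), regular files to 600 (owner read/write only).
harden_conf() {
    dir="$1"
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -exec chmod 600 {} +
}

# Typical use (path is an assumption, matching the one in the thread):
#   find_exposed_conf /var/lib/tomcat4/webapps/axis2/WEB-INF/conf || \
#       harden_conf /var/lib/tomcat4/webapps/axis2/WEB-INF/conf
```

Run the audit function from cron or a deployment hook after each redeploy, since the thread notes the war task does not preserve permissions and the next unpack will reset them.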