Posted to users@tomcat.apache.org by Fred Stluka <fr...@bristle.com> on 2004/09/15 20:43:03 UTC

Re: Why does startup of Tomcat 5.0.28 server make tomcat-users.xml world-readable?...

Yoav,

Good idea.  My tomcat user currently has a umask setting of 022.
If I change it to 077, or even 066, the tomcat-users.xml file is still
re-written at server startup, but its protections are set to 600 as
I wanted, not 644.  This is an acceptable workaround for my
immediate problem.  Thanks!

Hmmm... I wonder if other files created by Tomcat (like the
server log files) will now be 600 also?  I liked having them
world-readable.

However, I still wonder:
1.  Why does Tomcat re-write the tomcat-users.xml file at
     startup?
2.  Why does it use the umask value instead of just leaving
     the protections as they were before it updated the file?
3.  Isn't this a problem for most Tomcat installations, since
     without the umask I had applied to my tomcat user, the
     default umask is 002, not 022, so the tomcat-users.xml
     file would be changed to 664, not merely 644, at each
     startup?  Seems like the default Tomcat behavior
     introduces a security risk.

--Fred
--------------------------------------------------------------------------
 Fred Stluka -- mailto:fred@bristle.com -- http://bristle.com/~fred/
 Bristle Software, Inc -- http://bristle.com -- "Glad to be of service!"
--------------------------------------------------------------------------
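The behaviour discussed in this thread, as an added example that is not part of the original mail or of Tomcat itself: a small POSIX shell script that reproduces why the umask of the user running the JVM decides the mode of tomcat-users.xml. A file that is replaced by a fresh one (write a temp file, rename it over the old one) gets 0666 masked by the umask, whatever mode it had before; a file that is rewritten in place keeps its old bits because no new inode is created. The file names and directories are constructed for the demonstration, and the script assumes GNU stat (with BSD stat as a fallback), mktemp and find.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat: show that the mode
# of a re-created file comes from the creating process's umask, not from the
# mode the file had before, while an in-place rewrite keeps the old mode.
# All paths below are constructed for the demonstration.

# file_mode PATH -> octal permission bits (GNU stat first, BSD stat as fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# mode_after_recreate OLDMODE UMASK -> mode of a file that existed with OLDMODE
# and was then replaced by a new file written under UMASK (write temp, rename).
# This is the pattern that produces 644 under umask 022 and 600 under 077.
mode_after_recreate() {
    dir=$(mktemp -d)
    : > "$dir/tomcat-users.xml"
    chmod "$1" "$dir/tomcat-users.xml"
    # umask in a subshell so it does not leak into the caller's shell
    ( umask "$2" && : > "$dir/tomcat-users.xml.tmp" )
    mv -f "$dir/tomcat-users.xml.tmp" "$dir/tomcat-users.xml"
    m=$(file_mode "$dir/tomcat-users.xml")
    rm -rf "$dir"
    printf '%s\n' "$m"
}

# mode_after_truncate OLDMODE UMASK -> mode of a file that existed with OLDMODE
# and was rewritten in place under UMASK. The umask is not consulted because
# the existing inode is only truncated, so the old bits survive.
mode_after_truncate() {
    dir=$(mktemp -d)
    : > "$dir/tomcat-users.xml"
    chmod "$1" "$dir/tomcat-users.xml"
    ( umask "$2" && printf '<tomcat-users/>\n' > "$dir/tomcat-users.xml" )
    m=$(file_mode "$dir/tomcat-users.xml")
    rm -rf "$dir"
    printf '%s\n' "$m"
}

# world_readable DIR -> regular files under DIR with the other-read bit set;
# the check worth running against the conf directory after a restart.
world_readable() {
    find "$1" -type f -perm -004
}

# Demonstration run
printf 'recreate 600 under umask 022: %s\n' "$(mode_after_recreate 600 022)"
printf 'recreate 600 under umask 002: %s\n' "$(mode_after_recreate 600 002)"
printf 'recreate 600 under umask 077: %s\n' "$(mode_after_recreate 600 077)"
printf 'truncate 600 under umask 022: %s\n' "$(mode_after_truncate 600 022)"
```

Run it as any unprivileged user; the first line prints 644, the second 664, the third 600, and the in-place rewrite prints 600 regardless of the umask. The same distinction explains why a restrictive umask on the service account is the lever available to an administrator when the application re-creates its own configuration files.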

"Shapira, Yoav" wrote:

> Hi,
> What if you set the umask for that user to not have world-readable
> files?  My guess is Tomcat simply uses the umask of the user that's
> running the JVM.
>
> Yoav Shapira
> Millennium Research Informatics
>
> >-----Original Message-----
> >From: Fred Stluka [mailto:fred@bristle.com]
> >Sent: Wednesday, September 15, 2004 1:51 PM
> >To: Tomcat Users List
> >Subject: Re: Why does startup of Tomcat 5.0.28 server make tomcat-users.xml world-readable?...
> >
> >Yoav,
> >
> >I have created a Linux user specifically to run Tomcat.
> >That user is the owner of the entire Tomcat directory
> >tree, including the tomcat-users.xml file.  The Tomcat
> >server process is running as that user.  I agree that that
> >600 should be sufficient for Tomcat to read and write
> >the file.
> >
> >No, I have not yet configured a security manager.
> >This is pretty much Tomcat 5.0.28 with minimal
> >configurations.
> >
> >--Fred
> >--------------------------------------------------------------------------
> > Fred Stluka -- mailto:fred@bristle.com -- http://bristle.com/~fred/
> > Bristle Software, Inc -- http://bristle.com -- "Glad to be of service!"
> >--------------------------------------------------------------------------
> >
> >"Shapira, Yoav" wrote:
> >
> >> Hi,
> >> Tomcat needs to change the file so that it (the Tomcat process) can
> >> (over)write it (the tomcat-users.xml file).  But you would think chmod
> >> u+w or g+w would be sufficient, not chmod o+w.  Are you running with a
> >> security manager?
> >>
> >> Yoav Shapira
> >> Millennium Research Informatics
> >
> >
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> >For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
> This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged.  This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else.  If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender.  Thank you.