Posted to dev@tomcat.apache.org by bu...@apache.org on 2009/07/10 17:33:30 UTC

DO NOT REPLY [Bug 47507] New: tomcat-users.xml is rewritten and made world-readable on startup (!)

https://issues.apache.org/bugzilla/show_bug.cgi?id=47507

           Summary: tomcat-users.xml is rewritten and made world-readable
                    on startup (!)
           Product: Tomcat 5
           Version: 5.5.23
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: tutufan@gmail.com


The file tomcat-users.xml, which may/does contain password information, is made
world-readable on startup, perhaps as a side effect of being rewritten.  The
rewriting itself seems like a bug (why is this being done?), but chmod'ing the
file to be world-readable is a serious security problem.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


DO NOT REPLY [Bug 47507] tomcat-users.xml is rewritten and made world-readable on startup (!)

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47507


tutufan@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |




--- Comment #2 from tutufan@gmail.com  2009-07-10 09:25:01 PST ---
Thank you for the quick response.  The 'readonly' option seems to solve my
problem.  It would be handy to have it mentioned on this page:

    http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html


With respect to the umask suggestion, this seems inadequate.  If tomcat really
wants to rewrite this file, it should be rewritten with permissions no looser
than the original permissions.  I'd call this a serious security bug.



DO NOT REPLY [Bug 47507] tomcat-users.xml is rewritten and made world-readable on startup (!)

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47507


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




--- Comment #1 from Mark Thomas <ma...@apache.org>  2009-07-10 08:59:17 PST ---
Use the readonly option and/or fix the umask for the user running Tomcat.

Further help and advice is available from the Tomcat users list.

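The two mitigations named in the reply above, the `readonly` attribute on the UserDatabase resource and the umask of the Tomcat process, can be verified with a small script. The following is an added example and is not code from the bug thread or from Tomcat itself; the file paths, the helper names and the server.xml fragment it writes are constructed for the demonstration. It checks whether a users file is readable by "other", checks whether the UserDatabase `<Resource>` element carries `readonly="true"`, and shows why the umask matters: a file rewritten under umask 022 comes out 644, under umask 077 it comes out 600.

```shell
#!/bin/sh
# Added example (not part of the bug thread or of Tomcat): verify the two
# mitigations discussed for tomcat-users.xml and demonstrate the umask effect.
# All paths and the sample server.xml fragment below are constructed.

# Octal permission bits of a file; GNU stat first, BSD/macOS stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 0 if "$1" is not readable by other users, 1 if it is, 2 if it does not exist.
users_file_is_private() {
    [ -e "$1" ] || return 2
    other=$(( $(file_mode "$1") % 10 ))   # last octal digit = "other" bits
    [ $(( other & 4 )) -eq 0 ]            # bit 4 = read permission
}

# Simulate Tomcat rewriting the users file while running under a given umask:
# a fresh file gets mode 0666 & ~umask, so the umask decides world-readability.
rewrite_under_umask() {
    ( umask "$1"; printf '<tomcat-users/>\n' > "$2" )
}

# 0 if the UserDatabase <Resource> element in "$1" has readonly="true", so
# Tomcat never rewrites the file. The element usually spans several lines in
# server.xml, so the file is flattened onto one line before matching.
userdatabase_is_readonly() {
    tr '\n' ' ' < "$1" \
      | grep -o '<Resource[^>]*name="UserDatabase"[^>]*>' \
      | grep -q 'readonly="true"'
}

# Write a constructed server.xml fragment to "$1"; "$2" is the readonly value.
write_sample_server_xml() {
    cat > "$1" <<EOF
<GlobalNamingResources>
  <Resource name="UserDatabase" auth="Container"
            type="org.apache.catalina.UserDatabase"
            factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
            pathname="conf/tomcat-users.xml" readonly="$2"/>
</GlobalNamingResources>
EOF
}

# Demonstration on temporary files.
demo() {
    d=$(mktemp -d)
    rewrite_under_umask 022 "$d/loose.xml"
    rewrite_under_umask 077 "$d/tight.xml"
    printf 'umask 022 -> mode %s\n' "$(file_mode "$d/loose.xml")"
    printf 'umask 077 -> mode %s\n' "$(file_mode "$d/tight.xml")"
    if users_file_is_private "$d/loose.xml"; then
        echo "loose.xml is private"
    else
        echo "loose.xml is world-readable: fix the umask of the Tomcat user"
    fi
    write_sample_server_xml "$d/server.xml" true
    if userdatabase_is_readonly "$d/server.xml"; then
        echo "UserDatabase is readonly: Tomcat will not rewrite tomcat-users.xml"
    fi
    rm -rf "$d"
}
demo
```

To use it against a real installation, call `users_file_is_private "$CATALINA_HOME/conf/tomcat-users.xml"` and `userdatabase_is_readonly "$CATALINA_HOME/conf/server.xml"` from the Tomcat user's shell; a non-zero result from either is the condition the bug report describes. Setting `readonly="true"` removes the rewrite entirely, while the umask only controls the mode of the rewritten file, so the two checks are complementary.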


DO NOT REPLY [Bug 47507] tomcat-users.xml is rewritten and made world-readable on startup (!)

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47507

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #3 from Mark Thomas <ma...@apache.org> 2009-12-10 13:10:46 GMT ---
I've updated the docs for trunk, 6.0.x and 5.5.x to include information on the
UserDatabaseRealm and configuring UserDatabase resources.

The Java API does not provide a mechanism to control file permissions so there
is little Tomcat can do in that regard. I have included a warning about the
side-effects of writing the file in the new documentation.
