Posted to dev@tomcat.apache.org by bu...@apache.org on 2009/07/10 17:33:30 UTC
DO NOT REPLY [Bug 47507] New: tomcat-users.xml is rewritten and made world-readable on startup (!)
https://issues.apache.org/bugzilla/show_bug.cgi?id=47507
Summary: tomcat-users.xml is rewritten and made world-readable on startup (!)
Product: Tomcat 5
Version: 5.5.23
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: tutufan@gmail.com
The file tomcat-users.xml, which may/does contain password information, is made
world-readable on startup, perhaps as a side effect of being rewritten. The
rewriting itself seems like a bug (why is this being done?), but chmod'ing the
file to be world-readable is a serious security problem.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
tutufan@gmail.com changed:
What       | Removed  | Added
-----------|----------|---------
Status     | RESOLVED | REOPENED
Resolution | INVALID  |
--- Comment #2 from tutufan@gmail.com 2009-07-10 09:25:01 PST ---
Thank you for the quick response. The 'readonly' option seems to solve my
problem. It would be handy to have it mentioned on this page:
http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html
With respect to the umask suggestion, this seems inadequate. If tomcat really
wants to rewrite this file, it should be rewritten with permissions no looser
than the original permissions. I'd call this a serious security bug.
Mark Thomas <ma...@apache.org> changed:
What       | Removed | Added
-----------|---------|---------
Status     | NEW     | RESOLVED
Resolution |         | INVALID
--- Comment #1 from Mark Thomas <ma...@apache.org> 2009-07-10 08:59:17 PST ---
Use the readonly option and/or fix the umask for the user running Tomcat.
Further help and advice is available from the Tomcat users list.
Mark Thomas <ma...@apache.org> changed:
What       | Removed  | Added
-----------|----------|---------
Status     | REOPENED | RESOLVED
Resolution |          | FIXED
--- Comment #3 from Mark Thomas <ma...@apache.org> 2009-12-10 13:10:46 GMT ---
I've updated the docs for trunk, 6.0.x and 5.5.x to include information on the
UserDatabaseRealm and configuring UserDatabase resources.
The Java API does not provide a mechanism to control file permissions so there
is little Tomcat can do in that regard. I have included a warning about the
side-effects of writing the file in the new documentation.
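An added audit script, not from this thread or from Tomcat itself, for the two mitigations Mark Thomas names: it flags a tomcat-users.xml that other users can read and confirms that the UserDatabase resource in server.xml carries readonly="true". The readonly attribute and the conf/tomcat-users.xml path are the real Tomcat ones discussed above; the sample server.xml, user entry and password value are constructed.

```shell
#!/bin/sh
# Added example, not from the bug thread or from Tomcat: audit the two
# mitigations discussed in Bug 47507 against a constructed conf directory.
set -eu

# Exit 0 when the file grants any permission to "other" (the world-readable
# state the report describes). GNU stat first, BSD stat as fallback.
is_world_accessible() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1")
    [ "$(printf '%s' "$mode" | tail -c 1)" != "0" ]
}
# Exit 0 when the UserDatabase <Resource> pointing at conf/tomcat-users.xml
# carries readonly="true", so Tomcat never rewrites the file on startup.
userdb_is_readonly() {
    tr -d '\n' < "$1" | grep -o '<Resource[^>]*>' \
        | grep 'pathname="conf/tomcat-users.xml"' | grep -q 'readonly="true"'
}
# Constructed sample: minimal server.xml plus a tomcat-users.xml left at
# mode 644, as a Tomcat process running with umask 022 would leave it.
make_sample_conf() {
    dir=$(mktemp -d)
    cat > "$dir/server.xml" <<'EOF'
<Server><GlobalNamingResources>
  <Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase"
            factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
            pathname="conf/tomcat-users.xml" readonly="true"/>
</GlobalNamingResources></Server>
EOF
    printf '<tomcat-users>\n  <user username="admin" password="PLACEHOLDER" roles="manager"/>\n</tomcat-users>\n' \
        > "$dir/tomcat-users.xml"
    chmod 644 "$dir/tomcat-users.xml"
    printf '%s' "$dir"
}
# Run both checks on a conf directory; the exit status is the problem count.
audit_userdb() {
    problems=0
    if is_world_accessible "$1/tomcat-users.xml"; then
        echo "FAIL: $1/tomcat-users.xml is readable by others (chmod 600 it and fix the umask)"
        problems=$((problems + 1))
    fi
    if ! userdb_is_readonly "$1/server.xml"; then
        echo "FAIL: UserDatabase resource lacks readonly=\"true\"; Tomcat may rewrite the file"
        problems=$((problems + 1))
    fi
    return $problems
}

# Stand-alone use: sh audit.sh /path/to/tomcat/conf
[ -z "${1:-}" ] || audit_userdb "$1"
```

Point `audit_userdb` at a real conf directory; the exit status is the number of findings, so the script drops straight into a cron or CI check.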