Posted to dev@tomcat.apache.org by bu...@apache.org on 2002/08/09 11:37:12 UTC

DO NOT REPLY [Bug 11584] New: - Configuration files owned by tomcat3 not root

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11584>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

           Summary: Configuration files owned by tomcat3 not root
           Product: Tomcat 3
           Version: 3.3 Final
          Platform: PC
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: Major
          Priority: Other
         Component: Unknown
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: pete@idnet.net.uk


Tomcat 3.3.1, when installed from rpm, runs as user tomcat3 and has its
configuration files rewritable by this user.

[root@hovercraft pete]# ls -l /etc/tomcat3/conf/tomcat3.conf
-rw-r--r--    1 tomcat3  tomcat3       866 Apr 30 16:28 /etc/tomcat3/conf/tomcat3.conf


However, this file allows you to specify the user tomcat runs as - i.e. the
tomcat3 user can rewrite his user directive to be root and then wait for a
restart, allowing him to escalate his user level to root. I think the
configuration files should be owned by root, not tomcat3.

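An added example, not part of the original report or of the Tomcat packaging: a shell function that checks the condition the report asks for, namely that nothing under the configuration directory is owned by, or writable for, an account other than root. The function name audit_conf, its exit codes and the reliance on stat -c (GNU or BusyBox) are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the original bug report.
# audit_conf DIR [OWNER_UID]
#   Flags every file and directory under DIR (DIR included) that is not
#   owned by OWNER_UID (default 0, root) or is writable by group or other.
#   DIR itself matters: write access to a directory allows replacing the
#   files in it. Prints one line per finding.
#   Returns 0 if clean, 1 if anything was flagged, 2 if DIR is unusable.
# Assumes GNU or BusyBox stat (the -c option), as found on Linux.
audit_conf() {
    dir=$1
    want_uid=${2:-0}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    findings=$(
        find "$dir" \( -type f -o -type d \) -exec stat -c '%u %a %n' {} + |
        while read -r uid mode path; do
            [ "$uid" -eq "$want_uid" ] ||
                echo "owner uid $uid, expected $want_uid: $path"
            # %a is octal: last digit = other, second to last = group;
            # bit value 2 in a digit is the write permission.
            if [ $(( (mode / 10 % 10) & 2 )) -ne 0 ] ||
               [ $(( (mode % 10) & 2 )) -ne 0 ]; then
                echo "group/other writable (mode $mode): $path"
            fi
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run as a script: sh audit_conf.sh /etc/tomcat3/conf
if [ "$#" -gt 0 ]; then
    audit_conf "$@"
fi
```

A non-zero exit from the audit of /etc/tomcat3/conf on the system in the report would correspond to the tomcat3-owned tomcat3.conf shown in the ls output.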