Bug 46815 - Tomcat user database file - permission problem on Unix systems
Summary: Tomcat user database file - permission problem on Unix systems
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Catalina
Version: 6.0.18
Hardware: All Solaris
Importance: P2 major
Target Milestone: default
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-03-06 06:15 UTC by Petr Sumbera
Modified: 2009-05-02 18:03 UTC
Description Petr Sumbera 2009-03-06 06:15:00 UTC
From the Tomcat tar archive I get:

ls  -l apache-tomcat-6.0.18/conf/tomcat-users.xml
-rw-------   1 tomcat staff       1107 Jul 21  2008 apache-tomcat-6.0.18/conf/tomcat-users.xml

But Tomcat itself changes this during its first run:

ls -l apache-tomcat-6.0.18/conf/tomcat-users.xml
-rw-r--r-   1 tomcat staff      70 Feb 12 08:31 apache-tomcat-6.0.18/conf/tomcat-users.xml

This is bad from a security perspective.

See also:
http://www.nabble.com/tomcat-users.xml-Unix-file-permissions-and-security-(possible-patch)-td21980349.html#a21980349
Comment 1 Mark Thomas 2009-03-06 07:23:59 UTC
This is configurable and has been discussed several times on the users list.

There are several ways of searching the archives. I recommend http://tomcat.markmail.org/
Comment 2 Petr Sumbera 2009-03-06 07:34:05 UTC
If you mean the possibility of a read-only database, then I ask why it's not in the default configuration?

To me it's insecure by default and it's wrong. So, I'm opening it again (last time, I promise ;-)
Comment 3 Mark Thomas 2009-03-07 08:33:47 UTC
I suspect that it is read/write by default as a legacy of the 5.5.x admin app, which could add and remove users (you can still do this in 6.0.x using JMX).

I assume you are aware that this realm isn't intended for production use (although lots of people do...)

I have changed it to read only by default in trunk and proposed the change for 6.0.x. It may not get back-ported for fear of breaking existing installations.
Comment 4 Mark Thomas 2009-05-02 18:03:22 UTC
The patch has been applied to 6.0.x and will be included in 6.0.20 onwards.
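As an added example that is not part of this bug report or of Tomcat itself, a small POSIX shell audit for the two points raised in the description and in Comment 3: whether conf/tomcat-users.xml has been left group- or world-readable after a run, and whether the UserDatabase resource in conf/server.xml carries readonly="true" so Tomcat never rewrites the file. The attribute name and the server.xml layout are assumed from Tomcat's stock configuration, not quoted from this page; the fixture directory is constructed for the demonstration.

```shell
#!/bin/sh
# Audit a CATALINA_BASE for the problem described in the report:
#   1. conf/tomcat-users.xml must deny all access to group and other
#      (the report shows Tomcat rewriting it from 0600 to 0644).
#   2. the UserDatabase <Resource> in conf/server.xml should have
#      readonly="true" (assumed attribute name from stock server.xml).
# Only ls/cut/tr/grep are used, so it also runs on Solaris, where GNU stat -c is absent.

# Return 0 if the group and other permission bits (columns 5-10 of ls -l) are all clear.
perms_private() {
  mode=$(ls -ld "$1" | cut -c5-10)   # e.g. "------" for 0600, "r--r--" for 0644
  [ "$mode" = "------" ]
}

# Return 0 if server.xml marks the UserDatabase resource readonly="true".
userdb_readonly() {
  # join lines so a <Resource ...> element split over several lines still matches
  tr '\n' ' ' < "$1" | grep -q '<Resource[^>]*name="UserDatabase"[^>]*readonly="true"'
}

# $1 = CATALINA_BASE; returns 0 only when both checks pass.
audit_tomcat() {
  rc=0
  perms_private "$1/conf/tomcat-users.xml" || { echo "tomcat-users.xml is readable by group/other"; rc=1; }
  userdb_readonly "$1/conf/server.xml"   || { echo "UserDatabase resource is not readonly=\"true\""; rc=1; }
  return $rc
}

# Constructed fixture: $1 = dir, $2 = mode for tomcat-users.xml, $3 = readonly value.
make_fixture() {
  mkdir -p "$1/conf"
  : > "$1/conf/tomcat-users.xml"
  chmod "$2" "$1/conf/tomcat-users.xml"
  cat > "$1/conf/server.xml" <<EOF
<Server>
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" readonly="$3"/>
  </GlobalNamingResources>
</Server>
EOF
}
```

Run `audit_tomcat /path/to/catalina_base` from cron or a configuration check to catch an install that has drifted back to the reported state.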