Summary: Tomcat user database file - permission problem on Unix systems
Product: Tomcat 6
Reporter: Petr Sumbera <petr.sumbera>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Description Petr Sumbera 2009-03-06 06:15:00 UTC
From the Tomcat tar archive I get:

ls -l apache-tomcat-6.0.18/conf/tomcat-users.xml
-rw------- 1 tomcat staff 1107 Jul 21 2008 apache-tomcat-6.0.18/conf/tomcat-users.xml

But Tomcat itself changes this during its first run:

ls -l apache-tomcat-6.0.18/conf/tomcat-users.xml
-rw-r--r- 1 tomcat staff 70 Feb 12 08:31 apache-tomcat-6.0.18/conf/tomcat-users.xml

This is bad from a security perspective.

See also: http://www.nabble.com/tomcat-users.xml-Unix-file-permissions-and-security-(possible-patch)-td21980349.html#a21980349
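The condition the reporter describes (a credentials file that Tomcat rewrites as group/world-readable) is easy to check for and correct from a shell. The script below is an added example, not part of this bug report or of Tomcat itself: it reads the mode string the way `ls -l` prints it, flags files whose group or other read bit is set, and optionally restricts them to mode 600. The installation path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the bug report: audit files such as
# conf/tomcat-users.xml for the -rw-r--r-- state the reporter observed after
# Tomcat's first run, and restore owner-only access. Paths are assumptions.

# Print the ten-character mode string (e.g. -rw-r--r--) for a path.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Succeed (exit 0) if group or others have the read bit set.
# In the mode string, character 5 is group read and character 8 is other read.
is_group_or_world_readable() {
    p=$(perm_string "$1") || return 2
    case "$p" in
        ????r*|???????r*) return 0 ;;
        *) return 1 ;;
    esac
}

# Restrict a file to owner read/write (mode 600), print the before/after
# modes, and succeed only if the file is no longer readable by group/others.
restrict_to_owner() {
    before=$(perm_string "$1") || return 2
    chmod 600 "$1" || return 2
    after=$(perm_string "$1")
    echo "$1: $before -> $after"
    is_group_or_world_readable "$1" && return 1
    return 0
}

# Audit a list of files, printing a warning for each one that is too
# permissive. The exit status is the number of offending files, so 0 means
# every file is owner-only.
audit_private_files() {
    bad=0
    for f in "$@"; do
        if is_group_or_world_readable "$f"; then
            echo "WARNING: $f is readable by group/others: $(perm_string "$f")"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Usage on a real installation (path is an assumption):
#   audit_private_files /opt/tomcat/conf/tomcat-users.xml && echo "ok"
#   restrict_to_owner /opt/tomcat/conf/tomcat-users.xml
```

Fixing the mode bits only treats the symptom: if Tomcat is still allowed to rewrite the file, the next restart can widen it again. The configurable behaviour referred to in Comment 3 is the `readonly` attribute of the UserDatabase `<Resource>` in conf/server.xml; with it set to true Tomcat reads the file but never writes it back, so a mode of 600 set once stays in place.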
Comment 1 Mark Thomas 2009-03-06 07:23:59 UTC
This is configurable and has been discussed several times on the users list. There are several ways of searching the archives. I recommend http://tomcat.markmail.org/
Comment 2 Petr Sumbera 2009-03-06 07:34:05 UTC
If you mean the possibility of a read-only database, then I ask why it's not in the default configuration? To me it's insecure by default and it's wrong. So, I'm opening it again (last time, I promise ;-)
Comment 3 Mark Thomas 2009-03-07 08:33:47 UTC
I suspect that it is read-write by default as a legacy of the 5.5.x admin app, which could add and remove users (you can still do this in 6.0.x using JMX). I assume you are aware that this realm isn't intended for production use (although lots of people do...). I have changed it to read-only by default in trunk and proposed the change for 6.0.x. It may not get back-ported for fear of breaking existing installations.
Comment 4 Mark Thomas 2009-05-02 18:03:22 UTC
The patch has been applied to 6.0.x and will be included in 6.0.20 onwards.