Bug 46815

Summary: Tomcat user database file - permission problem on Unix systems
Product: Tomcat 6
Reporter: Petr Sumbera <petr.sumbera>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Severity: major
Priority: P2
Version: 6.0.18
Target Milestone: default
Hardware: All
OS: Solaris

Description Petr Sumbera 2009-03-06 06:15:00 UTC
From the Tomcat tar archive I get:

ls  -l apache-tomcat-6.0.18/conf/tomcat-users.xml
-rw-------   1 tomcat staff       1107 Jul 21  2008 apache-tomcat-6.0.18/conf/tomcat-users.xml

But Tomcat itself changes this during its first run:

ls -l apache-tomcat-6.0.18/conf/tomcat-users.xml
-rw-r--r-   1 tomcat staff      70 Feb 12 08:31 apache-tomcat-6.0.18/conf/tomcat-users.xml

This is bad from a security perspective.

See also:
Comment 1 Mark Thomas 2009-03-06 07:23:59 UTC
This is configurable and has been discussed several times on the users list.

There are several ways of searching the archives. I recommend http://tomcat.markmail.org/
Comment 2 Petr Sumbera 2009-03-06 07:34:05 UTC
If you mean the possibility of a read-only database, then I ask why it's not in the default configuration?

To me it's insecure by default and it's wrong. So, I'm opening it again (last time I promise ;-)
Comment 3 Mark Thomas 2009-03-07 08:33:47 UTC
I suspect that it is read-write by default as a legacy of the 5.5.x admin app which could add and remove users (you can still do this in 6.0.x using JMX).

I assume you are aware that this realm isn't intended for production use (although lots of people do...)

I have changed it to read only by default in trunk and proposed the change for 6.0.x. It may not get back-ported for fear of breaking existing installations.
Comment 4 Mark Thomas 2009-05-02 18:03:22 UTC
The patch has been applied to 6.0.x and will be included in 6.0.20 onwards.
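An added check script (not from the bug report or the Tomcat project) that an administrator running a 6.0.18 or earlier build could use to detect the condition the reporter describes: the user database file becoming group/other readable after Tomcat rewrites it, and the UserDatabase resource in server.xml not being declared read-only. It assumes the `readonly="true"` attribute of Tomcat's MemoryUserDatabase resource (which is what the fix above switches on by default) and uses only `ls -l` and `grep` so it works on Solaris as well as Linux. The demo files it creates are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Tomcat itself.

# Returns 0 if FILE is readable only by its owner (group and other bits all
# clear), 1 otherwise. Positions 5-10 of the ls -l mode string are the
# group and other permission triplets, so this is portable across Solaris
# and Linux without relying on a non-standard stat(1).
perm_is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Returns 0 if SERVER_XML declares the user database read-only, i.e. the
# UserDatabase <Resource> carries readonly="true" (assumption: that is the
# attribute name used by MemoryUserDatabase), 1 otherwise.
userdb_is_readonly() {
    grep -q 'readonly="true"' "$1"
}

# Report on a Tomcat installation: CATALINA_BASE is the directory that
# holds conf/. Exit status 0 means both checks passed, 1 means at least
# one of them found the insecure state from the report.
check_tomcat_userdb() {
    base=$1
    rc=0
    if ! perm_is_private "$base/conf/tomcat-users.xml"; then
        echo "WARN: $base/conf/tomcat-users.xml is readable by group/other; chmod 600 it"
        rc=1
    fi
    if ! userdb_is_readonly "$base/conf/server.xml"; then
        echo "WARN: UserDatabase resource in $base/conf/server.xml is not readonly=\"true\""
        rc=1
    fi
    return $rc
}

# Stand-alone demonstration on a constructed CATALINA_BASE in a temp dir:
# a world-readable users file and a server.xml without the readonly flag,
# which is exactly the state the reporter saw after the first start-up.
demo() {
    base=$(mktemp -d)
    mkdir "$base/conf"
    printf '<tomcat-users/>\n' > "$base/conf/tomcat-users.xml"
    chmod 644 "$base/conf/tomcat-users.xml"
    printf '<Resource name="UserDatabase" pathname="conf/tomcat-users.xml"/>\n' \
        > "$base/conf/server.xml"
    check_tomcat_userdb "$base"
    echo "demo exit status: $?"
    rm -rf "$base"
}

# Run the demo only when executed directly, not when sourced.
[ "${0##*/}" = "sh" ] || [ -n "$SOURCED" ] || demo
```

Fixing the state it reports is `chmod 600 conf/tomcat-users.xml` plus adding `readonly="true"` to the UserDatabase resource, which is what 6.0.20 ships by default; keeping the file mode strict only helps if Tomcat never rewrites the file, so both settings belong together.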