Bug 26992 - File permission security hole
Status: RESOLVED WONTFIX
Alias: None
Product: serverplugins
Classification: Unclassified
Component: Tomcat
Version: 3.x
Hardware: PC Linux
Importance: P3 blocker
Assignee: Milan Kuchtiak
Reported: 2002-09-03 21:13 UTC by _ proxity
Modified: 2004-08-13 12:11 UTC
Issue Type: DEFECT
Description _ proxity 2002-09-03 21:13:41 UTC
tomcat4/conf/tomcat-users.xml in the NetBeans directory can contain passwords but is installed world-readable on Linux.
Regarding standalone tomcat4 installations, it's sufficient if only the tomcat4 user can read it.
I suggest also doing this inside NetBeans.
Comment 1 Milan Kuchtiak 2002-09-04 08:10:31 UTC
Currently, there is no security support for the bundled Tomcat server. Certainly this is a reasonable requirement.
Comment 2 Milan Kuchtiak 2003-03-03 13:12:41 UTC
This security issue should be solved somehow in future versions of the Tomcat plugins.
Comment 3 Milan Kuchtiak 2004-06-29 16:28:40 UTC
We discussed the issue and decided that it is not a bug.

Justification:

In Linux, the userdir is created by default in the /home/user directory.
The directory shouldn't be readable by other users. If it is, there
is a bigger security issue, as other users can do sabotage in the
user directory.

We've implemented a small security measure for the Tomcat Manager
application access. The password is generated randomly for the
netbeans user, so it is difficult for others to guess it.
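
The two positions in this thread, as an added shell example that is not NetBeans or Tomcat code: whether another local user can read tomcat-users.xml depends on the file's own mode and on search permission for every directory above it. The directory layout, the modes and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example; not NetBeans or Tomcat code. All paths and modes are constructed.

# has_mode PATH BITS: succeeds if PATH has every permission bit in BITS (octal).
has_mode() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# exposed_to_others FILE [TOP]: succeeds if the "other" permission class can
# read FILE, i.e. FILE is o+r and each directory from FILE's parent up to TOP
# (default /) is o+x. Group access is not examined.
exposed_to_others() {
    top=${2:-/}
    has_mode "$1" 004 || return 1
    dir=$(dirname "$1")
    while :; do
        has_mode "$dir" 001 || return 1
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ] || [ "$dir" = "." ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return 0
}

# check_tree USERDIR_MODE FILE_MODE: build a constructed userdir containing
# tomcat4/conf/tomcat-users.xml with those modes; print "exposed" or "private".
check_tree() {
    root=$(mktemp -d) || return 2
    mkdir -p "$root/userdir/tomcat4/conf"
    conf="$root/userdir/tomcat4/conf/tomcat-users.xml"
    echo '<tomcat-users/>' > "$conf"
    chmod 755 "$root/userdir/tomcat4" "$root/userdir/tomcat4/conf"
    chmod "$1" "$root/userdir"
    chmod "$2" "$conf"
    if exposed_to_others "$conf" "$root/userdir"; then
        result=exposed
    else
        result=private
    fi
    rm -rf "$root"
    echo "$result"
}

check_tree 755 644   # traversable userdir, world-readable file (constructed modes)
check_tree 700 644   # owner-only userdir, the assumption in comment 3
check_tree 755 600   # owner-only file, the reporter's suggestion
```

Setting the file to 600 keeps it private even when the userdir assumption does not hold, for example when the userdir is relocated outside the home directory.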