Bug#268002: tomcat4: server.xml is publicly readable so any user can shutdown
Roland Turner
Roland Turner <raz.qrovna.bet@raz.cx>, 268002@bugs.debian.org
Wed Aug 25 08:10:01 2004
Package: tomcat4
Version: 4.1.30-6
Severity: wishlist
At present, /etc/tomcat4/server.xml is mode 644. This means that any
legitimate user or rogue process has access to the shutdown
string and can shut tomcat down. This is a minor DoS and something of
a corner case (it affects tomcat instances running on large multi-user
boxes and stymies hardening measures designed to allow a server to "play
hurt" (continue giving partial service when partially compromised)),
but still an interesting one. This could be overcome by creating a
tomcat4 group, running the tomcat instance with this group ID,
changing the group ownership of server.xml to tomcat4 and changing
the mode to 640. This provides both confidentiality of the
shutdown secret and prevents a compromised tomcat instance from
manipulating its own configuration (because while the tomcat4
group can read the file, only root can write it).
- Raz
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.6-1-686
Locale: LANG=C, LC_CTYPE=C
Versions of packages tomcat4 depends on:
ii adduser 3.59 Add and remove users and groups
ii apache-utils 1.3.31-3 Utility programs for webservers
ii eclipse-javac [java-compiler 2.1.3-4 Eclipse Java compiler and ant plug
ii j2re1.3 [java-virtual-machin 1.3.1.02b-2 Blackdown Java(TM) 2 Runtime Envir
ii j2re1.4 [java-virtual-machin 1.4.1-6 Blackdown Java(TM) 2 Runtime Envir
ii j2sdk1.3 [java-compiler] 1.3.1.02b-2 Blackdown Java(TM) 2 SDK, Standard
ii j2sdk1.4 [java-compiler] 1.4.1-6 Blackdown Java(TM) 2 SDK, Standard
pn libtomcat4-java Not found.
-- no debconf information
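The following is an added shell example, not part of the bug report or of the Debian tomcat4 package. It audits a server.xml for the problem described above (a world-readable file that carries the shutdown string) and applies the proposed fix: group tomcat4, mode 0640. The group name tomcat4 and the path /etc/tomcat4/server.xml are taken from the report; the sample server.xml is constructed here, and the chown step is only attempted when run as root against an existing group, so the script can also be tried unprivileged in a temporary directory.

```shell
#!/bin/sh
# Added example: audit and harden a Tomcat server.xml so that the shutdown
# string is no longer readable by every local user.  Not Debian's own code.
set -eu

# Octal mode of a file ("644"), GNU stat first, BSD stat as a fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# The shutdown command string lives in <Server ... shutdown="...">.
# Anyone who can read it can connect to the shutdown port and stop Tomcat.
shutdown_string() {
    sed -n 's/.*<Server[^>]*shutdown="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Report "world-readable" when the file exposes a shutdown string and the
# 'other' read bit is set, otherwise "ok".
audit_server_xml() {
    file=$1
    m=$(mode_of "$file")
    other=${m#"${m%?}"}           # last octal digit: permissions for 'other'
    if [ -n "$(shutdown_string "$file")" ] && [ $(( other & 4 )) -ne 0 ]; then
        echo world-readable
    else
        echo ok
    fi
}

# Apply the fix proposed in the report: root:tomcat4 with mode 0640, so the
# tomcat4 group can read the shutdown secret but only root can change the
# configuration.  chown is attempted only as root and only when the group
# exists (the group name is an assumption taken from the report); the mode
# change alone already removes world read access.
harden_server_xml() {
    file=$1
    group=${2:-tomcat4}
    if [ "$(id -u)" -eq 0 ] && getent group "$group" >/dev/null 2>&1; then
        chown root:"$group" "$file"
    fi
    chmod 0640 "$file"
    mode_of "$file"
}

# Stand-alone demonstration on a constructed server.xml (not Debian's file):
# prints the audit result before and after hardening.
demo() {
    tmp=$(mktemp -d)
    cfg=$tmp/server.xml
    cat >"$cfg" <<'EOF'
<?xml version="1.0" encoding="ISO-8859-1"?>
<Server port="8005" shutdown="SHUTDOWN" debug="0">
  <Service name="Tomcat-Standalone">
  </Service>
</Server>
EOF
    chmod 0644 "$cfg"                 # the mode the report complains about
    before=$(audit_server_xml "$cfg")
    harden_server_xml "$cfg" >/dev/null
    after=$(audit_server_xml "$cfg")
    rm -rf "$tmp"
    echo "$before $after"
}

demo
```

On a real system the same functions would be pointed at /etc/tomcat4/server.xml as root; the mode change is only half of the fix, because Tomcat itself must then run with the tomcat4 group so that it can still read its configuration.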