Bug#434762: tomcat5.5: tomcat-users.xml contains sensitive data, yet it is world-readable

David Pashley david at davidpashley.com
Thu Jul 26 22:54:24 UTC 2007


On Jul 26, 2007 at 20:43, Michael Koch praised the llamas by saying:
> On Thu, Jul 26, 2007 at 06:17:28PM +0200, Marcus Better wrote:
> > severity 434762 minor
> > thanks
> > 
> > > /var/lib/tomcat5.5/conf/tomcat-users.xml comes with file permissions
> > > 644.
> > 
> > Yes, but /var/lib/tomcat5.5 is not world-readable:
> > 
> > ~$ ls -ld /var/lib/tomcat5.5/conf
> > drwxr-x--- 3 tomcat55 adm 4096 2007-07-26 09:08 /var/lib/tomcat5.5/conf/
> > 
> > Still we could change the file permissions to be on the safe side.
> 
> I think this is a grave issue because this file contains world readable
> passwords, which is clearly a security issue and not minor.
> 
>
mojo-jojo david% less /var/lib/tomcat5.5/conf/tomcat-users.xml
/var/lib/tomcat5.5/conf/tomcat-users.xml: Permission denied

root@mojo-jojo:~# ls -l /var/lib/tomcat5.5/conf/ -d
drwxr-x--- 3 tomcat55 adm 4096 2007-07-17 19:39 /var/lib/tomcat5.5/conf//
root@mojo-jojo:~# ls -l /var/lib/tomcat5.5/conf/
...
-rw-r--r-- 1 tomcat55 nogroup  310 2007-07-17 19:39 tomcat-users.xml
...

The file isn't readable by other users, so it isn't grave.

-- 
David Pashley
david at davidpashley.com
Nihil curo de ista tua stulta superstitione.
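
The observation in the message above (a 644 file under a 750 directory is not readable by other users) can be checked mechanically by walking the path. The script below is an added example, not part of the original thread or of the tomcat5.5 package; the function names, the BASE argument and the temporary directory layout are assumptions of the example.

```shell
#!/bin/sh
# Added example: decide whether the "other" permission class can actually read
# a file, by checking o+r on the file and o+x on each ancestor directory.
# Mode bits only: ACLs, capabilities and MAC policy are not considered.

# has_bits PATH OCTAL -> success if every bit in OCTAL is set on PATH
has_bits() {
    [ -n "$(find -H "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# other_can_read FILE [BASE]
# Prints a verdict; returns 0 if "other" can read FILE, 1 if not.
# BASE (hypothetical parameter, default /) is where the upward walk stops;
# BASE itself and anything above it are not checked.
other_can_read() {
    file=$1
    base=${2:-/}
    if ! has_bits "$file" 0004; then
        echo "blocked: $file lacks o+r"
        return 1
    fi
    dir=$(dirname "$file")
    while [ "$dir" != "$base" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        if ! has_bits "$dir" 0001; then
            echo "blocked: $dir lacks o+x"
            return 1
        fi
        dir=$(dirname "$dir")
    done
    echo "exposed: $file is readable by other"
    return 0
}

# Constructed layout mirroring the listing above: conf/ is 750, the file is 644.
demo() {
    root=$(mktemp -d) || return 2
    mkdir -p "$root/conf"
    : > "$root/conf/tomcat-users.xml"
    chmod 644 "$root/conf/tomcat-users.xml"
    chmod 750 "$root/conf"
    first=0;  other_can_read "$root/conf/tomcat-users.xml" "$root" || first=$?
    chmod 755 "$root/conf"   # a later change to the directory mode
    second=0; other_can_read "$root/conf/tomcat-users.xml" "$root" || second=$?
    rm -rf "$root"
    [ "$first" -eq 1 ] && [ "$second" -eq 0 ]
}
demo
```

The check covers only the "other" class: in the listing above the directory is group `adm` with `r-x`, so members of `adm` can traverse it and read the 644 file.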



