Bugzilla – Full Text Bug Listing
| Summary: | tomcat users file world-readable | | |
|---|---|---|---|
| Product: | [openSUSE] SUSE LINUX 10.0 | Reporter: | Glenn Holmer <gholmer> |
| Component: | Security | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED WONTFIX | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | | |
| Priority: | P5 - None | CC: | security-team |
| Version: | Beta 4 | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | All | | |
| Whiteboard: | | | |
| Found By: | Other | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description

Glenn Holmer
2005-09-02 15:51:39 UTC

reassigned to maintainer. This is reverted by tomcat itself when it starts up (and not by our startup scripts). I have to look deeper where (and why) that happens. This is a WONTFIX in the upstream bugzilla, see: http://issues.apache.org/bugzilla/show_bug.cgi?id=19483 Security Team, please advise.

More data: The file /etc/tomcat5/base/tomcat-users.xml can be used to configure users for use in tomcat webapps. Any user in the groups "admin" or "manager" has access to special configuration webapps. The file contains users and passwords in clear text; its use is not recommended (see discussion in the apache.org bugzilla). By default, no user belongs to the groups "admin" or "manager", so a default installation is safe.

If tomcat runs under a dedicated user and only that user ever accesses the database, it doesn't seem to be logical to me to have a file that contains passwords in plaintext with mode 644.

Is that a request to patch tomcat even if the upstream project explicitly rejected the bug?

No, we should go with upstream here. (Even if I think it's worth patching.) Glenn, if you want it to be fixed, contact the developers please.
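The two conditions the thread turns on, a tomcat-users.xml that other local users can read and an entry that holds the "admin" or "manager" role, can be checked after each Tomcat start, since the report says Tomcat itself rewrites the file (and its mode) on startup. The audit below is an added example for this bug, not code from the bug report, from SUSE or from the Tomcat project. The sample file contents, the user names and passwords in it are constructed for the example; the file name, the mode 644 and the two privileged role names come from the thread.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample in the tomcat-users.xml layout. The user names and
# passwords are made up for this example, not taken from any real install.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="ops" password="s3cret" roles="admin,manager"/>
</tomcat-users>
"""

# Roles the bug report singles out as granting access to the admin/manager webapps.
PRIVILEGED_ROLES = ("admin", "manager")


def write_sample(directory, mode):
    """Write the constructed sample and force the given permission bits on it."""
    path = os.path.join(directory, "tomcat-users.xml")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_TOMCAT_USERS)
    os.chmod(path, mode)
    return path


def is_world_readable(path):
    """True if group or other can read the file (mode 644 qualifies)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def privileged_users(path):
    """Map username -> sorted list of privileged roles, for users holding any."""
    root = ET.parse(path).getroot()
    result = {}
    for user in root.iter("user"):
        name = user.get("username") or user.get("name")
        roles = {r.strip() for r in (user.get("roles") or "").split(",") if r.strip()}
        held = sorted(roles.intersection(PRIVILEGED_ROLES))
        if held:
            result[name] = held
    return result


def audit(path):
    """Return a list of human-readable findings; an empty list means nothing to report."""
    findings = []
    readable = is_world_readable(path)
    if readable:
        findings.append("%s is readable by group/other" % path)
    for name, roles in privileged_users(path).items():
        findings.append("user %r holds privileged role(s) %s" % (name, ",".join(roles)))
    root = ET.parse(path).getroot()
    if readable and any(u.get("password") for u in root.iter("user")):
        findings.append("password attributes present in a file other users can read")
    return findings


def demo():
    """Audit the sample once at mode 644 (as shipped) and once at owner-only mode 600."""
    with tempfile.TemporaryDirectory() as tmp:
        loose = audit(write_sample(tmp, 0o644))
        tight = audit(write_sample(tmp, 0o600))
    return {"mode644": loose, "mode600": tight}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or ["no findings"])
```

Point `audit()` at the real /etc/tomcat5/base/tomcat-users.xml to run it on a host; the mode-600 run in `demo()` shows that tightening the permission bits silences the readability findings but still reports any user who holds "admin" or "manager", which is the part of the file that actually grants access to the configuration webapps.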