Hi all,

From the Tomcat tar archive I get:

ls -l apache-tomcat-6.0.18/conf/tomcat-users.xml
-rw------- 1 tomcat staff 1107 Jul 21 2008 apache-tomcat-6.0.18/conf/tomcat-users.xml

But Tomcat itself changes this during its first run:

ls -l apache-tomcat-6.0.18/conf/tomcat-users.xml
-rw-r--r- 1 tomcat staff 70 Feb 12 08:31 apache-tomcat-6.0.18/conf/tomcat-users.xml

This is bad from a security perspective. Why not write directly to the file and avoid renaming? The risk of a problem during saving is probably smaller than readable passwords...

See attached patch (it would need some more clearance).

Thanks,
Petr

http://www.nabble.com/file/p21980349/MemoryUserDatabase.diff MemoryUserDatabase.diff

--
View this message in context: http://www.nabble.com/tomcat-users.xml-Unix-file-permissions-and-security-%28possible-patch%29-tp21980349p21980349.html
Sent from the Tomcat - Dev mailing list archive at Nabble.com.
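
The permission change described in the message above, as an added example that is not part of the original post, the attached patch, or Tomcat's code: a write-then-rename save loses the old file's mode unless the temporary file is created owner-only first. It assumes Java 7+ (java.nio.file) on a POSIX file system; the class name, method names and scratch directory are hypothetical.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.Set;

public class OwnerOnlySave {
    static final Set<PosixFilePermission> OWNER_ONLY =
            PosixFilePermissions.fromString("rw-------");

    // Pattern from the message: write a new file, then rename it over the old one.
    // The new file gets umask-derived permissions, so the old file's mode is lost.
    static void saveWithDefaultPerms(Path target, byte[] content) throws IOException {
        Path tmp = target.resolveSibling(target.getFileName() + ".new");
        Files.write(tmp, content);
        Files.move(tmp, target, StandardCopyOption.REPLACE_EXISTING);
    }

    // Same write-then-rename, but the temporary file is created owner-only
    // before any content is written, so there is no window with wider access.
    static void saveOwnerOnly(Path target, byte[] content) throws IOException {
        Path dir = target.toAbsolutePath().getParent();
        Path tmp = Files.createTempFile(dir, "users", ".new",
                PosixFilePermissions.asFileAttribute(OWNER_ONLY));
        try {
            Files.write(tmp, content);
            // ATOMIC_MOVE maps to rename(2) on POSIX, which replaces the target.
            Files.move(tmp, target, StandardCopyOption.ATOMIC_MOVE,
                    StandardCopyOption.REPLACE_EXISTING);
        } finally {
            Files.deleteIfExists(tmp); // no-op after a successful move
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo in a scratch directory; not Tomcat's real conf/.
        Path dir = Files.createTempDirectory("conf-demo");
        Path users = dir.resolve("tomcat-users.xml");
        Files.createFile(users, PosixFilePermissions.asFileAttribute(OWNER_ONLY));
        byte[] xml = "<tomcat-users/>\n".getBytes();

        saveWithDefaultPerms(users, xml);
        System.out.println("default perms: "
                + PosixFilePermissions.toString(Files.getPosixFilePermissions(users)));
        saveOwnerOnly(users, xml);
        System.out.println("owner-only:    "
                + PosixFilePermissions.toString(Files.getPosixFilePermissions(users)));
    }
}
```

The first line printed depends on the process umask; the second is owner-only regardless, because the mode is set when the temporary file is created rather than after the rename.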