Hi,
On 12.02.2009 18:06, Petr Sumbera wrote:
Hi all,
From the Tomcat tar archive I get:
ls -l apache-tomcat-6.0.18/conf/tomcat-users.xml
-rw------- 1 tomcat staff 1107 Jul 21 2008 apache-tomcat-6.0.18/conf/tomcat-users.xml
But Tomcat itself changes this during its first run:
ls -l apache-tomcat-6.0.18/conf/tomcat-users.xml
-rw-r--r- 1 tomcat staff 70 Feb 12 08:31 apache-tomcat-6.0.18/conf/tomcat-users.xml
This is bad from a security perspective. Why not write directly to the file
and avoid renaming? The risk of a problem during saving is probably smaller
than readable passwords...
See attached patch (it would need some more clearance).
You can set the attribute readonly to "true" in the configuration of the
user database. Then Tomcat will not write to the file and instead simply
read and use it.
Regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
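The attribute Rainer refers to is `readonly` on the `MemoryUserDatabaseFactory` `<Resource>` in `conf/server.xml`; with it set to `"true"` Tomcat only reads `tomcat-users.xml` and never rewrites it, so the 0600 mode from the tarball survives. The following script is an added example, not code from the thread or from Tomcat: it builds a constructed `conf/` directory (paths, the placeholder password and the sample `server.xml` are all made up for the demo) and checks both points raised above, that the `UserDatabase` resource is read-only and that `tomcat-users.xml` is not readable by group or others.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Tomcat conf/ directory for the
# two settings discussed above. All paths and sample configs are constructed.

# Return 0 if the UserDatabase <Resource> element in server.xml ($1) carries
# readonly="true". The element spans several lines, so join them first.
userdb_is_readonly() {
    tr '\n' ' ' < "$1" | grep -o '<Resource[^>]*>' \
        | grep 'name="UserDatabase"' | grep -q 'readonly="true"'
}

# Return 0 if file $1 has no group/other permission bits, i.e. the ls -l
# mode string is -rw------- or -r--------, like the tarball's original file.
not_world_readable() {
    perm=$(ls -ld "$1" | cut -c1-10)
    case "$perm" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 only when both checks pass for the conf directory $1.
audit_conf() {
    userdb_is_readonly "$1/server.xml" && not_world_readable "$1/tomcat-users.xml"
}

# Build a demo conf/ directory: $1 = directory, $2 = value for readonly.
# The weak setting is readonly="false" (Tomcat may rewrite the file); the
# corrected one is readonly="true".
make_demo_conf() {
    mkdir -p "$1"
    cat > "$1/server.xml" <<EOF
<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml"
              readonly="$2"/>
  </GlobalNamingResources>
</Server>
EOF
    # Constructed user file; the password is a placeholder, not a real one.
    cat > "$1/tomcat-users.xml" <<EOF
<tomcat-users>
  <role rolename="manager"/>
  <user username="demo" password="demo-placeholder" roles="manager"/>
</tomcat-users>
EOF
    chmod 600 "$1/tomcat-users.xml"
}
```

Run `audit_conf /path/to/tomcat/conf` against a real installation; a non-zero exit means either the resource is still writable by Tomcat or the user file has already been rewritten with a wider mode, and `chmod 600 conf/tomcat-users.xml` plus `readonly="true"` fixes both.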