On 13/02/2009, Rainer Jung <rainer.j...@kippdata.de> wrote:
> Hi,
>
> On 12.02.2009 18:06, Petr Sumbera wrote:
>
> > Hi all,
> >
> > From Tomcat tar archive I get:
> >
> > ls -l apache-tomcat-6.0.18/conf/tomcat-users.xml
> > -rw------- 1 tomcat staff 1107 Jul 21 2008 apache-tomcat-6.0.18/conf/tomcat-users.xml
> >
> > But Tomcat itself changes this during its first run:
> >
> > ls -l apache-tomcat-6.0.18/conf/tomcat-users.xml
> > -rw-r--r- 1 tomcat staff 70 Feb 12 08:31 apache-tomcat-6.0.18/conf/tomcat-users.xml
> >
> > This is bad from a security perspective. Why not directly write to the file
> > and avoid renaming? This risk of problem during saving is probably smaller
> > than readable passwords...
> >
> > See attached patch (it would need some more clearance).
> >
>
> You can set the attribute readonly to "true" in the configuration of the
> user database. Then Tomcat will not write to the file and instead simply
> read and use it.

I agree with the OP - IMO it is still bad that Tomcat changes the file permissions.

> Regards,
>
> Rainer
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
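
An added example, not part of this thread, the attached patch, or Tomcat's own code: one way to keep the write-then-rename save the thread discusses without widening the file mode, by creating the temporary file owner-only and copying the original's permissions onto it before any content is written. It assumes Java 7+ NIO.2 on a POSIX filesystem; the class name `SafeSave`, the method `save`, and the sample XML are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.Set;

public class SafeSave {
    /** Atomically replace target; the new file gets the same mode as the old one. */
    static void save(Path target, String content) throws IOException {
        Path dir = target.toAbsolutePath().getParent();
        // Mode of the existing file, or owner read/write if there is none yet.
        Set<PosixFilePermission> perms = Files.exists(target)
                ? Files.getPosixFilePermissions(target)
                : PosixFilePermissions.fromString("rw-------");
        // Same directory, so the rename stays on one filesystem.
        // Files.createTempFile creates the file owner-only on POSIX systems.
        Path tmp = Files.createTempFile(dir, target.getFileName().toString(), ".new");
        try {
            // Apply the original mode before writing any credentials.
            Files.setPosixFilePermissions(tmp, perms);
            Files.write(tmp, content.getBytes(StandardCharsets.UTF_8));
            // rename(2): readers see either the old file or the complete new one.
            Files.move(tmp, target, StandardCopyOption.ATOMIC_MOVE);
        } finally {
            Files.deleteIfExists(tmp); // no-op after a successful move
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a scratch directory standing in for conf/.
        Path dir = Files.createTempDirectory("conf");
        Path users = dir.resolve("tomcat-users.xml");
        Files.write(users, "<tomcat-users/>".getBytes(StandardCharsets.UTF_8));
        Files.setPosixFilePermissions(users, PosixFilePermissions.fromString("rw-------"));

        save(users, "<tomcat-users><!-- constructed sample --></tomcat-users>");

        // The mode after the save is still owner-only.
        System.out.println(PosixFilePermissions.toString(Files.getPosixFilePermissions(users)));
    }
}
```

File ownership is not copied here; the replacement file belongs to the user running the process.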