Bug#434762: tomcat5.5: tomcat-users.xml contains sensitive data, yet it is world-readable

2007-10-08 Javier Serrano Polo
I suggest the file be chmodded to 600 during installation. I should note this file gets recreated during start-up. The restricted folder solution is simpler than patching tomcat. If a world readable tomcat-users.xml isn't acceptable, you could try a user not writable folder. That would issue a

Bug#434762: tomcat5.5: tomcat-users.xml contains sensitive data, yet it is world-readable

2007-07-30 Michael Koch
On Sat, Jul 28, 2007 at 11:45:48PM +0200, Marcus Better wrote:
David Pashley wrote:
On Jul 26, 2007 at 20:43, Michael Koch praised the llamas by saying:
On Thu, Jul 26, 2007 at 06:17:28PM +0200, Marcus Better wrote:
Yes, but /var/lib/tomcat5.5 is not world-readable:
I think this is

Bug#434762: tomcat5.5: tomcat-users.xml contains sensitive data, yet it is world-readable

2007-07-28 Marcus Better
David Pashley wrote:
On Jul 26, 2007 at 20:43, Michael Koch praised the llamas by saying:
On Thu, Jul 26, 2007 at 06:17:28PM +0200, Marcus Better wrote:
Yes, but /var/lib/tomcat5.5 is not world-readable:
I think this is a grave issue because this file contains world readable passwords,

Bug#434762: tomcat5.5: tomcat-users.xml contains sensitive data, yet it is world-readable

2007-07-26 Michael Koch
On Thu, Jul 26, 2007 at 06:17:28PM +0200, Marcus Better wrote:
severity 434762 minor
thanks
/var/lib/tomcat5.5/conf/tomcat-users.xml comes with file permissions 644.
Yes, but /var/lib/tomcat5.5 is not world-readable:
~$ ls -ld /var/lib/tomcat5.5/conf
drwxr-x--- 3 tomcat55 adm 4096

Bug#434762: tomcat5.5: tomcat-users.xml contains sensitive data, yet it is world-readable

2007-07-26 Marcus Better
severity 434762 minor
thanks
/var/lib/tomcat5.5/conf/tomcat-users.xml comes with file permissions 644.
Yes, but /var/lib/tomcat5.5 is not world-readable:
~$ ls -ld /var/lib/tomcat5.5/conf
drwxr-x--- 3 tomcat55 adm 4096 2007-07-26 09:08 /var/lib/tomcat5.5/conf/
Still we could change the file

Bug#434762: tomcat5.5: tomcat-users.xml contains sensitive data, yet it is world-readable

2007-07-26 Marc Packenius
Package: tomcat5.5
Severity: grave
Tags: security
Justification: user security hole
/var/lib/tomcat5.5/conf/tomcat-users.xml comes with file permissions 644. I consider this a security problem, because it's all too easy to add the admin or manager roles while forgetting to change the file

Bug#434762: tomcat5.5: tomcat-users.xml contains sensitive data, yet it is world-readable

2007-07-26 David Pashley
On Jul 26, 2007 at 20:43, Michael Koch praised the llamas by saying:
On Thu, Jul 26, 2007 at 06:17:28PM +0200, Marcus Better wrote:
severity 434762 minor
thanks
/var/lib/tomcat5.5/conf/tomcat-users.xml comes with file permissions 644.
Yes, but /var/lib/tomcat5.5 is not

Processed: Re: Bug#434762: tomcat5.5: tomcat-users.xml contains sensitive data, yet it is world-readable

2007-07-26 Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:
severity 434762 minor
Bug#434762: tomcat5.5: tomcat-users.xml contains sensitive data, yet it is world-readable
Severity set to `minor' from `grave'
thanks
Stopping processing here.
Please contact me if you need assistance.
Debian bug tracking