Yoav,
Good idea. My tomcat user currently has a umask setting of 022.
If I change it to 077, or even 066, the tomcat-users.xml file is still
re-written at server startup, but its protections are set to 600 as
I wanted, not 644. This is an acceptable workaround for my
immediate problem. Thanks!
Hmmm... I wonder if other files created by Tomcat (like the
server log files) will now be 600 also? I liked having them
world-readable.
However, I still wonder:
1. Why does Tomcat re-write the tomcat-users.xml file at
startup?
2. Why does it use the umask value instead of just leaving
the protections as they were before it updated the file?
3. Isn't this a problem for most Tomcat installations, since
without the umask I had applied to my tomcat user, the
default umask is 002, not 022, so the tomcat-users.xml
file would be changed to 664, not merely 644, at each
startup? Seems like the default Tomcat behavior
introduces a security risk.
--Fred
--------------------------------------------------------------------------
Fred Stluka -- mailto:[EMAIL PROTECTED] -- http://bristle.com/~fred/
Bristle Software, Inc -- http://bristle.com -- "Glad to be of service!"
--------------------------------------------------------------------------
"Shapira, Yoav" wrote:
> Hi,
> What if you set the umask for that user to not have world-readable
> files? My guess is Tomcat simply uses the umask of the user that's
> running the JVM.
>
> Yoav Shapira
> Millennium Research Informatics
>
> >-----Original Message-----
> >From: Fred Stluka [mailto:[EMAIL PROTECTED]
> >Sent: Wednesday, September 15, 2004 1:51 PM
> >To: Tomcat Users List
> >Subject: Re: Why does startup of Tomcat 5.0.28 server make tomcat-users.xml world-readable?...
> >
> >Yoav,
> >
> >I have created a Linux user specifically to run Tomcat.
> >That user is the owner of the entire Tomcat directory
> >tree, including the tomcat-users.xml file. The Tomcat
> >server process is running as that user. I agree that that
> >600 should be sufficient for Tomcat to read and write
> >the file.
> >
> >No, I have not yet configured a security manager.
> >This is pretty much Tomcat 5.0.28 with minimal
> >configurations.
> >
> >--Fred
> >--------------------------------------------------------------------------
> > Fred Stluka -- mailto:[EMAIL PROTECTED] -- http://bristle.com/~fred/
> > Bristle Software, Inc -- http://bristle.com -- "Glad to be of service!"
> >--------------------------------------------------------------------------
> >
> >"Shapira, Yoav" wrote:
> >
> >> Hi,
> >> Tomcat needs to change the file so that it (the Tomcat process) can
> >> (over)write it (the tomcat-users.xml file). But you would think chmod
> >> u+w or g+w would be sufficient, not chmod o+w. Are you running with a
> >> security manager?
> >>
> >> Yoav Shapira
> >> Millennium Research Informatics
> >
> >
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: [EMAIL PROTECTED]
> >For additional commands, e-mail: [EMAIL PROTECTED]
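An added shell example, not from the thread and not Tomcat's own code, showing the mechanism behind the numbers Fred reports (umask 022 gives 644, 077 or 066 gives 600, and the default 002 he worries about gives 664): a file that is deleted and re-created gets mode 0666 & ~umask whatever its previous mode was, while a file truncated in place keeps the mode it had, because umask is only consulted when a new inode is created. The file name and contents are constructed for the demo; which of the two save strategies Tomcat 5.0.28 itself uses is not established in the thread.

```shell
#!/bin/sh
# Added example, not Tomcat code: how umask decides the mode of a re-created
# file. The file name and contents below are constructed for the demo.

# mode_of FILE: print the permission bits in octal (e.g. 644).
# GNU stat first; fall back to BSD/macOS stat.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# rewrite_by_recreate FILE UMASK: delete FILE and write a fresh one under
# UMASK, as a "write to a new file" save strategy does. The new inode gets
# 0666 & ~UMASK, so the old mode is lost. Prints the resulting mode.
rewrite_by_recreate() {
    ( umask "$2"; rm -f "$1"; printf '<tomcat-users/>\n' > "$1" )
    mode_of "$1"
}

# rewrite_in_place FILE UMASK: open the existing FILE with O_TRUNC and write
# under UMASK. The inode survives, so umask is never consulted and the old
# mode stays. Prints the resulting mode.
rewrite_in_place() {
    ( umask "$2"; printf '<tomcat-users/>\n' > "$1" )
    mode_of "$1"
}

# Demo: start from a 600 tomcat-users.xml, the state Fred wants to keep.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/tomcat-users.xml"
printf '<tomcat-users/>\n' > "$demo_file"
chmod 600 "$demo_file"

for m in 022 002 077; do
    printf 'umask %s, file re-created:        %s\n' "$m" "$(rewrite_by_recreate "$demo_file" "$m")"
done
chmod 600 "$demo_file"
printf 'umask 002, file truncated in place: %s\n' "$(rewrite_in_place "$demo_file" 002)"

rm -rf "$demo_dir"
```

Two caveats for anyone applying the umask workaround: the mask is inherited from whatever process starts the JVM, so a value set only in the tomcat user's interactive shell profile does not necessarily reach a Tomcat launched from an init script, and it is safer to set it in the startup script itself; and the mask applies to every file the JVM creates, log files included, so with 077 the logs become 600 as Fred suspects. A mask of 027 yields 640 for new files, which keeps "other" out while still letting a log-reader group read them.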