As far as I am aware you cannot resolve this problem except by switching to LDAP for your authentication. (Although I would be happy to be corrected!)

For any larger scale hosting, LDAP provides a more secure solution. (However, it does add an extra point of failure.) Any hosting solution where users share the same instance of tomcat is dubious because anyone can read anyone's files!

Which gets me thinking, what is to stop anyone writing an application that simply deletes the tomcat installation?

Best Regards,
Jacob

Jerome Benezech wrote:
Hi,
I have a question regarding Tomcat server UserDatabase
on Linux. When choosing a MemoryUserDatabase, tomcat users and
passwords are declared in a tomcat-users.xml file. The
tomcat user running the server must have read
permission on this file.
At the same time, all webapps running in tomcat are
running under the same Linux user ('tomcat'). So any
webapp can access this file and display its content.

My app is hosted on a shared Linux server. With the
present configuration, I can retrieve this file and
display every user login/password, then if I wanted
to, I could go into somebody else's webapp manager and
undeploy it.
I am a bit worried that somebody would do that to
me...

Is there a way to ensure that only the root user can
read this file ?


Thanks
Jerome


Jerome Benezech
[EMAIL PROTECTED]

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

_______________________________
Jacob Rhoden  - http://uptecs.com/
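An added audit script (not from the thread) showing what an administrator of such a shared instance can check: it parses a constructed tomcat-users.xml, flags accounts that carry manager/admin roles or a plaintext password, and reports group/world-readable file modes. The role list and the "hex of digest length means digested" heuristic are assumptions.

```python
import os
import re
import stat
import xml.etree.ElementTree as ET

# Constructed sample in the shape the thread describes (plaintext passwords,
# users holding the manager role). Not a file taken from the page.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="jerome" password="s3cret" roles="manager"/>
  <user username="ops" password="5f4dcc3b5aa765d61d8327deb882cf99" roles="admin,manager"/>
  <user username="guest" password="guest" roles=""/>
</tomcat-users>
"""

# Assumption: a hex string of MD5/SHA-1/SHA-256 length is a stored digest;
# anything else is treated as plaintext.
DIGEST_RE = re.compile(r"^([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
# Assumption: roles an administrator would consider privileged on this host.
PRIVILEGED_ROLES = {"manager", "admin", "manager-gui", "manager-script", "admin-gui"}


def audit_users(xml_text):
    """Return one finding per <user> with a plaintext password or a privileged role."""
    root = ET.fromstring(xml_text)
    findings = []
    for user in root.iter("user"):
        password = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        finding = {
            "username": user.get("username", ""),
            "plaintext_password": DIGEST_RE.match(password) is None,
            "privileged_roles": sorted(roles & PRIVILEGED_ROLES),
        }
        if finding["plaintext_password"] or finding["privileged_roles"]:
            findings.append(finding)
    return findings


def file_mode_warnings(path):
    """Warn when the file is group- or world-readable. This cannot remove the
    thread's exposure: the tomcat user must read the file and every webapp
    runs as that user, so the fix is a realm that keeps credentials elsewhere."""
    mode = os.stat(path).st_mode
    return [w for flag, w in ((stat.S_IRGRP, "group-readable"),
                              (stat.S_IROTH, "world-readable")) if mode & flag]


if __name__ == "__main__":
    for finding in audit_users(SAMPLE_TOMCAT_USERS):
        print(finding)
```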
