Bug#268002: tomcat4: server.xml is publicly readable so any user can shutdown

Roland Turner <raz.qrovna.bet@raz.cx>, 268002@bugs.debian.org
Wed Aug 25 08:10:01 2004


Package: tomcat4
Version: 4.1.30-6
Severity: wishlist

At present, /etc/tomcat4/server.xml is mode 644. This means that any
legitimate user or rogue process has access to the shutdown
string and can shut tomcat down. This is a minor DoS and something of
a corner case (it affects tomcat instances running on large multi-user
boxes and stymies hardening measures designed to allow a server to "play
hurt" (continue giving partial service when partially compromised)),
but still an interesting one. This could be overcome by creating a
tomcat4 group, running the tomcat instance with this group ID,
changing the group ownership of server.xml to tomcat4 and changing
the mode to 640. This provides both confidentiality of the
shutdown secret and prevents a compromised tomcat instance from
manipulating its own configuration (because while the tomcat4
group can read the file, only root can write it).

- Raz

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.6-1-686
Locale: LANG=C, LC_CTYPE=C

Versions of packages tomcat4 depends on:
ii  adduser                      3.59        Add and remove users and groups
ii  apache-utils                 1.3.31-3    Utility programs for webservers
ii  eclipse-javac [java-compiler 2.1.3-4     Eclipse Java compiler and ant plug
ii  j2re1.3 [java-virtual-machin 1.3.1.02b-2 Blackdown Java(TM) 2 Runtime Envir
ii  j2re1.4 [java-virtual-machin 1.4.1-6     Blackdown Java(TM) 2 Runtime Envir
ii  j2sdk1.3 [java-compiler]     1.3.1.02b-2 Blackdown Java(TM) 2 SDK, Standard
ii  j2sdk1.4 [java-compiler]     1.4.1-6     Blackdown Java(TM) 2 SDK, Standard
pn  libtomcat4-java                          Not found.

-- no debconf information
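The ownership and mode change proposed in the report, as an added shell example (not from the bug report, the reporter, or the tomcat4 package). It assumes a Debian system (getent, and addgroup from the adduser package that tomcat4 already depends on), a group named tomcat4 that the Tomcat JVM is started with, and a constructed sample server.xml in the shape of Tomcat 4's default so the before/after can be run unprivileged on a temporary copy:

```shell
#!/bin/sh
# Added example, not part of the Debian bug report or the tomcat4 package.
# Demonstrates the hardening proposed in the report: group "tomcat4" may read
# server.xml, only root may write it, nobody else may read it (mode 640).
# Assumptions: Debian (getent, addgroup from the adduser package), Tomcat started
# with group tomcat4, and a sample server.xml constructed below for the demo.
set -eu

# Constructed sample config in the shape of Tomcat 4's server.xml; the shipped
# file is mode 644, which is what the report complains about.
make_sample_config() {
    cat > "$1" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN" debug="0">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8180"/>
  </Service>
</Server>
EOF
    chmod 644 "$1"
}

# Extract the shutdown string; with a 644 file any local user can run this and
# then send the string to the shutdown port (e.g. printf 'SHUTDOWN' | nc localhost 8005).
shutdown_string() {
    sed -n 's/.*<Server[^>]*shutdown="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Permission bits as ls prints them, e.g. rw-r--r--
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# Succeeds if "other" has the read bit, i.e. the shutdown string is exposed.
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = r ]
}

# Create the system group Tomcat will run under (root only, Debian adduser).
ensure_tomcat_group() {
    group=${1:-tomcat4}
    getent group "$group" >/dev/null 2>&1 || addgroup --system "$group"
}

# Apply the proposed ownership and mode. chown needs root and an existing
# group; chmod 640 is done regardless so the demo also works unprivileged.
harden_server_xml() {
    file=$1
    group=${2:-tomcat4}
    if [ "$(id -u)" -eq 0 ] && getent group "$group" >/dev/null 2>&1; then
        chown "root:$group" "$file"
    fi
    chmod 640 "$file"
}

# Unprivileged before/after demo on a temporary copy.
demo() {
    dir=$(mktemp -d)
    f="$dir/server.xml"
    make_sample_config "$f"
    echo "before: $(perm_string "$f") shutdown=$(shutdown_string "$f")"
    harden_server_xml "$f"
    echo "after:  $(perm_string "$f")"
    rm -rf "$dir"
}
demo
```

On the real system this would be run as root as `ensure_tomcat_group && harden_server_xml /etc/tomcat4/server.xml`. The caveat the report implies but does not spell out: the init script must also start the JVM with the tomcat4 group, otherwise Tomcat itself can no longer read its configuration after the mode change, and the 640 mode only protects the shutdown string from other local accounts; a process already running as the Tomcat user or group can still read it.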