Bug#268002: tomcat4: server.xml is publically readable so any user
can shutdown
Adrian Bridgett
adrian at smop.co.uk
Thu May 18 13:38:59 UTC 2006
What I've done for tomcat5 is make tomcat5 the owner of server.xml,
then chmod 600.
Note that if you really want this secure, you need to generate a
unique shutdown string upon the install (and preferably for upgrades
too). Otherwise, you just guess that it's still "SHUTDOWN" and don't
need to look at the file anyway :-)
Cheers,
Adrian
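
The two steps described in the message above (owner-only permissions on server.xml plus a per-install random shutdown string), sketched as an added example that is not code from this post or from the Debian package. The function names are hypothetical, and it assumes the `shutdown` attribute sits on the same line as the opening `<Server` tag; the owner account is passed in by the caller.

```shell
#!/bin/sh
# Added example: rotate Tomcat's shutdown string and lock down server.xml.
# gen_token and harden_server_xml are hypothetical helper names.

# 32 hex characters (128 bits) from the kernel CSPRNG.
gen_token() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Usage: harden_server_xml /path/to/server.xml [owner]
harden_server_xml() {
    hs_conf=$1
    hs_owner=${2:-}
    [ -f "$hs_conf" ] || { echo "no such file: $hs_conf" >&2; return 1; }

    hs_token=$(gen_token)
    [ "${#hs_token}" -eq 32 ] || { echo "token generation failed" >&2; return 1; }

    # mktemp creates the file with mode 0600, so the new string is never
    # world-readable, not even briefly.
    hs_tmp=$(mktemp "$hs_conf.XXXXXX") || return 1

    # Assumption: shutdown="..." is on the same line as "<Server ".
    # The token is plain hex, so it is safe inside the sed replacement.
    if ! sed "/<Server[[:space:]]/s/shutdown=\"[^\"]*\"/shutdown=\"$hs_token\"/" \
            "$hs_conf" > "$hs_tmp"; then
        rm -f "$hs_tmp"; return 1
    fi

    # Refuse to install the file if nothing was replaced; the original
    # is left untouched in that case.
    if ! grep -q "shutdown=\"$hs_token\"" "$hs_tmp"; then
        echo "no shutdown attribute found on <Server> in $hs_conf" >&2
        rm -f "$hs_tmp"; return 1
    fi

    chmod 600 "$hs_tmp"
    if [ -n "$hs_owner" ]; then
        # Needs root, e.g. when run from a package maintainer script.
        chown "$hs_owner" "$hs_tmp" || { rm -f "$hs_tmp"; return 1; }
    fi

    # Atomic rename keeps the 0600 mode and the new owner.
    mv "$hs_tmp" "$hs_conf"
}
```

Anything that sends the shutdown command to the port has to read the new string from server.xml rather than assume the default.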