Bug#268002: tomcat4: server.xml is publically readable so any user can shutdown

Adrian Bridgett adrian at smop.co.uk
Thu May 18 13:38:59 UTC 2006


What I've done for tomcat5 is make tomcat5 the owner of server.xml,
then chmod 600.

Note that if you really want this secure, you need to generate a
unique shutdown string upon the install (and preferably for upgrades
too). Otherwise, you just guess that it's still "SHUTDOWN" and don't
need to look at the file anyway :-)

Cheers,

Adrian
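
The two steps described in the message above (a per-install shutdown string, then owner-only permissions on server.xml), as an added example that is not part of the original message or of the Debian package's maintainer scripts. The function names, the `tomcat5` default owner and the assumption that `shutdown="..."` sits on the same line as `<Server` are this example's own.

```shell
#!/bin/sh
# Added example: hypothetical postinst-style helper, not the package's own script.

# Print 32 hex characters (128 bits) read from the kernel CSPRNG.
gen_shutdown_token() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# harden_server_xml FILE [OWNER]
# Give the <Server> element a fresh shutdown string, then make FILE
# readable by its owner only. Assumes shutdown="..." is on the <Server line.
harden_server_xml() {
    file=$1
    owner=${2:-tomcat5}   # assumed service account name
    token=$(gen_shutdown_token)
    [ "${#token}" -eq 32 ] || return 1

    # mktemp creates the copy with mode 0600, so the new string is never
    # exposed in a world-readable file, even briefly.
    tmp=$(mktemp "${file}.XXXXXX") || return 1

    # The token goes through the environment, not argv, so it does not show
    # up in the process list. awk exits non-zero if nothing was replaced.
    SHUTDOWN_TOKEN=$token awk '
        /<Server[ >]/ && !done {
            if (sub(/shutdown="[^"]*"/, "shutdown=\"" ENVIRON["SHUTDOWN_TOKEN"] "\""))
                done = 1
        }
        { print }
        END { exit !done }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }

    # chown needs root and an existing account; skipped otherwise.
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chown "$owner" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    chmod 600 "$tmp" && mv "$tmp" "$file"
}
```

Running it on upgrade as well as on install rotates the string each time; a failed run leaves the original file untouched.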



