Bug#434762: tomcat5.5: tomcat-users.xml contains sensitive data, yet it is world-readable
Michael Koch
konqueror at gmx.de
Thu Jul 26 19:43:00 UTC 2007
On Thu, Jul 26, 2007 at 06:17:28PM +0200, Marcus Better wrote:
> severity 434762 minor
> thanks
>
> > /var/lib/tomcat5.5/conf/tomcat-users.xml comes with file permissions
> > 644.
>
> Yes, but /var/lib/tomcat5.5 is not world-readable:
>
> ~$ ls -ld /var/lib/tomcat5.5/conf
> drwxr-x--- 3 tomcat55 adm 4096 2007-07-26 09:08 /var/lib/tomcat5.5/conf/
>
> Still we could change the file permissions to be on the safe side.

I think this is a grave issue because this file contains world-readable
passwords, which is clearly a security issue and not minor.

Cheers,
Michael
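
The permission question discussed in this thread (a 644 file inside a 750 directory), as an added example that is not part of the original messages: it walks a path and reports whether a user matching only the "other" permission class can read the file, and which component stops them. The names `world_access` and `demo`, the `base` parameter and the temporary directory layout are assumptions made for illustration; only mode bits are inspected, not ACLs.

```python
import os
import stat
import tempfile


def world_access(path, base="/"):
    """Can a user who matches only the 'other' permission class read path?

    Returns (readable, blocker). Checks mode bits only: ACLs and
    owner/group membership are out of scope. `base` is where the walk starts.
    """
    path, base = os.path.abspath(path), os.path.abspath(base)
    dirs, cur = [], os.path.dirname(path)
    while True:
        dirs.append(cur)
        if cur == base or os.path.dirname(cur) == cur:
            break
        cur = os.path.dirname(cur)
    # Reaching the file needs search (x) permission on every directory above it.
    for d in reversed(dirs):
        if not os.stat(d).st_mode & stat.S_IXOTH:
            return False, d
    if not os.stat(path).st_mode & stat.S_IROTH:
        return False, path
    return True, None


def demo():
    """Constructed layout mirroring the thread: a 0644 file under a 0750 conf/."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)
        conf = os.path.join(root, "conf")
        users = os.path.join(conf, "tomcat-users.xml")
        os.mkdir(conf)
        with open(users, "w") as fh:
            fh.write("<tomcat-users/>\n")  # placeholder content, no credentials
        os.chmod(users, 0o644)
        os.chmod(conf, 0o750)
        results["dir_0750"] = world_access(users, root)   # stopped at conf/
        os.chmod(conf, 0o755)
        results["dir_0755"] = world_access(users, root)   # now the 0644 file is exposed
        os.chmod(users, 0o640)
        results["file_0640"] = world_access(users, root)  # file mode alone protects it
    return results, conf, users


if __name__ == "__main__":
    for case, outcome in demo()[0].items():
        print(case, outcome)
```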