Bug#434762: tomcat5.5: tomcat-users.xml contains sensitive data, yet it is world-readable
Javier Serrano Polo
jasp00 at terra.es
Mon Oct 8 16:22:43 UTC 2007
> I suggest the file be chmodded to 600 during installation.

I should note this file gets recreated during start-up. The restricted
folder solution is simpler than patching tomcat. If a world-readable
tomcat-users.xml isn't acceptable, you could try a user not writable
folder. That would issue a warning about database persistence but won't
override file permissions.

By the way, dpkg will keep asking about modifications. I feel
tomcat-users.xml should be included as an example, not as an actual
configuration file.
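
The effect of the restricted-folder approach discussed in this message can be checked by reading the "other" permission bits on the file and on every directory above it. The script below is an added example, not part of the original message or of the Debian package; it assumes GNU `stat`, uses a constructed temporary tree in place of the real Tomcat configuration path, and `demo` assumes the file comes back as mode 644 when it is recreated.

```shell
#!/bin/sh
# Added example: reports whether "other" users can read a file, taking the
# directories above it into account. Group membership and ACLs are not evaluated.

# Print the permission digit for "other" (last octal digit of the mode).
other_bits() {
    mode=$(stat -c '%a' "$1") || return 1      # GNU stat assumed
    echo "${mode#"${mode%?}"}"
}

# exposure FILE [TOP]: print "exposed" or "restricted: <reason>".
# Directories are checked from FILE's parent up to TOP (default /).
exposure() {
    file=$1; top=${2:-/}
    bits=$(other_bits "$file") || return 2
    if [ $((bits & 4)) -eq 0 ]; then
        echo "restricted: file mode"; return 0
    fi
    dir=$(dirname "$file")
    while :; do
        # Without o+x on a directory, "other" cannot reach anything below it.
        bits=$(other_bits "$dir") || return 2
        if [ $((bits & 1)) -eq 0 ]; then
            echo "restricted: directory $dir"; return 0
        fi
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ] || [ "$dir" = "." ]; then break; fi
        dir=$(dirname "$dir")
    done
    echo "exposed"
}

# Constructed scenario: a 644 file, then a restricted folder, then the file
# being recreated (assumed to return as 644) inside that folder.
demo() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/conf"; f=$base/conf/tomcat-users.xml
    chmod 755 "$base" "$base/conf"
    : > "$f"; chmod 644 "$f"
    exposure "$f" "$base"                 # file and folder both open
    chmod 750 "$base/conf"                # restricted folder
    rm "$f"; : > "$f"; chmod 644 "$f"     # simulated recreation at start-up
    exposure "$f" "$base"                 # folder restriction still applies
    rm -rf "$base"
}

if [ $# -gt 0 ]; then exposure "$@"; else demo; fi
```

Run with the path of the installed file as the only argument to check a real system; with no argument it runs the constructed scenario.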