Bug 249838

Summary: /etc/tomcat5/tomcat-users.xml with sensitive information is world-readable
Product: [Other] Security Response Reporter: Lubomir Kundrak <lkundrak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: viveklak
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=434762
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-07-30 09:27:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Lubomir Kundrak 2007-07-27 12:36:10 UTC 
Description of problem:

Summary says it all -- our tomcat5 package installs file that holds passwords
with insecure permissions by default.
Comment 1 Vivek Lakshmanan 2007-07-27 15:36:37 UTC 
(In reply to comment #0)
> Description of problem:
> 
> Summary says it all -- our tomcat5 package installs file that holds passwords
> with insecure permissions by default.

Where are you seeing this? I checked FC-6/F-7/RHEL-5/RHEL-5_0-Z and all of them
have %attr(660,root,tomcat) %config(noreplace) %{confdir}/tomcat-users.xml
which I think should be fine... Am I missing something obvious?
Can you run an rpm -qV tomcat5 to verify what you are seeing isnt due to some
local modification?
Comment 2 Lubomir Kundrak 2007-07-30 09:27:51 UTC 
Uh, I'm very sorry, you're right. Though I was not aware of doing this
intentionally it's no longer a problem of anyone but me. Please pardon me,
closing this bug.
Comment 3 Vivek Lakshmanan 2007-07-30 14:51:14 UTC 
(In reply to comment #2)
> Uh, I'm very sorry, you're right. Though I was not aware of doing this
> intentionally it's no longer a problem of anyone but me. Please pardon me,
> closing this bug.

No problem :). However, I have seen some mysterious rpm -qV changes on a couple
of instances for this file where no direct changes could be recalled being made
by the admins. It is a possibility some post script somewhere is somehow messing
up, I will keep an eye out but if you encounter the behaviour again, reopen the
bug with any additional information like packages installed etc.