Bug 249838 - /etc/tomcat5/tomcat-users.xml with sensitive information is world-readable
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
URL: http://bugs.debian.org/cgi-bin/bugrep...
Keywords: Security
Reported: 2007-07-27 08:36 EDT by Lubomir Kundrak
Modified: 2007-07-30 10:51 EDT (History)

Last Closed: 2007-07-30 05:27:51 EDT
Attachments: None
Description Lubomir Kundrak 2007-07-27 08:36:10 EDT
Description of problem:

Summary says it all -- our tomcat5 package installs file that holds passwords
with insecure permissions by default.
Comment 1 Vivek Lakshmanan 2007-07-27 11:36:37 EDT
(In reply to comment #0)
> Description of problem:
> 
> Summary says it all -- our tomcat5 package installs file that holds passwords
> with insecure permissions by default.

Where are you seeing this? I checked FC-6/F-7/RHEL-5/RHEL-5_0-Z and all of them
have %attr(660,root,tomcat) %config(noreplace) %{confdir}/tomcat-users.xml
which I think should be fine... Am I missing something obvious?
Can you run an rpm -qV tomcat5 to verify what you are seeing isn't due to some
local modification?


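The two checks this reply relies on, whether the file is world-readable at all and whether rpm -qV reports its mode, owner or group drifting from the packaged %attr(660,root,tomcat), as an added shell example. This is not code from the bug report or the tomcat5 package; the rpm -V sample output below is constructed, and the parser assumes the usual rpm -V layout (flag columns S M 5 D L U G T, with P appended in later rpm releases, then an attribute character and the path) and the standard ls -l permission column layout.

```shell
#!/bin/sh
# Added example, not part of bug 249838 or the tomcat5 package. It reproduces
# the two checks from the thread: is a config file world-readable, and does
# "rpm -V" report its mode/owner/group drifting from the packaged %attr.

# True when an octal mode string (e.g. 664) grants read to "other".
world_readable() {
    mode=$1
    other=${mode#"${mode%?}"}    # last octal digit = permission bits for "other"
    case $other in
        4|5|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# Same test on a real path: column 8 of "ls -l" is the other-read bit.
file_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Parse "rpm -V" output. Each line is the flag columns (S M 5 D L U G T, plus
# P on newer rpm; "." where the attribute still matches), a space, an optional
# attribute character such as "c" for %config, a space, and the path. Print
# the paths whose mode (M), owner (U) or group (G) no longer match the package.
perm_drift() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
            missing*|"") continue ;;   # missing files have no flag columns
        esac
        flags=${line%% *}
        path=${line##* }
        case $flags in
            ?M*|?????U*|??????G*) printf '%s\n' "$path" ;;
        esac
    done
}

# Constructed sample of "rpm -V tomcat5" output: tomcat-users.xml has had its
# mode changed locally; server.xml was only edited (size/digest/mtime differ).
SAMPLE_RPM_V='.M....... c /etc/tomcat5/tomcat-users.xml
S.5....T.  c /etc/tomcat5/server.xml
.......T.  c /etc/tomcat5/web.xml
missing     /var/log/tomcat5/catalina.out'

# Demo: the packaged mode (660) is not world-readable; 664 would be.
for m in 660 664; do
    if world_readable "$m"; then echo "mode $m: world-readable"; else echo "mode $m: ok"; fi
done
echo "files with mode/owner/group drift:"
perm_drift "$SAMPLE_RPM_V"
```

On a real host, replace the constructed sample with `rpm -V tomcat5` output; an M, U or G flag on tomcat-users.xml means the on-disk file no longer carries the 660 root:tomcat the spec installs, which is what distinguishes a packaging bug from a local change.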
Comment 2 Lubomir Kundrak 2007-07-30 05:27:51 EDT
Uh, I'm very sorry, you're right. Though I was not aware of doing this
intentionally it's no longer a problem of anyone but me. Please pardon me,
closing this bug.
Comment 3 Vivek Lakshmanan 2007-07-30 10:51:14 EDT
(In reply to comment #2)
> Uh, I'm very sorry, you're right. Though I was not aware of doing this
> intentionally it's no longer a problem of anyone but me. Please pardon me,
> closing this bug.

No problem :). However, I have seen some mysterious rpm -qV changes on a couple
of instances for this file where no direct changes could be recalled being made
by the admins. It is a possibility some post script somewhere is somehow messing
up, I will keep an eye out but if you encounter the behaviour again, reopen the
bug with any additional information like packages installed etc.
