> As far as I am aware you cannot resolve this problem except by switching
> to LDAP for your authentication. (Although I would be happy to be
> corrected!)

In this case, which user would be authenticated in
LDAP? If the user connecting to LDAP is 'tomcat', the
issue remains, no?

> 
> Which gets me thinking, what is to stop anyone writing an application
> that simply deletes the tomcat installation?

Exactly, a simple Runtime.exec could do a lot of
damage for all webapps and tomcat install....


> Jerome Benezech wrote:
> > Hi,
> > I have a question regarding Tomcat server UserDatabase on Linux.
> > When choosing a MemoryUserDatabase, tomcat users and passwords are
> > declared in a tomcat-users.xml file. The tomcat user running the
> > server must have read permission on this file.
> > At the same time, all webapps running in tomcat are running under
> > the same Linux user ('tomcat'). So any webapp can access this file
> > and display its content.
> >
> > My app is hosted on a shared Linux server. With the present
> > configuration, I can retrieve this file and display every user
> > login/password, then if I wanted to, I could go into somebody
> > else's webapp manager and undeploy it.
> > I am a bit worried that somebody would do that to me...
> >
> > Is there a way to ensure that only the root user can read this file?
> >
> > Thanks
> > Jerome
> >
> > Jerome Benezech
> > [EMAIL PROTECTED]
> >
> > ---------------------------------------------------------------------
> > To start a new topic, e-mail: users@tomcat.apache.org
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> _______________________________
> Jacob Rhoden  - http://uptecs.com/
> 


Jerome Benezech
[EMAIL PROTECTED]
