Jerome Benezech wrote:
> I have a question regarding Tomcat server UserDatabase
> on Linux.
> When choosing a MemoryUserDatabase, tomcat users and
> passwords are declared in a tomcat-users.xml file. The
> tomcat user running the server must have read
> permission on this file.
> At the same time, all webapps running in tomcat are
> running under the same Linux user ('tomcat'). So any
> webapp can access this file and display its content.
>
> My app is hosted on a shared Linux server. With the
> present configuration, I can retrieve this file and
> display every user login/password, then if I wanted
> to, I could go into somebody else' webapp manager and
> undeploy it.
> I am a bit worried that somebody would do that to
> me...
>
> Is there a way to ensure that only the root user can
> read this file ?
Well, Tomcat needs to be able to read that file so you must make it
readable for Tomcat.
OTOH: instead of plaintext passwords you could use digested ones. Take a
look at the "digest" attribute of <Realm> and bin/digest.sh.
Regards
mks
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
