|Summary:||root should own tomcat configuration files in /etc/tomcat-6/|
|Product:||Gentoo Linux||Reporter:||Myk Taylor <myk002>|
|Component:||[OLD] Java||Assignee:||Java team <java>|
|Package list:||Runtime testing required:||---|
|Bug Depends on:|
Description Myk Taylor 2009-09-17 16:56:08 UTC
It seems like an unnecessary security risk to allow the tomcat user to write to server.xml and other tomcat configuration files in /etc/tomcat-6/. If the server is somehow compromised, it is unwise to allow an attacker to write to configuration files. Could I suggest changing the ownership of /etc/tomcat-6/ and the files under it to root:tomcat, with directories at mode 750 and files at mode 640?
Comment 1 William L. Thomson Jr. 2011-02-15 02:44:47 UTC
Will have to confirm if manager web app needs to have write permissions. If so be it group or owner is pretty moot. If group needs write, might as well own it all. Though the argument could likely remain to have the stuff root owned, and group writable by tomcat. Might see if security wants to comment on such, and also need to confirm of if manager web app needs write access or not. I believe so, since you can create new hosts and such. Which would require access to config files otherwise any changes would not be persistent after restart of Tomcat. I don't use the manager app much if at all, thus need to confirm.
Comment 2 William L. Thomson Jr. 2015-12-09 21:26:19 UTC
I do not believe the host-manager app can write to server.xml. It is not documented, and seems any changes there are lost on restart. Still looking into if there is some setting or way to save/write changes to server.xml. If I discover such I will update accordingly but at this time does not seem possible.