~/.netbeans/6.0/tomcat55.properties is world-readable

Bug #244321 reported by Timo Wiren on 2008-06-30
254
Affects Status Importance Assigned to Milestone
Netbeans Core
Fix Released
Medium
netbeans (Ubuntu)
Undecided
Marek Slama

Bug Description

Binary package hint: netbeans

I don't know if this is an Ubuntu's NetBeans package bug, NetBeans bug or NetBeans' Tomcat plugin bug, but I thought I might as well report it here. The file ~/.netbeans/6.0/tomcat55.properties is world-readable and contains a plain-text password of a Tomcat user in manager role. I'm using Kubuntu 8.04 and installed NetBeans using aptitude. NetBeans version is 6.0.1-0ubuntu2.

Revision history for this message
Marek Slama (mslama-email) wrote :

It looks like plugin bug. How do you create this file or when is it created? I will pass this issue to NetBeans.

Changed in netbeans:
assignee: nobody → mslama-email
Revision history for this message
Marek Slama (mslama-email) wrote :

I assume this file should be accessible only by given user right?

Revision history for this message
Timo Wiren (timo-wiren) wrote :

I assume the file is created when I install NetBeans' Tomcat plugin or configure it in NetBeans. I also assume that it should be accessible only by the user whose home directory it's in.

Revision history for this message
Marek Slama (mslama-email) wrote :
Revision history for this message
In , Mslama (mslama) wrote :

Original report is at https://bugs.launchpad.net/ubuntu/+source/netbeans/+bug/244321. I checked dev build but there is
tomcat 6. Not sure where to put this report if it is NetBeans or Tomcat issue. So please pass it accordingly.

Revision history for this message
In , Phejl (phejl) wrote :

It is a development instance. Installer should place proper rights on file, however this won't solve issue in general.

Revision history for this message
In , Mslama (mslama) wrote :

I do not think that any installer should create/set access rights to any file in user home directory (or default IDE
user dir). Who/when creates this file?

Revision history for this message
In , Thuydn (thuydn) wrote :

Done a bit of investigation on NB 6.5 and found that

- First scenario: If you select Tomcat that bundled with NB when you install NB 6.5 (and later version), the file that
contains the Tomcat server manager's default username and password is stored in
~/.netbeans/6.5/apache-tomcat-6.0_base/config/tomcat-users.xml. Although the file is world-readable, the password
inside the file is encrypted.
The entire folder ~/.netbeans/6.5/apache-tomcat-6.0_base which is the default ${Catalina_Base} chosen by NB is NOT
created at the time of NB installation, but at the time the Tomcat server is first started by users via NB
Servers->server node's popup menu.

- Second scenario: if you manually at Tomcat server to NB via the Add Server wizard, you are asked to enter username and
password for the manager role among other things. The username and password is stored in plain text in tomcat-users.xml
file under ${Catalina_Base}/config folder, where ${catalina_Base} is the folder you enter to the wizard.

Possible solutions:
- Option 1: encrypt the password in the second scenario before storing the password to tomcat-users.xml, then no need to
change the permission of the file.
- Option 2: Create the file (tomcat-users.xml) without word-readable perm, then no need to encrypt the password in
either scenarios.

Kees Cook (kees) on 2009-01-24
Changed in netbeans:
status: New → Confirmed
Revision history for this message
In , Phejl (phejl) wrote :

Fixed in web-main e0f3545105f5.

Revision history for this message
In , Quality-i (quality-i) wrote :

Integrated into 'main-golden', will be available in build *201204021038* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main-golden/rev/e0f3545105f5
User: Petr Hejl <email address hidden>
Log: #143033 base_dir/tomcat-users.xml is world-readable

Changed in netbeans:
importance: Unknown → Critical
status: Unknown → Fix Released
Changed in netbeans:
importance: Critical → Medium
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.