I have been trying to configure tomcat5 for a web application I am setting up. While configuring the admin webapp for time, I noticed that I could read the contents of $CATALINA_HOME/conf/tomcat-users.xml as a normal user (non-root). I found it odd that the file had read set for others when the passwords in this file are in plain text.
I also found out that even if I change the permissions to only let owner and group have access, each time I restarted Tomcat it would reset the permissions and give others read. I was able to find a post with a similar issue for Debian, Bug#434762: tomcat5.5: tomcat-users.xml contains sensitive data, yet it is world-readable.
In that post they stated that this was a bug and that it should be fixed, but that the parent folder was not readable to others. I have found that this is not the case in Fedora.
Besides changing the umask for all users and/or the tomcat users in Fedora 7, how can I get tomcat5 not to create the tomcat-users.xml with others set to read?
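
An added example, not part of the original post: a shell check of the point raised above about the parent folder. A file is effectively readable by other users only when it has other-read set and every ancestor directory has other-execute (search) set. The function names are hypothetical; it assumes GNU `stat` and `readlink`, and looks at mode bits only (no ACLs or SELinux).

```shell
#!/bin/sh
# Audit helper (added example): is a file effectively readable by "other"?
# Exit status of world_readable: 0 = exposed, 1 = not exposed, 2 = error.

# Print the "other" permission digit (0-7) of a path.
other_bits() {
    mode=$(stat -c '%a' "$1") || return 2
    # Last character of the octal mode string is the "other" digit.
    printf '%s\n' "${mode#"${mode%?}"}"
}

world_readable() {
    # Resolve symlinks so the real file and its real ancestors are checked.
    path=$(readlink -f "$1") || return 2
    o=$(other_bits "$path") || return 2
    # The file itself needs other-read (bit 4).
    [ $(( o & 4 )) -ne 0 ] || return 1
    dir=$(dirname "$path")
    while :; do
        o=$(other_bits "$dir") || return 2
        # Every ancestor needs other-execute (bit 1) to be traversed.
        [ $(( o & 1 )) -ne 0 ] || return 1
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return 0
}

# Command-line use, e.g.:
#   sh check.sh "$CATALINA_HOME/conf/tomcat-users.xml"
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        if world_readable "$f"; then
            echo "EXPOSED: $f is readable by other users"
        else
            case $? in
                1) echo "ok: $f is not readable by other users" ;;
                *) echo "error: could not inspect $f" >&2 ;;
            esac
        fi
    done
fi
```

Running it after each Tomcat restart shows whether the mode has been reset, and whether a restrictive parent directory (as described for Debian) is masking a world-readable file.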