On 30.05.2016 01:00, Emmanuel Bourg wrote:
> On 30/05/2016 at 00:12, Markus Koschany wrote:
>
>> I have prepared a security update for Tomcat 8 fixing 7 CVEs. In
>> addition I would like to fix #825786. We currently overwrite file
>> permissions in /etc/tomcat8/ unconditionally which could break user
>> specific changes on upgrade. The fix is to revert to default file
>> permissions root:root (rw-r--r--) and change only
>> /etc/tomcat8/tomcat-users.xml.
>
> Thank you for fixing the CVEs Markus, I was about to handle them.
>
> Regarding #825786 I'm not sure about the suggested fix. Tomcat has to be
> able to write to /etc/tomcat8/Catalina and the group change will prevent
> that (the postinst script runs chmod 775 on /etc/tomcat8/Catalina).

OK, then let's update the third line to

chown -Rh $TOMCAT8_USER:$TOMCAT8_GROUP /etc/tomcat8/Catalina /var/lib/tomcat8/webapps /var/lib/tomcat8/lib

Although I wonder why the server writes data to /etc and not to
/var/lib/tomcat8. Symlinks could then point from /etc to /var/lib/tomcat8.
Since /etc is for configuration and /var for variable files, this would
actually be more in line with the FHS. I also think that /usr/share/tomcat8
should not be the HOME directory for tomcat8. However that's not relevant
for Jessie and we should discuss this in a separate bug report or on
debian-java.

Regards,

Markus
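The thread's concern is that a maintainer script rewrites permissions under /etc/tomcat8 wholesale while only a few paths (tomcat-users.xml, and /etc/tomcat8/Catalina, which the postinst makes 775) are meant to be writable by the service account. The audit below is an added example, not code from the thread or from the Debian tomcat8 package: it walks a configuration tree and reports every group- or world-writable entry that is not on an explicit allow-list, so a packager or admin can check that a permission fix touched only what it was supposed to. The function names, the temporary sample tree and its file names are constructed for the example; ownership is not modelled because changing it needs root.

```shell
#!/bin/sh
# Added example: audit a Tomcat configuration tree for group- or
# world-writable entries that are not on an explicit allow-list.
# Function and file names are hypothetical; the sample tree is constructed.

# audit_conf_perms DIR [ALLOWED_REL_PATH ...]
# Prints each entry under DIR that is group-writable (g+w) or
# world-writable (o+w) and does not sit at or below one of the allowed
# relative paths. Always exits 0 so it composes in pipelines.
audit_conf_perms() {
    dir=$1
    shift
    # -perm -020 / -perm -002 are POSIX: "all of these bits set".
    find "$dir" \( -perm -020 -o -perm -002 \) -print | while read -r p; do
        rel=${p#"$dir"/}
        allowed=0
        for a in "$@"; do
            case "$rel" in
                "$a"|"$a"/*) allowed=1 ;;
            esac
        done
        if [ "$allowed" -eq 0 ]; then
            echo "$p"
        fi
    done
}

# make_demo_tree: build a constructed stand-in for /etc/tomcat8 in a
# temporary directory and print its path. Only modes are modelled here.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/Catalina/localhost" "$d/policy.d"
    : > "$d/server.xml"
    : > "$d/tomcat-users.xml"
    : > "$d/Catalina/localhost/ROOT.xml"
    : > "$d/policy.d/sample.policy"                    # constructed file name
    chmod 755 "$d" "$d/policy.d"
    chmod 644 "$d/server.xml"                          # root:root rw-r--r-- style default
    chmod 640 "$d/tomcat-users.xml"                    # readable by the service group, not writable
    chmod 775 "$d/Catalina" "$d/Catalina/localhost"    # what the postinst applies to Catalina
    chmod 664 "$d/Catalina/localhost/ROOT.xml"         # covered by the Catalina allow entry
    chmod 666 "$d/policy.d/sample.policy"              # world-writable: must be flagged
    echo "$d"
}

# Stand-alone demo: only the sample.policy path should be reported.
demo=$(make_demo_tree)
audit_conf_perms "$demo" Catalina tomcat-users.xml
rm -rf "$demo"
```

Run it against a real tree with something like `audit_conf_perms /etc/tomcat8 Catalina tomcat-users.xml`; an empty result means nothing outside the expected paths is writable by group or others, and each printed path is a candidate for the "permissions overwritten on upgrade" problem the bug describes.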