
Re: Tomcat 8 security update



On 30.05.2016 01:00, Emmanuel Bourg wrote:
> On 30/05/2016 at 00:12, Markus Koschany wrote:
> 
>> I have prepared a security update for Tomcat 8 fixing 7 CVEs. In
>> addition I would like to fix #825786. We currently overwrite file
>> permissions in /etc/tomcat8/ unconditionally which could break user
>> specific changes on upgrade. The fix is to revert to default file
>> permissions root:root (rw-r--r--) and change only
>> /etc/tomcat8/tomcat-users.xml.
> 
> Thank you for fixing the CVEs, Markus; I was about to handle them.
> 
> Regarding #825786 I'm not sure about the suggested fix. Tomcat has to be
> able to write to /etc/tomcat8/Catalina and the group change will prevent
> that (the postinst script runs chmod 775 on /etc/tomcat8/Catalina).

OK, then let's update the third line to

chown -Rh $TOMCAT8_USER:$TOMCAT8_GROUP /etc/tomcat8/Catalina
/var/lib/tomcat8/webapps /var/lib/tomcat8/lib

Although I wonder why the server writes data to /etc and not to
/var/lib/tomcat8. Symlinks could then point from /etc to
/var/lib/tomcat8. Since /etc is for configuration and /var for variable
files, this would actually be more in line with the FHS. I also think
that /usr/share/tomcat8 should not be the HOME directory for tomcat8.
However that's not relevant for Jessie and we should discuss this in a
separate bug report or on debian-java.

Regards,

Markus
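
The permission handling discussed in this thread, written out as an added shell example. It is not code from the Debian tomcat8 package or from either poster; the modes (640 for tomcat-users.xml, 775 for the directories Tomcat writes to), the helper names, the check against dpkg-statoverride and the sample tree are all assumptions made for illustration. The point it shows is the one raised in #825786: on upgrade, change only the credentials file and the paths Tomcat must write to, and leave every other file under /etc/tomcat8 with whatever ownership and mode the admin set.

```shell
#!/bin/sh
# Added example, not code from the Debian tomcat8 package or this thread.
# Assumptions: modes 640 (tomcat-users.xml) and 775 (writable dirs), the
# helper names, and that dpkg-statoverride is how an admin pins a path.

# Succeeds when the admin pinned this path with dpkg-statoverride; the
# package must then not touch it. Returns 1 when the tool is absent.
has_statoverride() {
    command -v dpkg-statoverride >/dev/null 2>&1 || return 1
    dpkg-statoverride --list "$1" >/dev/null 2>&1
}

# chown is only possible as root, and only to an account that exists;
# otherwise the ownership step is skipped and only modes are set.
can_chown_to() {
    [ "$(id -u)" -eq 0 ] && id "$1" >/dev/null 2>&1
}

# fix_tomcat_perms ROOT USER GROUP
# ROOT is a filesystem prefix: "" on a real system, a temp dir in the demo.
fix_tomcat_perms() {
    root=$1; user=$2; group=$3
    users="$root/etc/tomcat8/tomcat-users.xml"
    if ! has_statoverride "$users"; then
        # credentials: readable by root and the tomcat group, nobody else
        chmod 640 "$users"
        if can_chown_to "$user"; then chown "root:$group" "$users"; fi
    fi
    for d in "$root/etc/tomcat8/Catalina" \
             "$root/var/lib/tomcat8/webapps" \
             "$root/var/lib/tomcat8/lib"; do
        if has_statoverride "$d"; then continue; fi
        chmod 775 "$d"
        # -R for the tree, -h so a symlink inside it is not followed: a link
        # must never cause a path outside the tree to change owner
        if can_chown_to "$user"; then chown -Rh "$user:$group" "$d"; fi
    done
    return 0
}

# True if PATH has exactly the octal MODE (POSIX find, no GNU stat needed).
has_mode() {
    find "$1" -prune -perm "$2" -print | grep -q .
}

# Constructed sample tree: server.xml was tightened by the admin to 0600 and
# must survive; tomcat-users.xml starts world-readable and must be fixed.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/tomcat8/Catalina/localhost" \
             "$t/var/lib/tomcat8/webapps" "$t/var/lib/tomcat8/lib"
    : > "$t/etc/tomcat8/server.xml"
    chmod 600 "$t/etc/tomcat8/server.xml"
    : > "$t/etc/tomcat8/tomcat-users.xml"
    chmod 644 "$t/etc/tomcat8/tomcat-users.xml"
    printf '%s\n' "$t"
}

# Demo run: apply the fix to the sample tree, show the result, clean up.
demo=$(demo_tree)
fix_tomcat_perms "$demo" tomcat8 tomcat8
ls -ld "$demo/etc/tomcat8/"* "$demo/var/lib/tomcat8/"*
rm -rf "$demo"
```

Run as a normal user the script only adjusts modes (ownership changes need root and an existing tomcat8 account); in the listing, server.xml keeps its 0600 while tomcat-users.xml ends up 0640 and the three writable directories 0775. The dpkg-statoverride check is what makes the operation safe to repeat on every upgrade: a path the admin has overridden is skipped rather than reset.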
