Bug#825786: tomcat8: postinst script overwrites file permissions in /etc
Markus Koschany
apo at debian.org
Fri Jul 29 09:20:56 UTC 2016
Control: tags -1 patch
On 27.07.2016 23:39, Emmanuel Bourg wrote:
> On 27/07/2016 at 13:21, Markus Koschany wrote:
>
>> So the question is
>>
>> does Tomcat 7/8 need write access to the conf directory at runtime and
>> if yes why?
>
> Yes it does: Tomcat extracts the META-INF/context.xml files from the
> .war archives into $CATALINA_BASE/conf/[enginename]/[hostname]/ and this
> happens at runtime.
OK, here we go. Obviously the current setup is not FHS-conformant and I
think we can do better.
>> I'm not convinced that overriding the permissions for all files
>> under /etc/tomcat{7,8} is something that can't be avoided and can only
>> be fixed in Tomcat 9.
>
> I think we should set the permissions for the known tomcat files only
> and avoid touching the other ones. That is:
>
> Catalina
> catalina.properties
> context.xml
> logging.properties
> policy.d
> server.xml
> tomcat-users.xml
> web.xml
>
> I'd keep root:tomcat with 644 or 640 for the permissions. 640 would make
> sense since server.xml could contain datasource declarations with
> database credentials.
If we keep root:tomcat8 then I think 640 is sensible and appropriate.
I am attaching two patches for Tomcat 8 in unstable and Tomcat 8 in stable.
The patch for unstable will achieve the following:
1. Do not override file permissions for custom files in /etc/tomcat8 any
longer. Be explicit instead and only change them for known Debian files.
2. Make /var/lib/tomcat8/conf a real directory and remove the symlink.
Instead symlink all Debian files from /etc/tomcat8 into
/var/lib/tomcat8/conf
3. Remove /etc/tomcat8/Catalina and move it into
/var/lib/tomcat8/conf/Catalina
4. Preserve all custom files and file permissions while performing this
operation.
5. Inform users about the change with a NEWS file.
The stable patch only implements point 1, which should address the issue
described in this bug report. Users will have more time to prepare for
the other changes.
Regards,
Markus
diff -Nru tomcat8-8.0.36/debian/changelog tomcat8-8.0.36/debian/changelog
--- tomcat8-8.0.36/debian/changelog 2016-06-14 14:35:00.000000000 +0200
+++ tomcat8-8.0.36/debian/changelog 2016-07-29 10:49:48.000000000 +0200
@@ -1,3 +1,19 @@
+tomcat8 (8.0.36-2) unstable; urgency=medium
+
+ * Team upload.
+ * Add NEWS file and inform users about the changes.
+ * tomcat8.postinst: Do not unconditionally override file permissions
+ in /etc/tomcat8 anymore. (Closes: #825786)
+ * Make /var/lib/tomcat8/conf a real directory and symlink all configuration
+ files into this directory.
+ * tomcat8.preinst: Move /etc/tomcat8/Catalina to
+ /var/lib/tomcat8/conf/Catalina because Tomcat extracts files at runtime
+ into this directory which is inappropriate for /etc. Preserve all custom
+ configuration files and move them into /var/lib/tomcat8/conf as well.
+ * Set all file permissions to 640 (rw-r--) in /etc/tomcat8.
+
+ -- Markus Koschany <apo at debian.org> Fri, 29 Jul 2016 08:47:24 +0200
+
tomcat8 (8.0.36-1) unstable; urgency=medium
* Team upload.
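Review bot: the entry "Set all file permissions to 640 (rw-r--) in /etc/tomcat8" overstates what the postinst hunk does and truncates the mode string: the new loops only touch the six listed conffiles and the five policy.d files, and custom files are deliberately left alone (that is the point of the fix). Suggest "Set the Debian-shipped files in /etc/tomcat8 and /etc/tomcat8/policy.d to root:tomcat8 640 (rw-r-----)".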
diff -Nru tomcat8-8.0.36/debian/NEWS tomcat8-8.0.36/debian/NEWS
--- tomcat8-8.0.36/debian/NEWS 1970-01-01 01:00:00.000000000 +0100
+++ tomcat8-8.0.36/debian/NEWS 2016-07-29 10:49:48.000000000 +0200
@@ -0,0 +1,16 @@
+tomcat8 (8.0.36-2) unstable; urgency=medium
+
+ This update removes the symlink from /var/lib/tomcat8/conf to /etc/tomcat8.
+ The conf directory has been replaced by a real directory. All global
+ configuration files are now directly symlinked into /var/lib/tomcat8/conf
+ with the notable exception of /etc/tomcat8/Catalina which has been moved
+ into /var/lib/tomcat8/conf.
+
+ The reasoning for this change is that Tomcat extracts files into the
+ Catalina directory at runtime. Since /etc is for static files only,
+ /var/lib/tomcat8/conf/Catalina is a more suitable location.
+
+ All custom files have been preserved and moved into /var/lib/tomcat8/conf.
+ It is safe to remove them from /etc/tomcat8 now.
+
+ -- Markus Koschany <apo at debian.org> Fri, 29 Jul 2016 10:32:20 +0200
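Review bot: "All custom files have been preserved and moved into /var/lib/tomcat8/conf" does not match the preinst, which copies with `cp -ar /etc/tomcat8/* /var/lib/tomcat8/conf/` and leaves the originals in place (only /etc/tomcat8/Catalina is removed). Say "copied" and state that the copies left in /etc/tomcat8 are no longer read by Tomcat, so that "It is safe to remove them from /etc/tomcat8 now" is not taken to mean nothing is left there. Also worth one sentence that the Debian conffiles themselves are now root:tomcat8 640.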
diff -Nru tomcat8-8.0.36/debian/tomcat8.dirs tomcat8-8.0.36/debian/tomcat8.dirs
--- tomcat8-8.0.36/debian/tomcat8.dirs 2016-06-14 13:59:19.000000000 +0200
+++ tomcat8-8.0.36/debian/tomcat8.dirs 2016-07-29 10:49:48.000000000 +0200
@@ -1,6 +1,6 @@
var/log/tomcat8
+var/lib/tomcat8/conf/Catalina/localhost
var/lib/tomcat8/lib
var/lib/tomcat8/webapps
var/cache/tomcat8
-etc/tomcat8/Catalina/localhost
etc/logrotate.d
diff -Nru tomcat8-8.0.36/debian/tomcat8.links tomcat8-8.0.36/debian/tomcat8.links
--- tomcat8-8.0.36/debian/tomcat8.links 2016-06-14 13:59:19.000000000 +0200
+++ tomcat8-8.0.36/debian/tomcat8.links 2016-07-29 10:49:48.000000000 +0200
@@ -1,4 +1,10 @@
-/etc/tomcat8 /var/lib/tomcat8/conf
+/etc/tomcat8/policy.d /var/lib/tomcat8/conf/policy.d
+/etc/tomcat8/catalina.properties /var/lib/tomcat8/conf/catalina.properties
+/etc/tomcat8/context.xml /var/lib/tomcat8/conf/context.xml
+/etc/tomcat8/logging.properties /var/lib/tomcat8/conf/logging.properties
+/etc/tomcat8/server.xml /var/lib/tomcat8/conf/server.xml
+/etc/tomcat8/tomcat-users.xml /var/lib/tomcat8/conf/tomcat-users.xml
+/etc/tomcat8/web.xml /var/lib/tomcat8/conf/web.xml
/var/cache/tomcat8 /var/lib/tomcat8/work
/var/log/tomcat8 /var/lib/tomcat8/logs
/usr/share/doc/tomcat8-common/README.Debian /usr/share/doc/tomcat8/README.Debian
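Review bot: replacing the single directory symlink with seven per-file links changes behaviour for administrators: a file added to /etc/tomcat8 after this upgrade (for instance a keystore or an extra policy referenced from server.xml) is no longer visible under $CATALINA_BASE/conf, whereas the old whole-directory link picked it up automatically. Mention that in NEWS, and keep this list in sync with the hard-coded loop in tomcat8.postinst (same six files plus policy.d), ideally with a comment in each file pointing at the other.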
diff -Nru tomcat8-8.0.36/debian/tomcat8.postinst tomcat8-8.0.36/debian/tomcat8.postinst
--- tomcat8-8.0.36/debian/tomcat8.postinst 2016-06-14 13:59:19.000000000 +0200
+++ tomcat8-8.0.36/debian/tomcat8.postinst 2016-07-29 10:49:48.000000000 +0200
@@ -48,13 +48,28 @@
# configuration files should not be modifiable by tomcat8 user, as this can be a security issue
# (an attacker may insert code in a webapp and have access to all tomcat configuration)
# but those files should be readable by tomcat8, so we set the group to tomcat8
- chown -Rh root:$TOMCAT8_GROUP /etc/tomcat8/*
- if [ -f /etc/tomcat8/tomcat-users.xml ] ; then
- chmod 640 /etc/tomcat8/tomcat-users.xml
- fi
+ for i in tomcat-users.xml web.xml server.xml logging.properties context.xml catalina.properties;
+ do
+ chown root:$TOMCAT8_GROUP /etc/tomcat8/$i
+ chmod 640 /etc/tomcat8/$i
+ done
+ # configuration policy files should not be modifiable by the tomcat8 user. Only
+ # diverge from default permissions for known Debian files
+ chown root:$TOMCAT8_GROUP /etc/tomcat8/policy.d/
+ for i in 01system.policy 02debian.policy 03catalina.policy 04webapps.policy 50local.policy;
+ do
+ chown root:$TOMCAT8_GROUP /etc/tomcat8/policy.d/$i
+ chmod 640 /etc/tomcat8/policy.d/$i
+ done
+ # Tomcat extracts the META-INF/context.xml from war archives into
+ # $CATALINA_BASE/conf/[enginename]/[hostname] at runtime. Therefore group tomcat8
+ # needs write permissions
+ chown root:$TOMCAT8_GROUP /var/lib/tomcat8/conf/Catalina/localhost
+ chmod 775 /var/lib/tomcat8/conf/Catalina /var/lib/tomcat8/conf/Catalina/localhost
+ # $CATALINA_BASE/webapps and $CATALINA_BASE/lib should be readable and
+ # writable by the tomcat8 user
chown -Rh $TOMCAT8_USER:$TOMCAT8_GROUP /var/lib/tomcat8/webapps /var/lib/tomcat8/lib
chmod 775 /var/lib/tomcat8/webapps
- chmod 775 /etc/tomcat8/Catalina /etc/tomcat8/Catalina/localhost
# Authorize user tomcat8 to open privileged ports via authbind.
TOMCAT_UID="`id -u $TOMCAT8_USER`"
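Review bot: the loop `chown root:$TOMCAT8_GROUP /etc/tomcat8/$i` / `chmod 640 /etc/tomcat8/$i` runs unconditionally, but the removed code guarded tomcat-users.xml with `if [ -f ... ]` for a reason: a conffile the admin deleted stays deleted across upgrades, so chown fails and the maintainer script aborts, leaving the package unconfigured. Add `[ -f /etc/tomcat8/$i ] || continue` at the top of both loops. Second, `chmod 775 /var/lib/tomcat8/conf/Catalina /var/lib/tomcat8/conf/Catalina/localhost` gives group write on Catalina, but only localhost is chowned, so Catalina keeps group root and 775 buys tomcat8 nothing there (the old `chown -Rh root:$TOMCAT8_GROUP /etc/tomcat8/*` covered it); either chown both directories or drop 775 on the parent.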
diff -Nru tomcat8-8.0.36/debian/tomcat8.postrm.in tomcat8-8.0.36/debian/tomcat8.postrm.in
--- tomcat8-8.0.36/debian/tomcat8.postrm.in 2016-06-14 13:59:19.000000000 +0200
+++ tomcat8-8.0.36/debian/tomcat8.postrm.in 2016-07-29 10:49:48.000000000 +0200
@@ -59,8 +59,7 @@
if [ -d "/var/lib/tomcat8" ] ; then
rmdir --ignore-fail-on-non-empty /var/lib/tomcat8
fi
- rmdir --ignore-fail-on-non-empty /etc/tomcat8/policy.d \
- /etc/tomcat8/Catalina/localhost /etc/tomcat8/Catalina /etc/tomcat8
+ rmdir --ignore-fail-on-non-empty /etc/tomcat8/policy.d /etc/tomcat8
# clean up /etc/authbind after conffiles have been removed
rmdir --ignore-fail-on-non-empty /etc/authbind/byuid /etc/authbind
# Put all files owned by group tomcat8 back into root group before deleting
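Review bot: dropping /etc/tomcat8/Catalina/localhost from the rmdir list is right, but nothing in the shown context removes its replacement /var/lib/tomcat8/conf/Catalina/localhost, and the postinst comment says Tomcat extracts context.xml files there at runtime, so `rmdir --ignore-fail-on-non-empty /var/lib/tomcat8` will silently leave that tree (plus the copied conffiles in /var/lib/tomcat8/conf) behind on purge. Consider removing /var/lib/tomcat8/conf explicitly in the purge branch.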
diff -Nru tomcat8-8.0.36/debian/tomcat8.preinst tomcat8-8.0.36/debian/tomcat8.preinst
--- tomcat8-8.0.36/debian/tomcat8.preinst 1970-01-01 01:00:00.000000000 +0100
+++ tomcat8-8.0.36/debian/tomcat8.preinst 2016-07-29 10:49:48.000000000 +0200
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+ upgrade)
+ if dpkg --compare-versions "$2" lt "8.0.36-2~"; then
+ rm -f /var/lib/tomcat8/conf
+ mkdir -p /var/lib/tomcat8/conf/Catalina/localhost
+ cp -ar /etc/tomcat8/* /var/lib/tomcat8/conf/
+ rm -rf /var/lib/tomcat8/conf/policy.d
+ ln -s /etc/tomcat8/policy.d var/lib/tomcat8/conf/policy.d
+ rm -rf /etc/tomcat8/Catalina
+ fi
+ ;;
+ install|abort-upgrade)
+ ;;
+ *)
+ echo "preinst called with unknown argument '$1'" >&2
+ exit 1
+ ;;
+esac
+
+#DEBHELPER#
+
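Review bot: `ln -s /etc/tomcat8/policy.d var/lib/tomcat8/conf/policy.d` has a relative link path (missing leading slash), so the symlink is created below whatever directory dpkg happens to run preinst from; and since tomcat8.links already ships /var/lib/tomcat8/conf/policy.d, the `rm -rf` plus `ln -s` pair can simply be deleted. The `cp -ar /etc/tomcat8/*` also copies the seven Debian conffiles, relying on dpkg to replace those copies with the package's symlinks on unpack; copying only the non-Debian entries would make the intent explicit. Finally, `rm -rf /etc/tomcat8/Catalina` runs before the new package is unpacked and the abort-upgrade branch restores nothing, so a failed unpack leaves the old package without its Catalina directory; move the removal to postinst (after the copy has been verified) or restore it on abort-upgrade.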
Attachment: 0001-fix-825786-for-tomcat8-stable.patch (text/x-diff, 1733 bytes): <http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20160729/1915c480/attachment.patch>
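As an added example, not code from the tomcat8 package or from the patches above: a POSIX sh version of the "known Debian files only" rule from point 1 and of the postinst loop, which additionally skips Debian conffiles the admin has deleted or replaced with a symlink instead of failing or modifying the link target. The parameterised CONF_DIR and GROUP, and the helper names, are assumptions so it can be exercised on a scratch tree without root.

```shell
#!/bin/sh
# Apply root:GROUP 0640 only to files the package ships in CONF_DIR.
# Admin-added files keep their own owner and mode; Debian files the admin
# removed are skipped rather than aborting the script under set -e.
set -e

# Same names as the package ships in /etc/tomcat8 and /etc/tomcat8/policy.d
KNOWN_CONFFILES="tomcat-users.xml web.xml server.xml logging.properties context.xml catalina.properties"
KNOWN_POLICIES="01system.policy 02debian.policy 03catalina.policy 04webapps.policy 50local.policy"

# restrict_file FILE [GROUP]: chmod 0640 and, when run as root, chown root:GROUP.
# chmod/chown follow symlinks, so a conffile the admin turned into a symlink
# is left alone rather than silently changing whatever it points at.
restrict_file() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 0
    chmod 0640 "$1"
    if [ -n "${2:-}" ] && [ "$(id -u)" -eq 0 ]; then
        chown "root:$2" "$1"
    fi
}

# restrict_known_conffiles CONF_DIR [GROUP] (hypothetical helper name)
restrict_known_conffiles() {
    conf="$1"
    group="${2:-}"
    for f in $KNOWN_CONFFILES; do
        restrict_file "$conf/$f" "$group"
    done
    for p in $KNOWN_POLICIES; do
        restrict_file "$conf/policy.d/$p" "$group"
    done
}

# mode_of FILE: octal permission bits (GNU stat, as on Debian) for checks
mode_of() {
    stat -c '%a' "$1"
}
```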