[pkg-java] r2783 - in branches/tomcat5.5/feature/debian/debian: . policy

Marcus Better marcusb-guest at alioth.debian.org
Wed Nov 22 11:50:32 CET 2006


Author: marcusb-guest
Date: 2006-11-22 11:50:31 +0100 (Wed, 22 Nov 2006)
New Revision: 2783

Added:
   branches/tomcat5.5/feature/debian/debian/policy/50user.policy
Removed:
   branches/tomcat5.5/feature/debian/debian/policy/99examples.policy
Modified:
   branches/tomcat5.5/feature/debian/debian/README.Debian
   branches/tomcat5.5/feature/debian/debian/policy/01system.policy
   branches/tomcat5.5/feature/debian/debian/policy/02debian.policy
   branches/tomcat5.5/feature/debian/debian/policy/03catalina.policy
   branches/tomcat5.5/feature/debian/debian/policy/04webapps.policy
Log:
Update security policy from upstream. Add 50user.policy for user customizations.


Modified: branches/tomcat5.5/feature/debian/debian/README.Debian
===================================================================
--- branches/tomcat5.5/feature/debian/debian/README.Debian	2006-11-21 11:37:40 UTC (rev 2782)
+++ branches/tomcat5.5/feature/debian/debian/README.Debian	2006-11-22 10:50:31 UTC (rev 2783)
@@ -1,4 +1,4 @@
-Apache-Tomcat 5.5 for Debian
+Apache Tomcat 5.5 for Debian
 ============================
 
 - The home directory (CATALINA_HOME) for Tomcat 5.5 (a.k.a. Catalina) is
@@ -40,7 +40,7 @@
   browser to http://localhost:8180/ and testing some of the Servlet and JSP
   examples. This requires installation of the tomcat5.5-webapps package.
 
-- You can install our own web applications as .war files or in extracted form
+- You can install your own web applications as .war files or in extracted form
   into a subdirectory of /var/lib/tomcat5.5/webapps. The name of the WAR file
   or subdirectory is the servlet context for this webapp.
 
@@ -49,15 +49,10 @@
   conf, logs, webapps, work and temp. See RUNNING.txt for more about this.
 
 - When Tomcat runs with a security manager, you can define the permissions
-  for your servlets and JSPs in /etc/tomcat5.5/policy.d/*. All files in this
-  directory are joined to create /etc/tomcat5.5/catalina.policy at startup.
+  for your servlets and JSPs in /etc/tomcat5.5/policy.d/. For
+  example, you can put your customizations in 50user.policy in this
+  directory.
 
-  If your webapp does not work with the tomcat5.5 Debian package but works fine
-  with the binary distribution from Jakarta, try to disable the security
-  manager in /etc/default/tomcat5.5 first. If this works, add the required
-  permissions in a new file in /etc/tomcat5.5/policy.d/ restart and re-enable 
-  the security manager.
-
 - There is a webapp for basic web-based administration of Tomcat's webapps
   in the tomcat5.5-admin package. You need to add one of the users in
   /var/lib/tomcat5.5/conf/tomcat-users.xml to the manager role and probably
@@ -80,6 +75,6 @@
   home page at <http://tomcat.apache.org/index.html>.
 
 - This package is heavily based on the great work of Stephan Gybas on
-  the tomcat4 package
+  the tomcat4 package.
 
- -- Marcus Better <marcus at better.se>, Tue, 21 Nov 2006 11:01:41 +0100
+ -- Marcus Better <marcus at better.se>, Wed, 22 Nov 2006 11:49:16 +0100

Modified: branches/tomcat5.5/feature/debian/debian/policy/01system.policy
===================================================================
--- branches/tomcat5.5/feature/debian/debian/policy/01system.policy	2006-11-21 11:37:40 UTC (rev 2782)
+++ branches/tomcat5.5/feature/debian/debian/policy/01system.policy	2006-11-22 10:50:31 UTC (rev 2783)
@@ -1,5 +1,5 @@
 // ============================================================================
-// catalina.policy - Security Policy Permissions for Tomcat 4.1
+// catalina.corepolicy - Security Policy Permissions for Tomcat 5
 //
 // This file contains a default set of security policies to be enforced (by the
 // JVM) when Catalina is executed with the "-security" option.  In addition
@@ -8,6 +8,7 @@
 //
 // * Read access to the document root directory
 //
+// $Id$
 // ============================================================================
 
 
@@ -16,22 +17,21 @@
 
 // These permissions apply to javac
 grant codeBase "file:${java.home}/lib/-" {
-  permission java.security.AllPermission;
+        permission java.security.AllPermission;
 };
 
 // These permissions apply to all shared system extensions
 grant codeBase "file:${java.home}/jre/lib/ext/-" {
-  permission java.security.AllPermission;
+        permission java.security.AllPermission;
 };
 
-// These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
+// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
 grant codeBase "file:${java.home}/../lib/-" {
-  permission java.security.AllPermission;
+        permission java.security.AllPermission;
 };
 
 // These permissions apply to all shared system extensions when
 // ${java.home} points at $JAVA_HOME/jre
 grant codeBase "file:${java.home}/lib/ext/-" {
-  permission java.security.AllPermission;
+        permission java.security.AllPermission;
 };
-

Modified: branches/tomcat5.5/feature/debian/debian/policy/02debian.policy
===================================================================
--- branches/tomcat5.5/feature/debian/debian/policy/02debian.policy	2006-11-21 11:37:40 UTC (rev 2782)
+++ branches/tomcat5.5/feature/debian/debian/policy/02debian.policy	2006-11-22 10:50:31 UTC (rev 2783)
@@ -5,4 +5,3 @@
 grant codeBase "file:/usr/share/ant/lib/-" {
   permission java.security.AllPermission;
 };
-

Modified: branches/tomcat5.5/feature/debian/debian/policy/03catalina.policy
===================================================================
--- branches/tomcat5.5/feature/debian/debian/policy/03catalina.policy	2006-11-21 11:37:40 UTC (rev 2782)
+++ branches/tomcat5.5/feature/debian/debian/policy/03catalina.policy	2006-11-22 10:50:31 UTC (rev 2783)
@@ -1,5 +1,15 @@
 // ========== CATALINA CODE PERMISSIONS =======================================
 
+// These permissions apply to the launcher code
+grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" {
+        permission java.security.AllPermission;
+};
+
+// These permissions apply to the daemon code
+grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
+        permission java.security.AllPermission;
+};
+
 // These permissions apply to the commons-logging API
 grant codeBase "file:${catalina.home}/bin/commons-logging-api.jar" {
         permission java.security.AllPermission;
@@ -15,7 +25,7 @@
         permission java.security.AllPermission;
 };
 
-// These permissions apply to the JMX server
+// These permissions apply to JULI
 grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
         permission java.security.AllPermission;
 };
@@ -24,11 +34,11 @@
 // and those that are shared across all class loaders
 // located in the "common" directory
 grant codeBase "file:${catalina.home}/common/-" {
-  permission java.security.AllPermission;
+        permission java.security.AllPermission;
 };
 
 // These permissions apply to the container's core code, plus any additional
 // libraries installed in the "server" directory
 grant codeBase "file:${catalina.home}/server/-" {
-  permission java.security.AllPermission;
+        permission java.security.AllPermission;
 };

Modified: branches/tomcat5.5/feature/debian/debian/policy/04webapps.policy
===================================================================
--- branches/tomcat5.5/feature/debian/debian/policy/04webapps.policy	2006-11-21 11:37:40 UTC (rev 2782)
+++ branches/tomcat5.5/feature/debian/debian/policy/04webapps.policy	2006-11-22 10:50:31 UTC (rev 2783)
@@ -5,59 +5,50 @@
 // In addition, a web application will be given a read FilePermission
 // and JndiPermission for all files and directories in its document root.
 grant { 
-  // Required for JNDI lookup of named JDBC DataSource's and
-  // javamail named MimePart DataSource used to send mail
-  permission java.util.PropertyPermission "java.home", "read";
-  permission java.util.PropertyPermission "java.naming.*", "read";
-  permission java.util.PropertyPermission "javax.sql.*", "read";
+    // Required for JNDI lookup of named JDBC DataSource's and
+    // javamail named MimePart DataSource used to send mail
+    permission java.util.PropertyPermission "java.home", "read";
+    permission java.util.PropertyPermission "java.naming.*", "read";
+    permission java.util.PropertyPermission "javax.sql.*", "read";
 
-  // OS Specific properties to allow read access
-  permission java.util.PropertyPermission "os.name", "read";
-  permission java.util.PropertyPermission "os.version", "read";
-  permission java.util.PropertyPermission "os.arch", "read";
-  permission java.util.PropertyPermission "file.separator", "read";
-  permission java.util.PropertyPermission "path.separator", "read";
-  permission java.util.PropertyPermission "line.separator", "read";
+    // OS Specific properties to allow read access
+    permission java.util.PropertyPermission "os.name", "read";
+    permission java.util.PropertyPermission "os.version", "read";
+    permission java.util.PropertyPermission "os.arch", "read";
+    permission java.util.PropertyPermission "file.separator", "read";
+    permission java.util.PropertyPermission "path.separator", "read";
+    permission java.util.PropertyPermission "line.separator", "read";
 
-  // JVM properties to allow read access
-  permission java.util.PropertyPermission "java.version", "read";
-  permission java.util.PropertyPermission "java.vendor", "read";
-  permission java.util.PropertyPermission "java.vendor.url", "read";
-  permission java.util.PropertyPermission "java.class.version", "read";
-  permission java.util.PropertyPermission "java.specification.version", "read";
-  permission java.util.PropertyPermission "java.specification.vendor", "read";
-  permission java.util.PropertyPermission "java.specification.name", "read";
+    // JVM properties to allow read access
+    permission java.util.PropertyPermission "java.version", "read";
+    permission java.util.PropertyPermission "java.vendor", "read";
+    permission java.util.PropertyPermission "java.vendor.url", "read";
+    permission java.util.PropertyPermission "java.class.version", "read";
+	permission java.util.PropertyPermission "java.specification.version", "read";
+	permission java.util.PropertyPermission "java.specification.vendor", "read";
+	permission java.util.PropertyPermission "java.specification.name", "read";
 
-  permission java.util.PropertyPermission "java.vm.specification.version", "read";
-  permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
-  permission java.util.PropertyPermission "java.vm.specification.name", "read";
-  permission java.util.PropertyPermission "java.vm.version", "read";
-  permission java.util.PropertyPermission "java.vm.vendor", "read";
-  permission java.util.PropertyPermission "java.vm.name", "read";
+	permission java.util.PropertyPermission "java.vm.specification.version", "read";
+	permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
+	permission java.util.PropertyPermission "java.vm.specification.name", "read";
+	permission java.util.PropertyPermission "java.vm.version", "read";
+	permission java.util.PropertyPermission "java.vm.vendor", "read";
+	permission java.util.PropertyPermission "java.vm.name", "read";
 
-  // Required for getting BeanInfo
-  permission java.lang.RuntimePermission "accessClassInPackage.sun.beans";
-  permission java.lang.RuntimePermission "accessClassInPackage.sun.beans.*";
+    // Required for OpenJMX
+    permission java.lang.RuntimePermission "getAttribute";
 
-  // Required for sevlets and JSP's
-  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";  
-  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util.*";
-  permission java.lang.RuntimePermission "defineClassInPackage.org.apache.catalina.util";
-  permission java.lang.RuntimePermission "defineClassInPackage.org.apache.catalina.util.*";
+	// Allow read of JAXP compliant XML parser debug
+	permission java.util.PropertyPermission "jaxp.debug", "read";
 
-  // Required for running servlets generated by JSPC
-  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
-  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
-
-  // Required for MX4J
-  permission java.lang.RuntimePermission "getAttribute";
-
-  // Allow read of JAXP compliant XML parser debug
-  permission java.util.PropertyPermission "jaxp.debug", "read";
+    // Precompiled JSPs need access to this package.
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
+    
 };
 
-// The permissions granted to the balancer WEB-INF/classes directory
-grant codeBase "file:/usr/share/tomcat5.5-webapps/balancer/WEB-INF/classes/-" {
-  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester";
-  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester.*";
+// The permissions granted to the balancer WEB-INF/classes and WEB-INF/lib directory
+grant codeBase "file:/usr/share/tomcat5.5-webapps/balancer/-" {
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester.*";
 };

Added: branches/tomcat5.5/feature/debian/debian/policy/50user.policy
===================================================================
--- branches/tomcat5.5/feature/debian/debian/policy/50user.policy	2006-11-21 11:37:40 UTC (rev 2782)
+++ branches/tomcat5.5/feature/debian/debian/policy/50user.policy	2006-11-22 10:50:31 UTC (rev 2783)
@@ -0,0 +1,31 @@
+// You can assign additional permissions to particular web applications by
+// adding additional "grant" entries here, based on the code base for that
+// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
+//
+// Different permissions can be granted to JSP pages, classes loaded from
+// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
+// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
+//
+// For instance, assume that the standard "examples" application
+// included a JDBC driver that needed to establish a network connection to the
+// corresponding database and used the scrape taglib to get the weather from
+// the NOAA web server.  You might create a "grant" entries like this:
+//
+// The permissions granted to the context root directory apply to JSP pages.
+// grant codeBase "file:${catalina.home}/webapps/examples/-" {
+//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
+//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
+// };
+//
+// The permissions granted to the context WEB-INF/classes directory
+// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" {
+// };
+//
+// The permission granted to your JDBC driver
+// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
+//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
+// };
+// The permission granted to the scrape taglib
+// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
+//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
+// };

Deleted: branches/tomcat5.5/feature/debian/debian/policy/99examples.policy
===================================================================
--- branches/tomcat5.5/feature/debian/debian/policy/99examples.policy	2006-11-21 11:37:40 UTC (rev 2782)
+++ branches/tomcat5.5/feature/debian/debian/policy/99examples.policy	2006-11-22 10:50:31 UTC (rev 2783)
@@ -1,32 +0,0 @@
-// You can assign additional permissions to particular web applications by
-// adding additional "grant" entries here, based on the code base for that
-// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
-//
-// Different permissions can be granted to JSP pages, classes loaded from
-// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
-// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
-//
-// For instance, assume that the standard "examples" application
-// included a JDBC driver that needed to establish a network connection to the
-// corresponding database and used the scrape taglib to get the weather from
-// the NOAA web server.  You might create a "grant" entries like this:
-//
-// The permissions granted to the context root directory apply to JSP pages.
-// grant codeBase "file:${catalina.home}/webapps/examples/-" {
-//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
-//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
-// };
-//
-// The permissions granted to the context WEB-INF/classes directory
-// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" {
-// };
-//
-// The permission granted to your JDBC driver
-// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
-//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
-// };
-// The permission granted to the scrape taglib
-// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
-//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
-// };
-




More information about the pkg-java-commits mailing list