[pkg-java] r10355 - in trunk/tomcat6/debian: . policy
Ludovic Claude
ludovicc-guest at alioth.debian.org
Mon Sep 14 12:01:26 UTC 2009
Author: ludovicc-guest
Date: 2009-09-14 12:01:22 +0000 (Mon, 14 Sep 2009)
New Revision: 10355
Added:
trunk/tomcat6/debian/README.source
Modified:
trunk/tomcat6/debian/changelog
trunk/tomcat6/debian/control
trunk/tomcat6/debian/policy/02debian.policy
trunk/tomcat6/debian/tomcat6.postinst
Log:
* tomcat6.postinst: set the ownership of files in /etc/tomcat6/
to root:tomcat6, to prevent an attacker running inside a tomcat6
instance from changing the tomcat configuration
* debian/policy/02debian.policy: grant access to
/usr/share/maven-repo/ as it is a valid source of Debian JARs.
(Closes: #545674)
* Bump up Standards-Version to 3.8.3
- add debian/README.source that describes the quilt patch system.
* debian/control: Add Conflicts on libtomcat6-java with old versions
of tomcat6-common (Closes: #542397)
Added: trunk/tomcat6/debian/README.source
===================================================================
--- trunk/tomcat6/debian/README.source (rev 0)
+++ trunk/tomcat6/debian/README.source 2009-09-14 12:01:22 UTC (rev 10355)
@@ -0,0 +1,9 @@
+Patch System
+============
+
+This package uses quilt to manage all modifications to the upstream
+source. Changes are stored in the source package as diffs in
+debian/patches and applied during the build.
+
+See /usr/share/doc/quilt/README.source for a detailed explanation.
+
Modified: trunk/tomcat6/debian/changelog
===================================================================
--- trunk/tomcat6/debian/changelog 2009-09-14 05:20:02 UTC (rev 10354)
+++ trunk/tomcat6/debian/changelog 2009-09-14 12:01:22 UTC (rev 10355)
@@ -1,3 +1,18 @@
+tomcat6 (6.0.20-6) unstable; urgency=low
+
+ * tomcat6.postinst: set the ownership of files in /etc/tomcat6/
+ to root:tomcat6, to prevent an attacker running inside a tomcat6
+ instance to change the tomcat configuration
+ * debian/policy/02debian.policy: grant access to
+ /usr/share/maven-repo/ as it is a valid source of Debian JARs.
+ (Closes: #545674)
+ * Bump up Standards-Version to 3.8.3
+ - add debian/README.source that describes the quilt patch system.
+ * debian/control: Add Conflicts on libtomcat6-java with old versions
+ of tomcat6-common (Closes: #542397)
+
+ -- Ludovic Claude <ludovic.claude at laposte.net> Mon, 14 Sep 2009 11:03:37 +0100
+
tomcat6 (6.0.20-5) unstable; urgency=low
* Fix jsp-api dependency in the Maven descriptors.
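Review bot: the first bullet of the new 6.0.20-6 entry should read "from changing the tomcat configuration" rather than "to change"; more importantly, since the re-ownership is done unconditionally in the part of tomcat6.postinst shown in this commit, the entry should say that existing files under /etc/tomcat6/ are re-owned to root:tomcat6 on upgrade too, because an administrator whose setup relied on the tomcat6 user being able to write there will otherwise be surprised by the change.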
Modified: trunk/tomcat6/debian/control
===================================================================
--- trunk/tomcat6/debian/control 2009-09-14 05:20:02 UTC (rev 10354)
+++ trunk/tomcat6/debian/control 2009-09-14 12:01:22 UTC (rev 10355)
@@ -6,7 +6,7 @@
Torsten Werner <twerner at debian.org>
Build-Depends: openjdk-6-jdk, ant-optional, debhelper (>= 6), quilt
Build-Depends-Indep: maven-repo-helper, libecj-java
-Standards-Version: 3.8.2
+Standards-Version: 3.8.3
Homepage: http://tomcat.apache.org
Vcs-Svn: svn://svn.debian.org/svn/pkg-java/trunk/tomcat6
Vcs-Browser: http://svn.debian.org/wsvn/pkg-java/trunk/tomcat6
@@ -60,6 +60,7 @@
libcommons-pool-java,
libservlet2.5-java (>= ${source:Version})
Suggests: tomcat6 (>= ${source:Version})
+Conflicts: tomcat6-common (<< 6.0.20-5)
Description: Servlet and JSP engine -- core libraries
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Sun Microsystems, and provides a "pure Java" HTTP web
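Review bot: for a versioned relationship such as `tomcat6-common (<< 6.0.20-5)`, Debian Policy (section 7.4) prefers `Breaks` over `Conflicts`; `Conflicts` forbids the two packages from being unpacked together at all, which gives apt less freedom in ordering the upgrade. If #542397 concerns files that moved from tomcat6-common into libtomcat6-java, a matching `Replaces: tomcat6-common (<< 6.0.20-5)` is needed as well, otherwise dpkg will refuse to overwrite the moved files.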
Modified: trunk/tomcat6/debian/policy/02debian.policy
===================================================================
--- trunk/tomcat6/debian/policy/02debian.policy 2009-09-14 05:20:02 UTC (rev 10354)
+++ trunk/tomcat6/debian/policy/02debian.policy 2009-09-14 12:01:22 UTC (rev 10355)
@@ -2,6 +2,9 @@
grant codeBase "file:/usr/share/java/-" {
permission java.security.AllPermission;
};
+grant codeBase "file:/usr/share/maven-repo/-" {
+ permission java.security.AllPermission;
+};
grant codeBase "file:/usr/share/ant/lib/-" {
permission java.security.AllPermission;
};
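Review bot: granting `java.security.AllPermission` to `file:/usr/share/maven-repo/-` switches the security manager off for every JAR under that tree, recursively, so the grant is only as strong as the tree's write permissions. That is the same trust model the file already applies to `/usr/share/java/-` two lines above, and `/usr/share/maven-repo` is a dpkg-managed, root-owned directory, so the addition is consistent; a one-line comment stating why the tree is trusted (Debian-packaged JARs only, never writable by the tomcat6 user) would document that assumption for administrators who later edit this policy file or add their own grants.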
Modified: trunk/tomcat6/debian/tomcat6.postinst
===================================================================
--- trunk/tomcat6/debian/tomcat6.postinst 2009-09-14 05:20:02 UTC (rev 10354)
+++ trunk/tomcat6/debian/tomcat6.postinst 2009-09-14 12:01:22 UTC (rev 10355)
@@ -9,7 +9,10 @@
fi
chown -R tomcat6:adm /var/log/tomcat6 /var/cache/tomcat6
chmod 750 /var/log/tomcat6 /var/cache/tomcat6
- chown -Rh tomcat6:adm /etc/tomcat6/*
+ # configuration files should not be modifiable by tomcat6 user, as this can be a security issue
+ # (an attacker may insert code in a webapp and have access to all tomcat configuration)
+ # but those files should be readable by tomcat6, so we set the group to tomcat6
+ chown -Rh root:tomcat6 /etc/tomcat6/*
chmod 640 /etc/tomcat6/tomcat-users.xml
chown -Rh tomcat6:adm /var/lib/tomcat6/webapps /var/lib/tomcat6/common /var/lib/tomcat6/server /var/lib/tomcat6/shared
chmod 775 /var/lib/tomcat6/webapps
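Review bot: the glob `/etc/tomcat6/*` leaves the `/etc/tomcat6` directory itself and any dot-files out of the re-ownership, and the only mode adjusted is `chmod 640 /etc/tomcat6/tomcat-users.xml`, so the intended write protection relies on the other files and subdirectories keeping their shipped group-unwritable modes after the `chown -Rh root:tomcat6`; an explicit `chmod -R g-w` on the tree would make the hardening independent of whatever modes the previous tomcat6:adm ownership left behind. If any subdirectory under /etc/tomcat6 must remain writable by the daemon (for example a directory into which Tomcat writes context descriptors when a webapp is deployed), that should be handled explicitly after the recursive chown, since this change turns such writes into failures. The comment above the chown explains the reasoning well; it is the kind of note that belongs here.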