[tomcat8] 02/06: Protect tomcat8.init against symlink attack and possible root privilege

Markus Koschany apo at moszumanska.debian.org
Mon Aug 15 16:12:38 UTC 2016


This is an automated email from the git hooks/post-receive script.

apo pushed a commit to branch jessie
in repository tomcat8.

commit 9a9fd4f1cae13304beed6d4e445d1be8a3917fe0
Author: Markus Koschany <apo at debian.org>
Date:   Thu Aug 11 22:18:25 2016 +0200

    Protect tomcat8.init against symlink attack and possible root privilege
    
    escalation
---
 debian/tomcat8.init | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/debian/tomcat8.init b/debian/tomcat8.init
index 774c08a..c6ed51e 100644
--- a/debian/tomcat8.init
+++ b/debian/tomcat8.init
@@ -170,8 +170,10 @@ catalina_sh() {
 
 	# Run the catalina.sh script as a daemon
 	set +e
-	touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
-	chown $TOMCAT8_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
+	if [ ! -f "$CATALINA_BASE"/logs/catalina.out ]; then
+		install -o $TOMCAT8_USER -g adm -m 644 /dev/null "$CATALINA_BASE"/logs/catalina.out
+	fi
+	install -o $TOMCAT8_USER -g adm -m 644 /dev/null "$CATALINA_PID"
 	start-stop-daemon --start -b -u "$TOMCAT8_USER" -g "$TOMCAT8_GROUP" \
 		-c "$TOMCAT8_USER" -d "$CATALINA_TMPDIR" -p "$CATALINA_PID" \
 		-x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git



More information about the pkg-java-commits mailing list