[tomcat8] 04/06: Do not unconditionally overwrite files in /etc/tomcat8 anymore.
Markus Koschany
apo at moszumanska.debian.org
Mon Aug 15 16:12:38 UTC 2016
This is an automated email from the git hooks/post-receive script.
apo pushed a commit to branch jessie
in repository tomcat8.
commit c2b5f8e6dc32c208b79ff1b8a631f08490891c5e
Author: Markus Koschany <apo at debian.org>
Date: Thu Aug 11 22:33:07 2016 +0200
Do not unconditionally overwrite files in /etc/tomcat8 anymore.
Closes: #825786
---
debian/changelog | 2 ++
debian/tomcat8.postinst | 21 +++++++++++++++++++--
2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index d67d3c2..cd1e563 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ tomcat8 (8.0.14-1+deb8u3) jessie-security; urgency=medium
* Team upload.
* tomcat8.init: Protect /var/lib/tomcat8/catalina.out against a symlink
attack and possible root privilege escalation.
+ * Do not unconditionally overwrite files in /etc/tomcat8 anymore.
+ (Closes: #825786)
-- Markus Koschany <apo at debian.org> Thu, 11 Aug 2016 22:19:27 +0200
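Review bot: the wording "overwrite files" does not match what the postinst hunk in this commit changes, which is ownership and permission handling (the recursive `chown -Rh root:$TOMCAT8_GROUP /etc/tomcat8/*` is replaced by a fixed list of known Debian-shipped files), not file contents; an administrator reading the changelog would be better served by "no longer unconditionally reset ownership and permissions of files in /etc/tomcat8". The entry should also mention that tomcat-users.xml moves from mode 640 to 644, since that is a visible change on upgrade.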
diff --git a/debian/tomcat8.postinst b/debian/tomcat8.postinst
index c180c3c..f55ed3b 100644
--- a/debian/tomcat8.postinst
+++ b/debian/tomcat8.postinst
@@ -48,8 +48,25 @@ case "$1" in
# configuration files should not be modifiable by tomcat8 user, as this can be a security issue
# (an attacker may insert code in a webapp and have access to all tomcat configuration)
# but those files should be readable by tomcat8, so we set the group to tomcat8
- chown -Rh root:$TOMCAT8_GROUP /etc/tomcat8/*
- chmod 640 /etc/tomcat8/tomcat-users.xml
+ for i in tomcat-users.xml web.xml server.xml logging.properties context.xml catalina.properties;
+ do
+ if [ -f "/etc/tomcat8/$i" ]; then
+ chown root:$TOMCAT8_GROUP /etc/tomcat8/$i
+ chmod 644 /etc/tomcat8/$i
+ fi
+ done
+ # configuration policy files should not be modifiable by the tomcat8 user. Only
+ # diverge from default permissions for known Debian files
+ chown root:$TOMCAT8_GROUP /etc/tomcat8/policy.d
+ for i in 01system.policy 02debian.policy 03catalina.policy 04webapps.policy 50local.policy;
+ do
+ if [ -f "/etc/tomcat8/policy.d/$i" ]; then
+ chown root:$TOMCAT8_GROUP /etc/tomcat8/policy.d/$i
+ chmod 644 /etc/tomcat8/policy.d/$i
+ fi
+ done
+ chown -Rh root:$TOMCAT8_GROUP /etc/tomcat8/Catalina
+
chown -Rh $TOMCAT8_USER:$TOMCAT8_GROUP /var/lib/tomcat8/webapps /var/lib/tomcat8/lib
chmod 775 /var/lib/tomcat8/webapps
chmod 775 /etc/tomcat8/Catalina /etc/tomcat8/Catalina/localhost
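Review bot: tomcat-users.xml is loosened from 640 to 644 by the new loop (the removed `chmod 640 /etc/tomcat8/tomcat-users.xml` is replaced by `chmod 644 /etc/tomcat8/$i`), which makes a file that carries manager and role credentials readable by every local user; keep 640 for that file, for example by excluding it from the list and applying `chown root:$TOMCAT8_GROUP` plus `chmod 640` to it separately, and reserve 644 for the other listed files. Two smaller points: `chown root:$TOMCAT8_GROUP /etc/tomcat8/policy.d` is not guarded by a `[ -d ... ]` test the way the files are, so it errors on a system where that directory is absent (and aborts the postinst if the script runs under `set -e`); and because the recursive chown of `/etc/tomcat8/*` is gone, any file under /etc/tomcat8 that is not in the two lists (a site-added .xml or .policy file) now keeps whatever ownership it has, which is the intent here but deserves a sentence in the comment above the loop, since that comment still says the group is set on "those files" without saying which ones.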
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git