[tomcat7] 03/06: Do not unconditionally override files in /etc/tomcat7.
Markus Koschany
apo at moszumanska.debian.org
Mon Aug 15 16:13:51 UTC 2016
This is an automated email from the git hooks/post-receive script.
apo pushed a commit to branch jessie
in repository tomcat7.
commit e89ad512cf22b6d009fd1cc88f6467b5ef920d6a
Author: Markus Koschany <apo at debian.org>
Date: Fri Aug 12 00:39:10 2016 +0200
Do not unconditionally override files in /etc/tomcat7.
Change file permissions to 640 for Debian files in /etc/tomcat7/*
Closes: #821391
---
debian/tomcat7.postinst | 23 ++++++++++++++++++++---
1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/debian/tomcat7.postinst b/debian/tomcat7.postinst
index ef339db..6d3d087 100644
--- a/debian/tomcat7.postinst
+++ b/debian/tomcat7.postinst
@@ -48,9 +48,26 @@ case "$1" in
# configuration files should not be modifiable by tomcat7 user, as this can be a security issue
# (an attacker may insert code in a webapp and have access to all tomcat configuration)
# but those files should be readable by tomcat7, so we set the group to tomcat7
- chown -Rh root:$TOMCAT7_GROUP /etc/tomcat7/*
- chmod 640 /etc/tomcat7/tomcat-users.xml
- chown -Rh $TOMCAT7_USER:$TOMCAT7_GROUP /var/lib/tomcat7/webapps /var/lib/tomcat7/common /var/lib/tomcat7/server /var/lib/tomcat7/shared
+ for i in tomcat-users.xml web.xml server.xml logging.properties context.xml catalina.properties;
+ do
+ if [ -f "/etc/tomcat7/$i" ]; then
+ chown root:$TOMCAT7_GROUP /etc/tomcat7/$i
+ chmod 640 /etc/tomcat7/$i
+ fi
+ done
+ # configuration policy files should not be modifiable by the tomcat7 user. Only
+ # diverge from default permissions for known Debian files
+ chown root:$TOMCAT7_GROUP /etc/tomcat7/policy.d
+ for i in 01system.policy 02debian.policy 03catalina.policy 04webapps.policy 50local.policy;
+ do
+ if [ -f "/etc/tomcat7/policy.d/$i" ]; then
+ chown root:$TOMCAT7_GROUP /etc/tomcat7/policy.d/$i
+ chmod 640 /etc/tomcat7/policy.d/$i
+ fi
+ done
+ chown -Rh root:$TOMCAT7_GROUP /etc/tomcat7/Catalina
+
+ chown -Rh $TOMCAT7_USER:$TOMCAT7_GROUP /var/lib/tomcat7/webapps /var/lib/tomcat7/lib
chmod 775 /var/lib/tomcat7/webapps
chmod 775 /etc/tomcat7/Catalina /etc/tomcat7/Catalina/localhost
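Review bot: The new `chown root:$TOMCAT7_GROUP /etc/tomcat7/policy.d` runs unconditionally, while every file it precedes is guarded by `[ -f ... ]`; if an administrator has removed that directory and the maintainer script runs under `set -e` (not visible in this hunk), the postinst aborts at that line, so guard it the same way: `if [ -d /etc/tomcat7/policy.d ]; then` / `chown root:"$TOMCAT7_GROUP" /etc/tomcat7/policy.d` / `fi`. The per-file loops also dropped the `-h` that the removed `chown -Rh` carried, and `[ -f ]` is true for a symlink to a regular file, so a locally symlinked `server.xml` or policy file would presumably have its target's ownership and mode changed rather than the entry in /etc/tomcat7 — adding `&& [ ! -h "/etc/tomcat7/$i" ]` to the two tests, or documenting that symlinked configuration is intentionally followed, would make the intent explicit. As a point of style, the tests quote `"/etc/tomcat7/$i"` but the `chown`/`chmod` lines leave `$TOMCAT7_GROUP` and the path unquoted; quoting them consistently keeps ShellCheck clean. The enclosing `case "$1" in` arm starts before this hunk.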
--