[Git][java-team/tomcat9][fix-925929] 11 commits: add (commented-out) non-systemd logging configuration example
mirabilos
gitlab at salsa.debian.org
Mon Apr 1 15:28:33 BST 2019
mirabilos pushed to branch fix-925929 at Debian Java Maintainers / tomcat9
Commits:
0c85dd7f by mirabilos at 2019-03-28T16:11:13Z
add (commented-out) non-systemd logging configuration example
(from upstream, cf. commit ef2a6bf92e048d1cbf487e5bad4a5b0564e51af9)
- - - - -
131e4053 by mirabilos at 2019-03-28T16:13:44Z
make installable without systemd: add back adduser support
- - - - -
9ab8b8ac by mirabilos at 2019-03-28T16:28:47Z
document the missing hardening when not using systemd
- - - - -
7d1a0849 by mirabilos at 2019-03-28T17:08:16Z
lintian insists on oversea spelling here
- - - - -
b10968e0 by mirabilos at 2019-03-28T17:21:41Z
update lintian overrides for adduser as an OR’d dependency
- - - - -
93536ef6 by mirabilos at 2019-04-01T13:05:00Z
first cut at sysvinit script, wrapping the systemd script
- - - - -
964dd598 by mirabilos at 2019-04-01T13:06:22Z
make sourced scriptlet not executable (makes no sense anyway)
- - - - -
f7c0eaa8 by mirabilos at 2019-04-01T13:07:50Z
unbreak $SECURITY_MANAGER (which $TOMCAT_SECURITY was renamed to)
- - - - -
3bdb691d by mirabilos at 2019-04-01T13:42:13Z
small fixes in the init script
- - - - -
325b37d5 by mirabilos at 2019-04-01T14:25:09Z
drop -XX:+UseG1GC from standard JAVA_OPTS (Closes: #925928)
rationale: the JRE chooses a suitable GC automatically anyway,
and some VMs (notably Zero) don’t support this flag and then
refuse to start; but suggest that Java 8 users add it back,
from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925928#22
- - - - -
bb8ea718 by mirabilos at 2019-04-01T14:28:11Z
fix /var/log/tomcat9 to belong to group adm, chmod 2750 (Closes: #925929)
rationale: Debian commonplace allows users in the group adm
to read logs
also add missing RequiresMountsFor for systemd; related fixes
From: Felipe Sateler <fsateler at debian.org>
- - - - -
17 changed files:
- debian/README.Debian
- debian/changelog
- debian/control
- debian/copyright
- debian/default.template
- + debian/libexec/sysv-getjre.sh
- + debian/libexec/sysv-start.sh
- debian/libexec/tomcat-locate-java.sh
- debian/libexec/tomcat-start.sh
- debian/logging.properties
- debian/setenv.sh
- + debian/tomcat9.init
- debian/tomcat9.install
- + debian/tomcat9.lintian-overrides
- debian/tomcat9.postinst
- debian/tomcat9.service
- + debian/tomcat9.tmpfile
Changes:
=====================================
debian/README.Debian
=====================================
@@ -54,6 +54,13 @@ Getting started
systemctl daemon-reload
systemctl restart tomcat9
+ ⚠ This is supported only when Tomcat is started with the systemd unit.
+
+ Using Tomcat with other init systems is supported, however that will
+ negate the security hardening detailed above, make Tomcat not have
+ its own temporary directory, not drop privileges/capabilities after
+ start, and not be restarted on crashing. Use at your own risk.
+
* To run more than one Tomcat instance on your server, install the package
tomcat9-user and run the tomcat9-instance-create utility.
You should remove the tomcat9 package if you don't want Tomcat to
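Review bot: the second added paragraph overstates one point: the sysvinit script in this same series does give Tomcat its own temporary directory (CATALINA_TMPDIR=/tmp/tomcat9-tmp, recreated and chowned at start); what is lost is the private, unshared /tmp that PrivateTmp=yes provides. Suggest "not have a private temporary directory", and since the non-systemd path also loses ProtectSystem=strict, NoNewPrivileges and the capability restriction visible in the unit, name those explicitly instead of pointing at "the hardening detailed above", so a reader of this section alone can weigh the risk. The ⚠ glyph may not survive in a plain-text README viewed under a non-UTF-8 locale; a plain "WARNING:" is safer.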
=====================================
debian/changelog
=====================================
@@ -1,3 +1,21 @@
+tomcat9 (9.0.16-4) UNRELEASED; urgency=medium
+
+ * Team upload.
+ * debian/logging.properties: Add commented-out non-systemd configuration
+ * Make tomcat9 installable without systemd:
+ - Readd logic to create the system user via adduser
+ - Add sysvinit script, for init independence (Closes: #925473)
+ * debian/README.Debian: Document non-systemd risks
+ * debian/libexec/tomcat-locate-java.sh: Remove shebang and make
+ not executable as this is only ever sourced (makes no sense otherwise)
+ * Make the systemd startup script honour the (renamed) $SECURITY_MANAGER
+ * Remove -XX:+UseG1GC from standard JAVA_OPTS; the JRE chooses
+ a suitable GC automatically anyway (Closes: #925928)
+ * Correct the ownership and permissions on the log directory:
+ group adm and setgid (Closes: #925929)
+
+ -- Thorsten Glaser <tg at mirbsd.de> Mon, 01 Apr 2019 15:42:02 +0200
+
tomcat9 (9.0.16-3) unstable; urgency=medium
* Removed read/write access to /var/lib/solr (Closes: #923299)
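Review bot: two changes visible in this series are missing from the entry: the new debian/tomcat9.tmpfile together with the removal of LogsDirectory= from the unit (creation of /var/log/tomcat9 now relies on tmpfiles.d and the postinst), and the RequiresMountsFor= addition that the last commit message calls out. Add a bullet for each, and credit Felipe Sateler for the log-directory change as the commit message does.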
=====================================
debian/control
=====================================
@@ -47,7 +47,7 @@ Package: tomcat9
Architecture: all
Depends:
lsb-base (>= 3.0-6),
- systemd (>= 215),
+ systemd (>= 215) | adduser,
tomcat9-common (>= ${source:Version}),
ucf,
${misc:Depends}
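Review bot: `systemd (>= 215) | adduser` is satisfied by a system that has the systemd package installed but boots with sysvinit, and the postinst branches on `which systemd-sysusers` rather than on the running init, so such a system takes the sysusers path for user creation while the new init script is what actually starts the service. That works, but it is worth a sentence in README.Debian. Also confirm that `lsb-base (>= 3.0-6)` still provides both /lib/lsb/init-functions and /lib/init/vars.sh as sourced by the init script, and that start-stop-daemon and su (dpkg and util-linux, both essential) are the only other tools it needs.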
=====================================
debian/copyright
=====================================
@@ -49,6 +49,7 @@ Copyright: 2008,2011, Canonical Ltd.
2013-2014, Gianfranco Costamagna <costamagnagianfranco at yahoo.it>
2013-2018, Emmanuel Bourg <ebourg at apache.org>
2001-2017, Markus Koschany <apo at debian.org>
+ 2015–2019, mirabilos <t.glaser at tarent.de>
License: Apache-2.0
License: Apache-2.0
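Review bot: the new line uses an en dash in `2015–2019` while every other stanza uses an ASCII hyphen (`2013-2014`, `2001-2017`); use `2015-2019` for consistency and to keep the file plain ASCII.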
=====================================
debian/default.template
=====================================
@@ -3,9 +3,10 @@
# OpenJDK and the Oracle JDK are tried.
#JAVA_HOME=/usr/lib/jvm/java-8-openjdk
-# You may pass JVM startup parameters to Java here. If unset, the default
-# options will be: -Djava.awt.headless=true -XX:+UseG1GC
-JAVA_OPTS="-Djava.awt.headless=true -XX:+UseG1GC"
+# You may pass JVM startup parameters to Java here. If you run Tomcat with
+# Java 8 instead of 9 or newer, add "-XX:+UseG1GC" to select a suitable GC.
+# If unset, the default options will be: -Djava.awt.headless=true
+JAVA_OPTS="-Djava.awt.headless=true"
# To enable remote debugging uncomment the following line.
# You will then be able to use a Java debugger on port 8000.
=====================================
debian/libexec/sysv-getjre.sh
=====================================
@@ -0,0 +1,15 @@
+#!/bin/sh
+#
+# SYSVinit script helper to determine the JRE (for start-stop-daemon)
+#
+
+. /usr/libexec/tomcat9/tomcat-locate-java.sh
+set +e
+
+. /usr/share/tomcat9/bin/setclasspath.sh
+
+if test -n "$_RUNJAVA"; then
+ printf "OK<%s>" "$_RUNJAVA"
+else
+ echo UNSET
+fi
=====================================
debian/libexec/sysv-start.sh
=====================================
@@ -0,0 +1,33 @@
+#!/bin/sh
+#
+# SYSVinit script helper to wrap the systemd startup script
+#
+
+set -e
+
+# redirect stdio
+exec </dev/null
+exec >>/var/log/tomcat9/catalina.out
+exec 2>&1
+# write an initial log entry
+echo "[$(date +'%FT%T%z')] starting..."
+
+# make sure Tomcat is started with system locale
+
+# restore LC_ALL that was (un)set at initscript startup
+case $saved_LC_ALL in
+(x*) LC_ALL=${saved_LC_ALL#x} ;;
+(*) unset LC_ALL ;;
+esac
+# read global locale configuration
+test -r /etc/default/locale && . /etc/default/locale
+# export all POSIX locale-relevant environment variables if set
+for v in LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY \
+ LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE \
+ LC_MEASUREMENT LC_IDENTIFICATION LC_ALL; do
+ eval "x=\${$v-x}"
+ test x"$x" = x"x" || eval export "$v"
+done
+
+# hand control to the systemd startup script we wrap
+exec /usr/libexec/tomcat9/tomcat-start.sh "$@"
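Review bot: the final `exec` is load-bearing and deserves a comment saying so: tomcat9.init starts this script with `--background --make-pidfile`, so the recorded PID is this shell's, and the later `--exec "$_RUNJAVA"` matches in status and stop only succeed while every step from here to the JVM replaces the process (this script, tomcat-start.sh and catalina.sh). Without that note a future post-start step or non-exec'd wrapper would silently break stop and status. Also state in the comment before `set +e` in sysv-getjre.sh that tomcat-locate-java.sh enables `set -e`, which is why it is switched off again there.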
=====================================
debian/libexec/tomcat-locate-java.sh
=====================================
@@ -1,4 +1,3 @@
-#!/bin/sh
#
# Script looking for a Java runtime suitable for running Tomcat
#
=====================================
debian/libexec/tomcat-start.sh
=====================================
@@ -15,7 +15,7 @@ export JAVA_OPTS
# Enable the Java security manager?
SECURITY=""
-[ "$TOMCAT_SECURITY" = "yes" ] && SECURITY="-security"
+[ "$SECURITY_MANAGER" = "true" ] && SECURITY="-security"
# Start Tomcat
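Review bot: the accepted value changes from `yes` to `true` together with the variable name, so an administrator who renames `TOMCAT_SECURITY=yes` to `SECURITY_MANAGER=yes` in /etc/default/tomcat9 now silently runs without the security manager. Either accept both (`case $SECURITY_MANAGER in (true|yes) SECURITY=-security ;; esac`) or log a warning for any value other than true/false, and make sure default.template documents `true`/`false` as the only values; tomcat9.init defaulting it to `false` is consistent with that.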
=====================================
debian/logging.properties
=====================================
@@ -33,7 +33,9 @@ handlers = 1catalina.org.apache.juli.AsyncFileHandler, 2localhost.org.apache.jul
2localhost.org.apache.juli.AsyncFileHandler.maxDays = 90
java.util.logging.ConsoleHandler.level = FINE
+# use one of these depending on whether you use systemd or not, or roll your own
java.util.logging.ConsoleHandler.formatter = org.apache.juli.SystemdFormatter
+#java.util.logging.ConsoleHandler.formatter = org.apache.juli.OneLineFormatter
############################################################
=====================================
debian/setenv.sh
=====================================
@@ -8,5 +8,5 @@ CATALINA_HOME=/usr/share/tomcat9
# Default Java options
if [ -z "$JAVA_OPTS" ]; then
- JAVA_OPTS="-Djava.awt.headless=true -XX:+UseG1GC"
+ JAVA_OPTS="-Djava.awt.headless=true"
fi
=====================================
debian/tomcat9.init
=====================================
@@ -0,0 +1,163 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: tomcat9
+# Required-Start: $local_fs $remote_fs $network
+# Required-Stop: $local_fs $remote_fs $network
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Tomcat 9
+# Description: The Tomcat 9 servlet engine runs Java Web Archives.
+### END INIT INFO
+
+# stuff away, used later
+saved_LC_ALL=${LC_ALL+x$LC_ALL}
+export saved_LC_ALL
+
+# absolute basics
+LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin
+export LC_ALL PATH
+unset LANGUAGE
+
+# exit cleanly if disabled or not installed
+test -x /usr/libexec/tomcat9/sysv-start.sh || exit 0
+test -x /usr/libexec/tomcat9/sysv-getjre.sh || exit 0
+test -x /usr/libexec/tomcat9/tomcat-update-policy.sh || exit 0
+test -x /usr/libexec/tomcat9/tomcat-start.sh || exit 0
+
+# Debian/LSB init script foobar
+DESC='Tomcat 9 servlet engine'
+NAME=tomcat9
+readonly DESC NAME
+. /lib/init/vars.sh
+test -t 0 && VERBOSE=yes
+. /lib/lsb/init-functions
+
+# somewhat LSB-compliant exit with failure
+if test x"$1" = x"status"; then
+ exit_failure_msg() {
+ log_failure_msg "$@"
+ exit 4
+ }
+else
+ exit_failure_msg() {
+ log_failure_msg "$@"
+ exit 1
+ }
+fi
+
+# set defaults for options
+CATALINA_HOME=/usr/share/tomcat9
+CATALINA_BASE=/var/lib/tomcat9
+CATALINA_TMPDIR=/tmp/tomcat9-tmp
+export CATALINA_HOME CATALINA_BASE CATALINA_TMPDIR
+JAVA_HOME= # determined later if empty
+JAVA_OPTS=-Djava.awt.headless=true
+JSP_COMPILER= # only used if nonempty
+SECURITY_MANAGER=false
+export JAVA_HOME JAVA_OPTS JSP_COMPILER SECURITY_MANAGER
+UMASK=022
+export UMASK
+# read options
+test -r /etc/default/tomcat9 && . /etc/default/tomcat9
+
+# ensure the temporary directory exist and change to it
+rm -rf "$CATALINA_TMPDIR"
+mkdir "$CATALINA_TMPDIR" || \
+ exit_failure_msg 'could not create JVM temporary directory'
+chown -h tomcat "$CATALINA_TMPDIR"
+cd "$CATALINA_TMPDIR"
+
+# figure out the JRE executable catalina.sh will use
+# (we need it for start-stop-daemon --exec for reliability)
+_RUNJAVA=$(su tomcat -s /bin/sh -c /usr/libexec/tomcat9/sysv-getjre.sh) || \
+ _RUNJAVA="FAIL:$?"
+case $_RUNJAVA in
+('OK<'*'>')
+ _RUNJAVA=${_RUNJAVA#'OK<'}
+ _RUNJAVA=${_RUNJAVA%'>'}
+ ;;
+(*)
+ exit_failure_msg "could not determine JRE: $_RUNJAVA"
+ ;;
+esac
+
+# prepare for actions
+case $1 in
+(start|stop|restart|force-reload)
+ # handled below
+ ;;
+(try-restart|status)
+ start-stop-daemon --status --quiet \
+ --pidfile /var/run/tomcat9.pid \
+ --exec "$_RUNJAVA" --user tomcat
+ rv=$?
+ # clean up stale pidfile if necessary
+ (test x"$rv" = x"1" && rm -f /var/run/tomcat9.pid || :)
+ # process status result
+ case $1 in
+ (try-restart)
+ test x"$rv" = x"0" || {
+ # service is not running, or status is unknown
+ log_success_msg "$NAME is not running"
+ exit 0
+ }
+ # service running, restart it
+ ;;
+ (status)
+ case $rv in
+ (0)
+ log_success_msg "$NAME is running"
+ ;;
+ (4)
+ log_failure_msg "could not access PID file for $NAME"
+ ;;
+ (*)
+ log_failure_msg "$NAME is not running"
+ ;;
+ esac
+ exit $rv
+ ;;
+ esac
+ ;;
+(reload|*)
+ # not supported
+ echo >&2 "Usage: $0 {start|stop|restart|try-restart|force-reload|status}"
+ exit 3
+ ;;
+esac
+
+# handle stopping/starting
+rv=0
+
+case $1 in
+(stop|restart|try-restart|force-reload)
+ test x"$VERBOSE" = x"no" || log_daemon_msg "Stopping $DESC"
+ start-stop-daemon --stop --quiet \
+ --retry=10 --oknodo --remove-pidfile \
+ --pidfile /var/run/tomcat9.pid \
+ --exec "$_RUNJAVA" --user tomcat
+ rv=$?
+ test x"$VERBOSE" = x"no" || log_end_msg $rv
+ ;;
+esac
+
+test x"$rv" = x"0" || exit $rv
+
+case $1 in
+(start|restart|try-restart|force-reload)
+ /usr/libexec/tomcat9/tomcat-update-policy.sh || \
+ exit_failure_msg 'could not regenerating catalina.policy file'
+ rm -f /var/run/tomcat9.pid
+ test x"$VERBOSE" = x"no" || log_daemon_msg "Starting $DESC"
+ start-stop-daemon --start --quiet \
+ --chuid tomcat --umask "$UMASK" \
+ --startas /usr/libexec/tomcat9/sysv-start.sh \
+ --background --make-pidfile \
+ --pidfile /var/run/tomcat9.pid \
+ --exec "$_RUNJAVA" --user tomcat
+ rv=$?
+ test x"$VERBOSE" = x"no" || log_end_msg $rv
+ ;;
+esac
+
+exit $rv
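Review bot: the temporary-directory setup near the top (`rm -rf "$CATALINA_TMPDIR"`, mkdir, chown, cd) and the JRE probe run on every invocation before `$1` is examined, so `status`, `try-restart` on a stopped service, and even a bad argument that ends in the usage message wipe /tmp/tomcat9-tmp underneath a running Tomcat. Move that block into the start branch, after the stop step has completed. While there: the directory is created with the default mode under a fixed name in world-writable /tmp; `mkdir -m 0700` (or a location under /var/cache/tomcat9, which the postinst already sets to 750 tomcat:tomcat) keeps it unreadable by other local users, which is the closest a sysvinit start gets to PrivateTmp=yes. The message 'could not regenerating catalina.policy file' should read 'could not regenerate'. Finally, `--make-pidfile --background` records the PID of sysv-start.sh, so the `--exec "$_RUNJAVA"` match in status/stop only works while sysv-start.sh, tomcat-start.sh and catalina.sh all `exec` into the JVM; record that dependency in a comment next to the start-stop-daemon call.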
=====================================
debian/tomcat9.install
=====================================
@@ -8,5 +8,6 @@ debian/default.template /usr/share/tomcat9/
debian/logrotate.template /usr/share/tomcat9/
debian/sysusers/*.conf /usr/lib/sysusers.d/
+debian/libexec/sysv-* /usr/libexec/tomcat9/
debian/libexec/tomcat-start.sh /usr/libexec/tomcat9/
debian/libexec/tomcat-update-policy.sh /usr/libexec/tomcat9/
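Review bot: `debian/libexec/sysv-* /usr/libexec/tomcat9/` depends on the two helpers being executable in the source tree, because tomcat9.init exits silently (`exit 0`) when `test -x /usr/libexec/tomcat9/sysv-start.sh` or the sysv-getjre.sh check fails. Since this series also makes tomcat-locate-java.sh non-executable on purpose, double-check the modes of the new helpers (or set them explicitly in debian/rules) so a mode slip does not become a service that quietly never starts.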
=====================================
debian/tomcat9.lintian-overrides
=====================================
@@ -0,0 +1,2 @@
+# handled in dependencies and maintainer script as alternative
+tomcat9: maintainer-script-needs-depends-on-adduser postinst
=====================================
debian/tomcat9.postinst
=====================================
@@ -5,6 +5,7 @@
set -e
+# Note these are no longer configurable (as of commit 243d00dc688ea47f4c7cde570ccaaa70efe269bf)
TOMCAT_USER="tomcat"
TOMCAT_GROUP="tomcat"
@@ -12,8 +13,18 @@ CONFFILES="tomcat-users.xml web.xml server.xml logging.properties context.xml ca
case "$1" in
configure)
- # Create the tomcat user as defined in /usr/lib/sysusers.d/tomcat9.conf
- systemd-sysusers
+ if which systemd-sysusers >/dev/null; then
+ # Create the tomcat user as defined in /usr/lib/sysusers.d/tomcat9.conf
+ systemd-sysusers
+ elif id tomcat >/dev/null 2>&1; then
+ : The tomcat user already exists
+ else
+ # Create the tomcat user without systemd
+ adduser --system --home /var/lib/tomcat9 \
+ --shell /usr/sbin/nologin --no-create-home \
+ --group --disabled-password --disabled-login \
+ --gecos 'Apache Tomcat' tomcat
+ fi
# Install the configuration files
for conffile in $CONFFILES;
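Review bot: `which` is not POSIX and its behaviour for missing commands differs between implementations; `command -v systemd-sysusers >/dev/null 2>&1` is the portable test. The `id tomcat` check covers the user only: if the `tomcat` user exists but the `tomcat` group does not, the later `chown ... $TOMCAT_USER:$TOMCAT_GROUP` fails under `set -e`. Checking `getent group tomcat` as well, or creating the group when it is missing, closes that gap.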
@@ -63,8 +74,10 @@ case "$1" in
chmod 775 /var/lib/tomcat9/webapps
# Grant read/write access to tomcat to the log and cache directories
- chown -Rh $TOMCAT_USER:$TOMCAT_GROUP /var/log/tomcat9/ /var/cache/tomcat9/
- chmod 750 /var/log/tomcat9/ /var/cache/tomcat9/
+ chown -Rh $TOMCAT_USER:adm /var/log/tomcat9/
+ chmod 2750 /var/log/tomcat9/
+ chown -Rh $TOMCAT_USER:$TOMCAT_GROUP /var/cache/tomcat9/
+ chmod 750 /var/cache/tomcat9/
;;
esac
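Review bot: the setgid bit handles group inheritance for new files, so the recursive `chown -Rh $TOMCAT_USER:adm /var/log/tomcat9/` on every configure is only needed once, to migrate logs written before this version; repeated on each upgrade it also undoes any ownership an administrator deliberately set on individual log files. Consider chowning the directory itself non-recursively and doing the recursive pass only when upgrading from a version older than this one (`dpkg --compare-versions "$2" lt 9.0.16-4`). Note too that `chmod 2750` applies to the directory only; existing files keep their previous modes, which is fine behind the 750 parent but worth a comment.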
=====================================
debian/tomcat9.service
=====================================
@@ -32,13 +32,13 @@ Group=tomcat
PrivateTmp=yes
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
-LogsDirectory=tomcat9
-LogsDirectoryMode=750
CacheDirectory=tomcat9
CacheDirectoryMode=750
ProtectSystem=strict
ReadWritePaths=/etc/tomcat9/Catalina/
ReadWritePaths=/var/lib/tomcat9/webapps/
+ReadWritePaths=/var/log/tomcat9/
+RequiresMountsFor=/var/log/tomcat9 /var/lib/tomcat9
[Install]
WantedBy=multi-user.target
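Review bot: `RequiresMountsFor=` is a [Unit] section directive, but it is added here between the [Service] entries (after ReadWritePaths=) and before [Install]; systemd will log an unknown-key warning for the Service section and ignore it, so the ordering against the /var/log and /var/lib mounts is silently not applied. Move it into the [Unit] section. Separately, dropping `LogsDirectory=` means systemd no longer creates /var/log/tomcat9 at start, so the unit now depends on the tmpfiles.d snippet and the postinst having run; with ProtectSystem=strict and the new ReadWritePaths=/var/log/tomcat9/, a missing directory fails at first write rather than at start, so keep the tmpfiles entry (2750 tomcat adm) and the postinst in sync with what the unit expects.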
=====================================
debian/tomcat9.tmpfile
=====================================
@@ -0,0 +1,3 @@
+# type path mode uid gid age arg(symlink target)
+
+d /var/log/tomcat9 2750 tomcat adm -
View it on GitLab: https://salsa.debian.org/java-team/tomcat9/compare/78536e1d0c90ca1a2c6d3a056755415f0f68b839...bb8ea7183ca394d43b61ac4c6a20abd7dbffaadd