Bug#532284: Permissions for tomcat6

Thierry Carrez thierry.carrez at ubuntu.com
Wed Aug 19 14:12:16 UTC 2009


I'm not sure it's a good change. When I worked on tomcat6 packaging, I
changed the permissions used in tomcat5.5 on purpose.

/etc/tomcat6:

This was set to root:root 644, with two exceptions:
- tomcat-users.xml that needs to be read by tomcat and hidden to users,
so it is root:tomcat6 640
- Catalina directory that should allow autodeploy of new contexts by
tomcat, so it is root:tomcat6 775

The idea behind this was to specifically *exclude* the tomcat6 user from
messing with key configuration files like server.xml or
tomcat-users.xml, and it is a security measure against any traversal by
the tomcat6 user.

Your argument is that "you need to be root to configure Tomcat". Well,
this mimics what is done for every other daemon out there: allow root to
configure it, and do not allow the user the daemon is run under to
modify its own configuration. See /etc/apache2 for an example of this.

/var/lib/tomcat6/webapps:

This was set to 775 root:tomcat6 so that tomcat can autodeploy
applications. Additionally, members of the tomcat6 group are also
allowed to deploy applications.

Changing that to tomcat6:adm just transfers that capability from the
"tomcat6" group to the "adm" group. Looks like we lose some granularity,
 and I fail to see why adding users to the tomcat6 group "does not look
like a good idea". But I can live with that :)

-- 
Thierry Carrez





More information about the pkg-java-maintainers mailing list