Bug#821391: tomcat7-admin: Patch 7.0.28+deb-u4 overwrite owner of all /etc/tomcat7

Markus Koschany apo at debian.org
Tue Apr 19 07:00:58 UTC 2016


On 18.04.2016 at 13:55, David CHALON wrote:
> Package: tomcat7-admin
> Version: 7.0.28-4+deb7u4
> Severity: important
> 
> Dear Maintainer,
> *** Please consider answering these questions, where appropriate ***
> 
>    * What led up to the situation?
> 	All tomcat servers crash after the auto update via unattended-upgrade
>    * What exactly did you do (or not do) that was effective (or
>      ineffective)?
> 	Correct manually our specific owner files and restart tomcat7 service
>    * What was the outcome of this action?
> 	Impossible to start all the tomcat7 services (with JMX configured)
>    * What outcome did you expect instead?
> 	That the patch doesn't modify files that don't come from the package.
> 
> Details :
> 	We use a tomcat7 debian installation.
> 	We modify to use tomcat7:tomcat7 user for the tomcat7 processes
> 	we want to add JMX access configuration with user/password access -> no debian doc found => configuration taken from "official" oracle documentation.
> 		=> put jmxremote.user and jmxremote.password in /etc/tomcat7 (symlinked to /var/lib/tomcat7/conf for official oracle path conservation)
> 		=> mandatory: jmxremote.password = rights 600 on the file, and then we chown tomcat7:tomcat7 the file too.
> 
> 	We use unattended-upgrade for security patches. This morning -> deploying some tomcat7 patch on all servers.
> 	-> In the tomcat7.postinst there is chown -Rh root:(GROUP) on /etc/tomcat7 !
> 	=> jmxremote.password misconfigured and tomcat7 doesn't start... 
> 
> Ideas or solutions :
> 	Modify only files coming from the package.
> 	Or it would be interesting to know how Debian wants us to configure the JMX access, as following the official recommendation leads to a fatal crash. 


Hello,

thank you for the report. The behavior you noticed is currently
intended but I wonder if we should continue to overwrite the standard
permissions (root:root) in /etc/tomcat{6,7,8} in the future. I'm not
sure if you really need to use 600 permissions on that file. Did you try
to remove the r flag with chmod o-r and keep Debian's standard
permissions of root:tomcat7 instead? That would also restrict read
access for other users but the tomcat7 user could still read the file
because it is also in group tomcat7.

We have to investigate this issue more thoroughly though because it
affects all Tomcat versions in Debian. I also find it strange that the
home directory of user tomcat7 is /usr/share/tomcat7 instead of
/var/lib/tomcat7. There should never be a home directory in /usr/share, in my
opinion.

Regards,

Markus
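The failure described in the report (a jmxremote.password file that must be mode 600 and owned by the service user, silently changed to root ownership by a recursive chown in the postinst) can be caught by a post-upgrade check. The script below is an added example, not part of the bug report or the Debian tomcat7 package; it assumes GNU stat(1) and the Debian layout (/etc/tomcat7, service user tomcat7) named in the report.

```shell
#!/bin/sh
# Added example: classify the state of a JMX password file after an upgrade.
# Assumptions: GNU coreutils stat(1); paths/users as in the Debian tomcat7 layout.

# Pure decision on (owner, octal mode, service user). Returns one of:
#   ok          owner-only permissions and the service user owns the file
#   too-open    group/other bits set; the JVM refuses such a password file
#   unreadable  owner-only permissions but a different owner (e.g. root:tomcat7
#               mode 600 after "chown -Rh root:GROUP /etc/tomcat7"), so the
#               service user cannot read it and Tomcat fails to start
jmx_password_state() {
  owner=$1; mode=$2; svc_user=$3
  perm=$((0$mode & 0777))            # octal string -> permission bits
  if [ $((perm & 077)) -ne 0 ]; then
    echo too-open
  elif [ "$owner" = "$svc_user" ] && [ $((perm & 0400)) -ne 0 ]; then
    echo ok
  else
    echo unreadable
  fi
}

# Wrapper that reads owner and mode from the filesystem and reports the state.
# Exit status 0 only when the file is usable by the service user.
check_jmx_password_file() {
  path=$1; svc_user=${2:-tomcat7}
  [ -e "$path" ] || { echo "$path: missing"; return 2; }
  owner=$(stat -c '%U' "$path")      # owner name
  mode=$(stat -c '%a' "$path")       # octal mode, e.g. 600
  state=$(jmx_password_state "$owner" "$mode" "$svc_user")
  echo "$path: owner=$owner mode=$mode service_user=$svc_user -> $state"
  [ "$state" = ok ]
}

# Usage: ./check-jmx-password.sh /etc/tomcat7/jmxremote.password tomcat7
if [ $# -gt 0 ]; then
  check_jmx_password_file "$1" "${2:-tomcat7}"
fi
```

Run it from an unattended-upgrades post-invoke hook or a monitoring check so the changed ownership is reported before the service restart fails.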
