Bug#821391: tomcat7-admin: Patch 7.0.28+deb-u4 overwrite owner of all /etc/tomcat7

Markus Koschany apo at debian.org
Wed Apr 20 06:49:20 UTC 2016


On Tue, 19 Apr 2016 10:02:15 +0200 David_dev Dev <dcpc.dev at gmail.com> wrote:
> Hi,
> Thx for the answer.
> 
> the jmxremote.password 600 mode is mandatory in the Tomcat configuration.
> If it is set to another mode, tomcat will not start.
> It's the same as the ~/.ssh/id_rsa configuration.
> 
> Some corrections on the following answer :
> - the script chown root:tomcat7 (and not root:root).
> 
> I found the explanation of why debian currently makes this choice:
> 
> # configuration files should not be modifiable by tomcat7 user, as this can
> # be a security issue
> # (an attacker may insert code in a webapp and have access to all
> # tomcat configuration)
> # but those files should be readable by tomcat7, so we set the
> # group to tomcat7
> chown -Rh root:$TOMCAT7_GROUP /etc/tomcat7/*
> 
> 
> Note that tomcat7 is launched by default by a tomcat7 user in the debian
> package (a good choice! better than root :) )

That's correct. Our postinst script uses chown root:tomcat7. The default
would be root:root as you can see in the apache2 package for example. If
we used the default the files would still be readable by the tomcat7
user but the user couldn't write to them because they are owned by root.

So in my opinion we should stop chowning /etc/tomcat7 completely. If we
really need to set specific permissions for configuration files, it
should be done on a case-by-case basis.

By the way, you could also change the file location of your password and
access file by specifying

-Dcom.sun.management.jmxremote.password.file
-Dcom.sun.management.jmxremote.access.file

See also

https://tomcat.apache.org/tomcat-7.0-doc/config/listeners.html#JMX_Remote_Lifecycle_Listener_-_org.apache.catalina.mbeans.JmxRemoteLifecycleListener


This information should also be available in Debian's tomcat7-docs package.


> - the home of tomcat7: wow, I didn't even see that configuration. Don't
> know if it's a standard rule for debian application accounts? Not enough
> knowledge of debian for that, but it seems not to be a problem.

Indeed that's a different bug and not related to this issue.

> - for the package, after reading a little more, I'm not sure the script
> postinst is linked to tomcat-admin, but more to the core tomcat7.
> tomcat7-admin seems to add only admin webapps for managing tomcat, but I
> don't know how to find out which package the script comes from.

The postinst script is executed when you install tomcat7. Just take a
look at the sources:

https://anonscm.debian.org/cgit/pkg-java/tomcat7.git/tree/debian


> And last, sorry for my english, not my native language :)

No problem.


> *** Some links about jmx config from the most "official" site. I'm very
> interested in a debian doc about this but haven't seen one with a quick search.

I believe we don't ship specific instructions on how to set up a JMX
configuration, but tomcat7-docs provides the official Tomcat
documentation. Using /etc/tomcat7 wasn't the wrong choice.

Regards,

Markus
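
As an added illustration of the permission model discussed in this thread
(not code from the bug report, the reporter, or the Debian tomcat7 package):
a small POSIX sh audit that checks a Tomcat configuration directory against
the rule the quoted postinst comment describes (config files owned by an
administrative account, readable by the service group, writable by neither
group nor others) and treats jmxremote.password as the exception David
describes (readable only by its owner, which must be the user Tomcat
actually runs as, or the JMX agent refuses to start). The paths, file names
and the tomcat7 user/group come from the thread; the function names, their
arguments and the message format are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the bug report or the tomcat7 package: audit the
# ownership and modes of a Tomcat configuration directory.
#
# Rule for ordinary config files (from the postinst comment quoted above):
#   owner = an administrative account (root on Debian)
#   group = the service group (tomcat7), with read access
#   neither group nor others may write, so a compromised webapp running as
#   the service user cannot edit the configuration
# Exception for jmxremote.password (from the thread):
#   the JMX agent reads it as the service user and refuses to start unless
#   only the owner can access it, so owner = service user and mode = 0600.
# Function names, arguments and message format are this example's own.

# matches FILE FIND-TESTS... : true when find(1) selects FILE with the tests.
# Only POSIX find tests are used (-user, -group, -perm with symbolic modes);
# FILE is a regular file, so find does not descend anywhere.
matches() {
    _f=$1
    shift
    [ -n "$(find "$_f" "$@")" ]
}

# check_file FILE ADMIN_USER SVC_USER SVC_GROUP
# Prints one "BAD ..." line per violation; prints nothing for a clean file.
check_file() {
    f=$1; admin=$2; svc_user=$3; svc_group=$4
    case $f in
        */jmxremote.password)
            matches "$f" -user "$svc_user" -perm 600 ||
                echo "BAD $f: must be owned by $svc_user with mode 0600 or JMX will not start"
            ;;
        *)
            matches "$f" -user "$admin" ||
                echo "BAD $f: owner should be $admin so the service user cannot modify it"
            matches "$f" -group "$svc_group" -perm -g=r ||
                echo "BAD $f: group should be $svc_group with read access"
            if matches "$f" -perm -g=w || matches "$f" -perm -o=w; then
                echo "BAD $f: writable by group or others (webapp code could edit it)"
            fi
            ;;
    esac
}

# audit_tomcat_conf DIR ADMIN_USER SVC_USER SVC_GROUP
# Walks every regular file under DIR (symlinks are skipped). Returns 0 when
# everything is clean, otherwise prints the violations and returns 1.
audit_tomcat_conf() {
    _out=$(find "$1" -type f | while IFS= read -r _file; do
        check_file "$_file" "$2" "$3" "$4"
    done)
    [ -z "$_out" ] && return 0
    printf '%s\n' "$_out"
    return 1
}

# Typical invocation on a Debian system (needs read access to /etc/tomcat7):
#   audit_tomcat_conf /etc/tomcat7 root tomcat7 tomcat7
```

Run against a system where the postinst has done its chown -Rh
root:tomcat7, the audit reports exactly the situation in this bug: every
other file passes, but jmxremote.password is flagged because it is no
longer owned by the user Tomcat runs as. If the password file is relocated
with -Dcom.sun.management.jmxremote.password.file, it is outside the
directory walk; call check_file on that path directly instead.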

