Bug#825786: tomcat8: postinst script overwrites file permissions in /etc

Markus Koschany apo at debian.org
Fri Jul 22 21:18:09 UTC 2016


On Sun, 29 May 2016 23:46:15 +0200 Markus Koschany <apo at debian.org> wrote:
> clone 821391 -1
> reassign -1 src:tomcat8
> retitle -1 tomcat8: postinst script overwrites file permissions in /etc
> thanks
> 
> This bug also affects Tomcat 8.
> 
> 
> I have prepared another security update and I intend to change the
> current behavior in Jessie and Sid for new installations to avoid
> similar breakage when upgrading Tomcat 8.
> 
> Currently tomcat8.postinst changes file ownership of all files in
> /etc/tomcat8 to root:tomcat8. I think this isn't necessary because the
> default is to use root:root (rw-r--r--) which ensures that all
> configuration files can still be read by Tomcat8. The only security
> relevant file is /etc/tomcat8/tomcat-users.xml in the default Debian
> configuration. I propose to modify only this one by changing the line
> 
> chown -Rh root:$TOMCAT8_GROUP /etc/tomcat8/*
> 
> to
> 
> chown root:$TOMCAT8_GROUP /etc/tomcat8/tomcat-users.xml
> 
> 
> This should address the issue.

I would like to go ahead with this solution in unstable. I don't think
that changing the permissions in /etc/tomcat8/policy.d (security
manager) to root:root will have a negative effect, on the contrary.
Those rules should only be modifiable by the system administrator anyway.

Regarding /etc/tomcat8/Catalina I couldn't find any information that
indicates a necessity for write access to this directory. It would also
be wrong if a process wrote to /etc because all files in /etc should be
static according to the FHS.

I would also update the Tomcat7 package.

Markus
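As an added example (not part of the bug report or of the tomcat8 package), a POSIX shell check that audits a configuration tree for the ownership state the proposed postinst change leaves behind: everything root:root, only tomcat-users.xml root:$TOMCAT8_GROUP. Directory, owner and groups are parameters so the check can be exercised without root on a constructed copy of /etc/tomcat8; the fixture file names are illustrative.

```shell
#!/bin/sh
# Added example, not from the bug report or the tomcat8 package.
# After the proposed postinst change the expected state of /etc/tomcat8 is:
# every file root:root, except tomcat-users.xml which is root:$TOMCAT8_GROUP.

# The narrowed postinst step from the report. Needs root, so it is not
# exercised by the fixture below; shown for context only.
narrow_chown() {
  dir=$1 tomcat_group=$2
  chown root:"$tomcat_group" "$dir/tomcat-users.xml"
}

# audit_conf_ownership DIR OWNER GROUP USERS_GROUP
# Lists every regular file under DIR whose ownership deviates from
# OWNER:GROUP (or OWNER:USERS_GROUP for tomcat-users.xml) and returns 1;
# returns 0 and prints nothing when the tree matches. %u/%g are names,
# so the same check works for the real tree (root root tomcat8) and for
# a fixture owned by the current user. -printf is GNU find, as on Debian.
audit_conf_ownership() {
  dir=$1 owner=$2 group=$3 users_group=$4
  deviations=$(
    find "$dir" -type f -printf '%u:%g %p\n' |
    while IFS=' ' read -r og path; do
      case "$path" in
        */tomcat-users.xml) want="$owner:$users_group" ;;
        *)                  want="$owner:$group" ;;
      esac
      [ "$og" = "$want" ] || printf '%s is %s, expected %s\n' "$path" "$og" "$want"
    done
  )
  [ -z "$deviations" ] && return 0
  printf '%s\n' "$deviations"
  return 1
}

# Constructed stand-in for /etc/tomcat8 (file names are illustrative).
make_fixture() {
  mkdir -p "$1/policy.d" "$1/Catalina/localhost"
  for f in server.xml web.xml tomcat-users.xml policy.d/04webapps.policy \
           Catalina/localhost/ROOT.xml; do
    : > "$1/$f"
  done
}

# Usage on a real system:  audit_conf_ownership /etc/tomcat8 root root tomcat8
```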
