Bug#825786: tomcat8: postinst script overwrites file permissions in /etc

Emmanuel Bourg ebourg at apache.org
Wed Jul 27 21:39:06 UTC 2016


On 27/07/2016 at 13:21, Markus Koschany wrote:

> So the question is
> 
> does Tomcat 7/8 need write access to the conf directory at runtime and
> if yes why?

Yes it does: Tomcat extracts the META-INF/context.xml files from the
.war archives into $CATALINA_BASE/conf/[enginename]/[hostname]/ and this
happens at runtime.


> I'm not convinced that overriding the permissions for all files
> under /etc/tomcat{7,8} is something that can't be avoided and can only
> be fixed in Tomcat 9.

I think we should set the permissions for the known tomcat files only
and avoid touching the other ones. That is:

 Catalina
 catalina.properties
 context.xml
 logging.properties
 policy.d
 server.xml
 tomcat-users.xml
 web.xml

I'd keep root:tomcat with 644 or 640 for the permissions. 640 would make
sense since server.xml could contain datasource declarations with
database credentials.
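
The approach proposed in the message above, sketched as a helper a maintainer script could call (an added example, not the tomcat8 package's actual postinst). The function names, the directory modes 750 and 770, and the symlink skip are assumptions of this sketch; the file names and the 640 mode come from the message.

```shell
#!/bin/sh
# Added example: change permissions on the known Tomcat files only and
# leave every other entry in the configuration directory untouched.

# Regular files named in the message.
KNOWN_FILES="catalina.properties context.xml logging.properties server.xml tomcat-users.xml web.xml"

# set_dir PATH MODE [OWNER:GROUP] (hypothetical helper)
set_dir() {
    # Skip missing directories and symlinks, so a link planted in a
    # writable directory cannot redirect a root-run chown/chmod.
    [ -d "$1" ] && [ ! -L "$1" ] || return 0
    [ -z "$3" ] || chown "$3" "$1"
    chmod "$2" "$1"
}

# fix_known_perms CONFDIR [OWNER:GROUP] (hypothetical helper)
# OWNER:GROUP is optional so the function can be exercised without root.
fix_known_perms() {
    confdir=$1
    owner=${2:-}
    for name in $KNOWN_FILES; do
        path="$confdir/$name"
        [ -f "$path" ] && [ ! -L "$path" ] || continue
        [ -z "$owner" ] || chown "$owner" "$path"
        # 640: server.xml may hold datasource credentials.
        chmod 640 "$path"
    done
    # Assumption: directories need the execute bit, so 640 cannot be used.
    set_dir "$confdir/policy.d" 750 "$owner"
    # Assumption: Catalina is group-writable because Tomcat extracts
    # META-INF/context.xml files below it at runtime.
    set_dir "$confdir/Catalina" 770 "$owner"
}

# In a maintainer script this would be called as, for example:
#   fix_known_perms /etc/tomcat8 root:tomcat
```

The function is not recursive, so files an administrator has added or tightened elsewhere under the directory keep their existing ownership and mode.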


