Bug#576875: tomcat6: Allow running the init script as a normal user, not admin

Emmanuel Bourg ebourg at apache.org
Thu Nov 17 22:11:23 UTC 2016


On 21/07/2016 at 13:52, Emmanuel Bourg wrote:
> I don't think any user can start Tomcat, because the init script has to
> switch to the tomcat user at some point and this requires root privileges.

The init.d script also generates the catalina.policy file as read-only
for the tomcat user, and this must be performed as root.


> That said the 'status' option should be usable by anyone. Currently it's
> restricted to the administrator.

This is no longer true with systemd; anyone can run:

    systemctl status tomcat8.service


> Should the tomcat user be allowed to control the daemon? I'm not sure
> this is a good idea, because a simple malicious JSP could then stop the
> server.

Actually a malicious JSP or an exploited vulnerability in a web
application can already stop the server simply by executing 'killall
java' (if the security manager is disabled).

Emmanuel Bourg



More information about the pkg-java-maintainers mailing list