Bug#845385: Privilege escalation via removal
Emmanuel Bourg
ebourg at apache.org
Wed Nov 30 13:17:51 UTC 2016
On 22/11/2016 at 23:35, Paul Szabo wrote:
> Then if the tomcat8 package is removed (purged?), the postrm script runs
> chown -Rhf root:root /etc/tomcat8/
> and that will leave the file world-writable, setgid root
What about switching the files left to nobody:nogroup instead of
root:root? That would be less disruptive for the stable and oldstable
updates than removing /etc/tomcat8 completely.
Emmanuel Bourg
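
Added example, not part of the original message or of the tomcat8 packaging: one way a removal script could clear the setgid and world-writable bits discussed above before it changes ownership of anything left behind. The function names list_risky and sanitize_tree are hypothetical, and the directory is whatever the caller passes in.

```shell
#!/bin/sh
# Added example (not the tomcat8 postrm). A recursive chown keeps the mode
# bits of every file it touches, so files prepared by the service account
# must have dangerous bits removed before ownership is changed.

# list_risky DIR
# Print regular files under DIR that are setuid, setgid or world-writable.
list_risky() {
    find "$1" -xdev -type f \
        \( -perm -4000 -o -perm -2000 -o -perm -0002 \) -print
}

# sanitize_tree DIR
# Clear setuid, setgid and world-write on every regular file and directory
# under DIR. find does not follow symlinks by default, and only real files
# and directories are matched, so link targets outside DIR are not touched.
# Refuses to run when DIR is missing or is itself a symlink.
sanitize_tree() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    find "$dir" -xdev \( -type f -o -type d \) \
        -exec chmod u-s,g-s,o-w {} +
}

# Typical order in a maintainer script (hypothetical usage):
#   list_risky /etc/example      # log what was found
#   sanitize_tree /etc/example   # strip the bits
#   ...only then change ownership of the remaining files
```

Run it only after the service account's processes have stopped, otherwise the modes can be changed back between the sanitising step and the ownership change.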