Bug#926338: tomcat9: tomcat user's home folder is '/'

Alex aprivalov at worldplaynetworks.com
Wed Apr 3 17:40:18 BST 2019


Package: tomcat9
Version: 9.0.16-1~bpo9+1
Severity: important
Tags: d-i

Dear Maintainer,

With the default `tomcat9` installation, a system user is created as per the
following instructions:

    # Create the tomcat user as defined in /usr/lib/sysusers.d/tomcat9.conf
    systemd-sysusers


/usr/lib/sysusers.d/tomcat9.conf:
    #Type Name     ID     GECOS             Home directory Shell
    u     tomcat   -      "Apache Tomcat"   -              /usr/sbin/nologin


Which results in `/` (root folder) as the home dir:
    grep tomcat /etc/passwd | awk -F: '{ print $6}'
    /

A problem begins when some of Tomcat's webapps try to access $HOME for writing. _Why_ they want to write to $HOME is a completely different question. But the whole idea of having `/` as the home dir is definitely insecure.


-- System Information:
Debian Release: 9.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-0.bpo.2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tomcat9 depends on:
ii  lsb-base        9.20161125
ii  systemd         241-1~bpo9+1
ii  tomcat9-common  9.0.16-1~bpo9+1
ii  ucf             3.0036

Versions of packages tomcat9 recommends:
ii  libtcnative-1  1.2.21-1~bpo9+1

Versions of packages tomcat9 suggests:
ii  tomcat9-admin     9.0.16-1~bpo9+1
pn  tomcat9-docs      <none>
pn  tomcat9-examples  <none>
ii  tomcat9-user      9.0.16-1~bpo9+1

-- no debconf information
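
Added example, not part of the original report or of the tomcat9 package: a shell audit that flags `u` entries in sysusers.d-format input whose home field is `-` or omitted (systemd-sysusers then uses `/`), and passwd entries that already have `/` as home. The function names and the `exampled` sample entries are constructed for illustration; the `tomcat` line is the one quoted in the report.

```shell
#!/bin/sh
# Added example: find service accounts whose home directory is "/".

# Read sysusers.d-format lines on stdin and print the name of every "u"
# entry whose home field is "-", "/" or missing.
sysusers_root_home() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        {
            gsub(/"[^"]*"/, "Q")           # collapse the quoted GECOS into one field
            if ($1 != "u") next            # only user entries carry a home field
            if (NF < 5 || $5 == "-" || $5 == "/") print $2
        }'
}

# Read passwd-format lines on stdin and print every non-UID-0 account
# whose home directory (field 6) is "/".
passwd_root_home() {
    awk -F: '$3 != 0 && $6 == "/" { print $1 }'
}

# Constructed sample input: the tomcat line from the report plus a
# hypothetical entry that sets an explicit home directory.
SAMPLE_SYSUSERS='#Type Name     ID     GECOS             Home directory Shell
u     tomcat   -      "Apache Tomcat"   -              /usr/sbin/nologin
u     exampled -      "Example Daemon"  /var/lib/exampled /usr/sbin/nologin
g     examplegrp -'

# Constructed passwd lines matching the sample above.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
tomcat:x:998:998:Apache Tomcat:/:/usr/sbin/nologin
exampled:x:997:997:Example Daemon:/var/lib/exampled:/usr/sbin/nologin'

echo "sysusers entries that resolve to home '/':"
printf '%s\n' "$SAMPLE_SYSUSERS" | sysusers_root_home

echo "passwd accounts with home '/':"
printf '%s\n' "$SAMPLE_PASSWD" | passwd_root_home

# On a live system:
#   cat /usr/lib/sysusers.d/*.conf | sysusers_root_home
#   passwd_root_home < /etc/passwd
```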


