Bug#925473: tomcat9: sysvinit script missing (Policy §9.11¶2 “must”)
Thorsten Glaser
t.glaser at tarent.de
Sun Apr 7 14:28:47 BST 2019
On Sun, 7 Apr 2019, Ivo De Decker wrote:
> Also, I'm not sure adding an init script now is an appropriate change
> for the freeze.
It is, it only touches systems on which it previously did not work.
> Some other changes suggested in this bug (like changes in systemd)
> certainly are not.
This was discussed for later. Emmanuel agreed that, if those changes
were not implemented for buster, the suggested patch to restore user
creation with adduser (trivial, fits into less than an ANSI screen
page, easy to audit) can go into this for buster.
> This bug should not be used as an argument to force this kind of
> change for buster.
Indeed, and that was never my intention.
I would like to respectfully ask that this *not* be buster-ignored,
and to review the attached patch, which has been tested to indeed
unbreak sysvinit (and fixed some bugs detected during that).
Thanks in advance,
//mirabilos
--
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
diff -Nru tomcat9-9.0.16/debian/README.Debian tomcat9-9.0.16/debian/README.Debian
--- tomcat9-9.0.16/debian/README.Debian 2019-02-05 10:11:13.000000000 +0100
+++ tomcat9-9.0.16/debian/README.Debian 2019-04-01 16:26:55.000000000 +0200
@@ -54,6 +54,13 @@
systemctl daemon-reload
systemctl restart tomcat9
+ ⚠ This is supported only when Tomcat is started with the systemd unit.
+
+ Using Tomcat with other init systems is supported, however that will
+ negate the security hardening detailed above, make Tomcat not have
+ its own temporary directory, not drop privileges/capabilities after
+ start, and not be restarted on crashing. Use at your own risk.
+
* To run more than one Tomcat instance on your server, install the package
tomcat9-user and run the tomcat9-instance-create utility.
You should remove the tomcat9 package if you don't want Tomcat to
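Review bot: the sentence "make Tomcat not have its own temporary directory" does not match what the sysvinit script in this patch does: it sets CATALINA_TMPDIR=/tmp/tomcat9-tmp and creates that directory itself, so Tomcat does get a directory of its own, just one under the shared /tmp instead of a PrivateTmp namespace. Rewording to "not have a private temporary directory (it uses a fixed path below /tmp instead)" would state the actual risk. Minor: the "⚠" glyph renders as garbage on a C-locale console, where README.Debian is most likely to be read during a rescue; a plain "Note:" is safer.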
diff -Nru tomcat9-9.0.16/debian/changelog tomcat9-9.0.16/debian/changelog
--- tomcat9-9.0.16/debian/changelog 2019-02-26 09:31:13.000000000 +0100
+++ tomcat9-9.0.16/debian/changelog 2019-04-02 22:54:17.000000000 +0200
@@ -1,3 +1,21 @@
+tomcat9 (9.0.16-4) unstable; urgency=medium
+
+ * Team upload.
+ * debian/logging.properties: Add commented-out non-systemd configuration
+ * Make tomcat9 installable without systemd:
+ - Readd logic to create the system user via adduser
+ - Add sysvinit script, for init independence (Closes: #925473)
+ * debian/README.Debian: Document non-systemd risks
+ * debian/libexec/tomcat-locate-java.sh: Remove shebang and make
+ not executable as this is only ever sourced (makes no sense otherwise)
+ * Make the systemd startup script honour the (renamed) $SECURITY_MANAGER
+ * Remove -XX:+UseG1GC from standard JAVA_OPTS; the JRE chooses
+ a suitable GC automatically anyway (Closes: #925928)
+ * Correct the ownership and permissions on the log directory:
+ group adm and setgid (Closes: #925929)
+
+ -- Thorsten Glaser <tg at mirbsd.de> Tue, 02 Apr 2019 22:54:17 +0200
+
tomcat9 (9.0.16-3) unstable; urgency=medium
* Removed read/write access to /var/lib/solr (Closes: #923299)
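Review bot: the changelog does not mention the tomcat9.service changes that go with the log-directory fix (LogsDirectory= and LogsDirectoryMode= dropped in favour of a tmpfiles.d entry, plus the new ReadWritePaths=/var/log/tomcat9/ and RequiresMountsFor= lines). Since those lines alter the unit's sandbox and ordering, they deserve their own bullet under the "Correct the ownership and permissions on the log directory" item so that a reviewer of the freeze upload can see every behavioural change from the changelog alone.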
diff -Nru tomcat9-9.0.16/debian/control tomcat9-9.0.16/debian/control
--- tomcat9-9.0.16/debian/control 2019-02-05 10:53:30.000000000 +0100
+++ tomcat9-9.0.16/debian/control 2019-04-01 16:26:55.000000000 +0200
@@ -47,7 +47,7 @@
Architecture: all
Depends:
lsb-base (>= 3.0-6),
- systemd (>= 215),
+ systemd (>= 215) | adduser,
tomcat9-common (>= ${source:Version}),
ucf,
${misc:Depends}
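Review bot: with `systemd (>= 215) | adduser` apt satisfies the first alternative when neither package is installed, so the ordering expresses a preference for pulling in systemd rather than adduser. adduser is normally already present on any Debian system, so this rarely matters in practice, but `adduser | systemd (>= 215)` would make the intent of this bug (installability without systemd) explicit and never cause systemd to be installed as a side effect.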
diff -Nru tomcat9-9.0.16/debian/copyright tomcat9-9.0.16/debian/copyright
--- tomcat9-9.0.16/debian/copyright 2019-02-05 10:11:13.000000000 +0100
+++ tomcat9-9.0.16/debian/copyright 2019-04-01 16:26:55.000000000 +0200
@@ -49,6 +49,7 @@
2013-2014, Gianfranco Costamagna <costamagnagianfranco at yahoo.it>
2013-2018, Emmanuel Bourg <ebourg at apache.org>
2001-2017, Markus Koschany <apo at debian.org>
+ 2015–2019, mirabilos <t.glaser at tarent.de>
License: Apache-2.0
License: Apache-2.0
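Review bot: style only: the new line uses an en dash in "2015–2019" while the surrounding entries use an ASCII hyphen ("2013-2014", "2013-2018"); keep the year ranges consistent with "2015-2019" so the file stays pure ASCII like the rest of the copyright stanza.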
diff -Nru tomcat9-9.0.16/debian/default.template tomcat9-9.0.16/debian/default.template
--- tomcat9-9.0.16/debian/default.template 2019-02-05 10:11:13.000000000 +0100
+++ tomcat9-9.0.16/debian/default.template 2019-04-01 17:15:52.000000000 +0200
@@ -3,9 +3,10 @@
# OpenJDK and the Oracle JDK are tried.
#JAVA_HOME=/usr/lib/jvm/java-8-openjdk
-# You may pass JVM startup parameters to Java here. If unset, the default
-# options will be: -Djava.awt.headless=true -XX:+UseG1GC
-JAVA_OPTS="-Djava.awt.headless=true -XX:+UseG1GC"
+# You may pass JVM startup parameters to Java here. If you run Tomcat with
+# Java 8 instead of 9 or newer, add "-XX:+UseG1GC" to select a suitable GC.
+# If unset, the default options will be: -Djava.awt.headless=true
+JAVA_OPTS="-Djava.awt.headless=true"
# To enable remote debugging uncomment the following line.
# You will then be able to use a Java debugger on port 8000.
diff -Nru tomcat9-9.0.16/debian/libexec/sysv-getjre.sh tomcat9-9.0.16/debian/libexec/sysv-getjre.sh
--- tomcat9-9.0.16/debian/libexec/sysv-getjre.sh 1970-01-01 01:00:00.000000000 +0100
+++ tomcat9-9.0.16/debian/libexec/sysv-getjre.sh 2019-04-01 16:26:55.000000000 +0200
@@ -0,0 +1,15 @@
+#!/bin/sh
+#
+# SYSVinit script helper to determine the JRE (for start-stop-daemon)
+#
+
+. /usr/libexec/tomcat9/tomcat-locate-java.sh
+set +e
+
+. /usr/share/tomcat9/bin/setclasspath.sh
+
+if test -n "$_RUNJAVA"; then
+ printf "OK<%s>" "$_RUNJAVA"
+else
+ echo UNSET
+fi
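Review bot: `set +e` before sourcing setclasspath.sh means a failure inside it (missing JAVA_HOME, unreadable script) surfaces to the caller only as the bare word "UNSET", which the init script then reports as "could not determine JRE: UNSET". Printing a one-line reason to stderr in the `else` branch (for example `echo >&2 "setclasspath.sh did not set _RUNJAVA (JAVA_HOME=$JAVA_HOME)"`) would keep stdout parseable while giving the admin something actionable. Also worth a comment: this helper is executed via `su tomcat`, so it must stay readable and executable for the tomcat user after installation.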
diff -Nru tomcat9-9.0.16/debian/libexec/sysv-start.sh tomcat9-9.0.16/debian/libexec/sysv-start.sh
--- tomcat9-9.0.16/debian/libexec/sysv-start.sh 1970-01-01 01:00:00.000000000 +0100
+++ tomcat9-9.0.16/debian/libexec/sysv-start.sh 2019-04-01 16:26:55.000000000 +0200
@@ -0,0 +1,33 @@
+#!/bin/sh
+#
+# SYSVinit script helper to wrap the systemd startup script
+#
+
+set -e
+
+# redirect stdio
+exec </dev/null
+exec >>/var/log/tomcat9/catalina.out
+exec 2>&1
+# write an initial log entry
+echo "[$(date +'%FT%T%z')] starting..."
+
+# make sure Tomcat is started with system locale
+
+# restore LC_ALL that was (un)set at initscript startup
+case $saved_LC_ALL in
+(x*) LC_ALL=${saved_LC_ALL#x} ;;
+(*) unset LC_ALL ;;
+esac
+# read global locale configuration
+test -r /etc/default/locale && . /etc/default/locale
+# export all POSIX locale-relevant environment variables if set
+for v in LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY \
+ LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE \
+ LC_MEASUREMENT LC_IDENTIFICATION LC_ALL; do
+ eval "x=\${$v-x}"
+ test x"$x" = x"x" || eval export "$v"
+done
+
+# hand control to the systemd startup script we wrap
+exec /usr/libexec/tomcat9/tomcat-start.sh "$@"
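Review bot: the export loop uses `eval "x=\${$v-x}"` and then `test x"$x" = x"x"`, so a locale variable whose value is the literal string "x" is mistaken for unset and not exported. Testing for set-ness directly avoids the sentinel collision: `eval "x=\${$v+set}"` followed by `test -n "$x" && eval export "$v"`. Minor: the lead comment "make sure Tomcat is started with system locale" is followed by a blank line and then a second comment, so the two read as separate sections; joining them makes the intent of the block clearer.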
diff -Nru tomcat9-9.0.16/debian/libexec/tomcat-locate-java.sh tomcat9-9.0.16/debian/libexec/tomcat-locate-java.sh
--- tomcat9-9.0.16/debian/libexec/tomcat-locate-java.sh 2019-02-05 10:11:13.000000000 +0100
+++ tomcat9-9.0.16/debian/libexec/tomcat-locate-java.sh 2019-04-01 16:26:55.000000000 +0200
@@ -1,4 +1,3 @@
-#!/bin/sh
#
# Script looking for a Java runtime suitable for running Tomcat
#
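Review bot: the changelog says this file is also made non-executable, but `diff -Nru` output cannot carry a mode change, so this hunk only documents the shebang removal. Reviewers applying the patch with `patch` will keep the old mode; the mode must be changed in the packaging source itself (or via debian/rules) and the upload checked for it, otherwise lintian will still see an executable file without a shebang.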
diff -Nru tomcat9-9.0.16/debian/libexec/tomcat-start.sh tomcat9-9.0.16/debian/libexec/tomcat-start.sh
--- tomcat9-9.0.16/debian/libexec/tomcat-start.sh 2019-02-05 10:11:13.000000000 +0100
+++ tomcat9-9.0.16/debian/libexec/tomcat-start.sh 2019-04-01 16:26:55.000000000 +0200
@@ -15,7 +15,7 @@
# Enable the Java security manager?
SECURITY=""
-[ "$TOMCAT_SECURITY" = "yes" ] && SECURITY="-security"
+[ "$SECURITY_MANAGER" = "true" ] && SECURITY="-security"
# Start Tomcat
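Review bot: switching from `TOMCAT_SECURITY=yes` to `SECURITY_MANAGER=true` silently disables the security manager on any system whose existing /etc/default/tomcat9 still sets the old variable, which is exactly the kind of behaviour change a freeze upload should avoid. Honouring both spellings for one release, e.g. `[ "$SECURITY_MANAGER" = "true" ] || [ "$TOMCAT_SECURITY" = "yes" ] && SECURITY="-security"` (with the precedence spelled out in a comment), keeps hardened installs hardened across the upgrade; a NEWS entry for the rename would also help.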
diff -Nru tomcat9-9.0.16/debian/logging.properties tomcat9-9.0.16/debian/logging.properties
--- tomcat9-9.0.16/debian/logging.properties 2019-02-05 10:11:13.000000000 +0100
+++ tomcat9-9.0.16/debian/logging.properties 2019-04-01 16:26:55.000000000 +0200
@@ -33,7 +33,9 @@
2localhost.org.apache.juli.AsyncFileHandler.maxDays = 90
java.util.logging.ConsoleHandler.level = FINE
+# use one of these depending on whether you use systemd or not, or roll your own
java.util.logging.ConsoleHandler.formatter = org.apache.juli.SystemdFormatter
+#java.util.logging.ConsoleHandler.formatter = org.apache.juli.OneLineFormatter
############################################################
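Review bot: the new comment tells the admin to pick one formatter but not what differs between them, so nobody reading the conffile can tell which one they need. One sentence stating the practical difference (the SystemdFormatter is intended for output that the journal will timestamp, whereas the OneLineFormatter produces self-contained lines suited to the catalina.out file the sysvinit wrapper appends to) would turn the comment into a usable instruction.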
diff -Nru tomcat9-9.0.16/debian/setenv.sh tomcat9-9.0.16/debian/setenv.sh
--- tomcat9-9.0.16/debian/setenv.sh 2019-02-05 10:11:13.000000000 +0100
+++ tomcat9-9.0.16/debian/setenv.sh 2019-04-01 17:15:52.000000000 +0200
@@ -8,5 +8,5 @@
# Default Java options
if [ -z "$JAVA_OPTS" ]; then
- JAVA_OPTS="-Djava.awt.headless=true -XX:+UseG1GC"
+ JAVA_OPTS="-Djava.awt.headless=true"
fi
diff -Nru tomcat9-9.0.16/debian/tomcat9.init tomcat9-9.0.16/debian/tomcat9.init
--- tomcat9-9.0.16/debian/tomcat9.init 1970-01-01 01:00:00.000000000 +0100
+++ tomcat9-9.0.16/debian/tomcat9.init 2019-04-01 16:26:55.000000000 +0200
@@ -0,0 +1,163 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: tomcat9
+# Required-Start: $local_fs $remote_fs $network
+# Required-Stop: $local_fs $remote_fs $network
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Tomcat 9
+# Description: The Tomcat 9 servlet engine runs Java Web Archives.
+### END INIT INFO
+
+# stuff away, used later
+saved_LC_ALL=${LC_ALL+x$LC_ALL}
+export saved_LC_ALL
+
+# absolute basics
+LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin
+export LC_ALL PATH
+unset LANGUAGE
+
+# exit cleanly if disabled or not installed
+test -x /usr/libexec/tomcat9/sysv-start.sh || exit 0
+test -x /usr/libexec/tomcat9/sysv-getjre.sh || exit 0
+test -x /usr/libexec/tomcat9/tomcat-update-policy.sh || exit 0
+test -x /usr/libexec/tomcat9/tomcat-start.sh || exit 0
+
+# Debian/LSB init script foobar
+DESC='Tomcat 9 servlet engine'
+NAME=tomcat9
+readonly DESC NAME
+. /lib/init/vars.sh
+test -t 0 && VERBOSE=yes
+. /lib/lsb/init-functions
+
+# somewhat LSB-compliant exit with failure
+if test x"$1" = x"status"; then
+ exit_failure_msg() {
+ log_failure_msg "$@"
+ exit 4
+ }
+else
+ exit_failure_msg() {
+ log_failure_msg "$@"
+ exit 1
+ }
+fi
+
+# set defaults for options
+CATALINA_HOME=/usr/share/tomcat9
+CATALINA_BASE=/var/lib/tomcat9
+CATALINA_TMPDIR=/tmp/tomcat9-tmp
+export CATALINA_HOME CATALINA_BASE CATALINA_TMPDIR
+JAVA_HOME= # determined later if empty
+JAVA_OPTS=-Djava.awt.headless=true
+JSP_COMPILER= # only used if nonempty
+SECURITY_MANAGER=false
+export JAVA_HOME JAVA_OPTS JSP_COMPILER SECURITY_MANAGER
+UMASK=022
+export UMASK
+# read options
+test -r /etc/default/tomcat9 && . /etc/default/tomcat9
+
+# ensure the temporary directory exist and change to it
+rm -rf "$CATALINA_TMPDIR"
+mkdir "$CATALINA_TMPDIR" || \
+ exit_failure_msg 'could not create JVM temporary directory'
+chown -h tomcat "$CATALINA_TMPDIR"
+cd "$CATALINA_TMPDIR"
+
+# figure out the JRE executable catalina.sh will use
+# (we need it for start-stop-daemon --exec for reliability)
+_RUNJAVA=$(su tomcat -s /bin/sh -c /usr/libexec/tomcat9/sysv-getjre.sh) || \
+ _RUNJAVA="FAIL:$?"
+case $_RUNJAVA in
+('OK<'*'>')
+ _RUNJAVA=${_RUNJAVA#'OK<'}
+ _RUNJAVA=${_RUNJAVA%'>'}
+ ;;
+(*)
+ exit_failure_msg "could not determine JRE: $_RUNJAVA"
+ ;;
+esac
+
+# prepare for actions
+case $1 in
+(start|stop|restart|force-reload)
+ # handled below
+ ;;
+(try-restart|status)
+ start-stop-daemon --status --quiet \
+ --pidfile /var/run/tomcat9.pid \
+ --exec "$_RUNJAVA" --user tomcat
+ rv=$?
+ # clean up stale pidfile if necessary
+ (test x"$rv" = x"1" && rm -f /var/run/tomcat9.pid || :)
+ # process status result
+ case $1 in
+ (try-restart)
+ test x"$rv" = x"0" || {
+ # service is not running, or status is unknown
+ log_success_msg "$NAME is not running"
+ exit 0
+ }
+ # service running, restart it
+ ;;
+ (status)
+ case $rv in
+ (0)
+ log_success_msg "$NAME is running"
+ ;;
+ (4)
+ log_failure_msg "could not access PID file for $NAME"
+ ;;
+ (*)
+ log_failure_msg "$NAME is not running"
+ ;;
+ esac
+ exit $rv
+ ;;
+ esac
+ ;;
+(reload|*)
+ # not supported
+ echo >&2 "Usage: $0 {start|stop|restart|try-restart|force-reload|status}"
+ exit 3
+ ;;
+esac
+
+# handle stopping/starting
+rv=0
+
+case $1 in
+(stop|restart|try-restart|force-reload)
+ test x"$VERBOSE" = x"no" || log_daemon_msg "Stopping $DESC"
+ start-stop-daemon --stop --quiet \
+ --retry=10 --oknodo --remove-pidfile \
+ --pidfile /var/run/tomcat9.pid \
+ --exec "$_RUNJAVA" --user tomcat
+ rv=$?
+ test x"$VERBOSE" = x"no" || log_end_msg $rv
+ ;;
+esac
+
+test x"$rv" = x"0" || exit $rv
+
+case $1 in
+(start|restart|try-restart|force-reload)
+ /usr/libexec/tomcat9/tomcat-update-policy.sh || \
+ exit_failure_msg 'could not regenerating catalina.policy file'
+ rm -f /var/run/tomcat9.pid
+ test x"$VERBOSE" = x"no" || log_daemon_msg "Starting $DESC"
+ start-stop-daemon --start --quiet \
+ --chuid tomcat --umask "$UMASK" \
+ --startas /usr/libexec/tomcat9/sysv-start.sh \
+ --background --make-pidfile \
+ --pidfile /var/run/tomcat9.pid \
+ --exec "$_RUNJAVA" --user tomcat
+ rv=$?
+ test x"$VERBOSE" = x"no" || log_end_msg $rv
+ ;;
+esac
+
+exit $rv
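Review bot: the prologue that runs `rm -rf "$CATALINA_TMPDIR"` and recreates it executes before the action is dispatched, so `/etc/init.d/tomcat9 status` (and `stop`) wipes the temporary directory of a running instance; the rm/mkdir/chown/cd block belongs inside the start branch, just before `start-stop-daemon --start`. Two smaller points in the same script: `cd "$CATALINA_TMPDIR"` is unchecked (the script does not use `set -e`), so a failed chdir silently leaves the daemon running from whatever the current directory was; and the message `'could not regenerating catalina.policy file'` should read `'could not regenerate catalina.policy file'`. Also worth a comment next to `--make-pidfile`: the recorded PID is that of sysv-start.sh, so the `--exec "$_RUNJAVA"` check used by status/stop only works if tomcat-start.sh execs the JVM rather than forking it.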
diff -Nru tomcat9-9.0.16/debian/tomcat9.install tomcat9-9.0.16/debian/tomcat9.install
--- tomcat9-9.0.16/debian/tomcat9.install 2019-02-05 10:11:13.000000000 +0100
+++ tomcat9-9.0.16/debian/tomcat9.install 2019-04-02 22:51:30.000000000 +0200
@@ -8,5 +8,6 @@
debian/logrotate.template /usr/share/tomcat9/
debian/sysusers/*.conf /usr/lib/sysusers.d/
+debian/libexec/sysv-* /usr/libexec/tomcat9/
debian/libexec/tomcat-start.sh /usr/libexec/tomcat9/
debian/libexec/tomcat-update-policy.sh /usr/libexec/tomcat9/
diff -Nru tomcat9-9.0.16/debian/tomcat9.lintian-overrides tomcat9-9.0.16/debian/tomcat9.lintian-overrides
--- tomcat9-9.0.16/debian/tomcat9.lintian-overrides 1970-01-01 01:00:00.000000000 +0100
+++ tomcat9-9.0.16/debian/tomcat9.lintian-overrides 2019-04-02 22:51:30.000000000 +0200
@@ -0,0 +1,2 @@
+# handled in dependencies and maintainer script as alternative
+tomcat9: maintainer-script-needs-depends-on-adduser postinst
diff -Nru tomcat9-9.0.16/debian/tomcat9.postinst tomcat9-9.0.16/debian/tomcat9.postinst
--- tomcat9-9.0.16/debian/tomcat9.postinst 2019-02-05 10:11:13.000000000 +0100
+++ tomcat9-9.0.16/debian/tomcat9.postinst 2019-04-02 22:54:04.000000000 +0200
@@ -12,8 +12,19 @@
case "$1" in
configure)
- # Create the tomcat user as defined in /usr/lib/sysusers.d/tomcat9.conf
- systemd-sysusers
+ # Check whether the tomcat user needs to be created
+ if id tomcat >/dev/null 2>&1; then
+ : no, it already exists
+ elif which systemd-sysusers >/dev/null; then
+ # Create the tomcat user as defined in /usr/lib/sysusers.d/tomcat9.conf
+ systemd-sysusers
+ else
+ # Create the tomcat user without systemd
+ adduser --system --home /var/lib/tomcat9 \
+ --shell /usr/sbin/nologin --no-create-home \
+ --group --disabled-password --disabled-login \
+ --gecos 'Apache Tomcat' tomcat
+ fi
# Install the configuration files
for conffile in $CONFFILES;
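Review bot: `which systemd-sysusers >/dev/null` is not POSIX and still lets the tool's stderr through; `command -v systemd-sysusers >/dev/null 2>&1` is the portable spelling and is what Debian maintainer scripts usually use. Note also that the `id tomcat` short-circuit accepts a pre-existing tomcat account with any home, shell or group, so a user left over from an older package or created by an admin keeps its old settings; that is probably intended, but a comment saying so would stop the next person from "fixing" it.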
@@ -63,8 +74,10 @@
chmod 775 /var/lib/tomcat9/webapps
# Grant read/write access to tomcat to the log and cache directories
- chown -Rh $TOMCAT_USER:$TOMCAT_GROUP /var/log/tomcat9/ /var/cache/tomcat9/
- chmod 750 /var/log/tomcat9/ /var/cache/tomcat9/
+ chown -Rh $TOMCAT_USER:adm /var/log/tomcat9/
+ chmod 2750 /var/log/tomcat9/
+ chown -Rh $TOMCAT_USER:$TOMCAT_GROUP /var/cache/tomcat9/
+ chmod 750 /var/cache/tomcat9/
;;
esac
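Review bot: `chown -Rh $TOMCAT_USER:adm /var/log/tomcat9/` runs recursively as root over a tree that the tomcat user writes to, which is the classic hazard with recursive chown on a service-owned directory: anything the service user managed to place there (hard links where fs.protected_hardlinks is off, files from a compromised webapp) gets its group changed to adm. Changing ownership and the 2750 mode on the directory itself and letting the setgid bit take care of new files, or limiting the recursion to files still owned by root (`find /var/log/tomcat9 -user root -exec chown ...`), gives the same result for fresh installs without touching user-controlled content. The values here (tomcat:adm, 2750) match the tmpfiles.d entry, which is good; keep them in sync.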
diff -Nru tomcat9-9.0.16/debian/tomcat9.service tomcat9-9.0.16/debian/tomcat9.service
--- tomcat9-9.0.16/debian/tomcat9.service 2019-02-26 09:30:59.000000000 +0100
+++ tomcat9-9.0.16/debian/tomcat9.service 2019-04-01 17:15:52.000000000 +0200
@@ -32,13 +32,13 @@
PrivateTmp=yes
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
-LogsDirectory=tomcat9
-LogsDirectoryMode=750
CacheDirectory=tomcat9
CacheDirectoryMode=750
ProtectSystem=strict
ReadWritePaths=/etc/tomcat9/Catalina/
ReadWritePaths=/var/lib/tomcat9/webapps/
+ReadWritePaths=/var/log/tomcat9/
+RequiresMountsFor=/var/log/tomcat9 /var/lib/tomcat9
[Install]
WantedBy=multi-user.target
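Review bot: dropping LogsDirectory=/LogsDirectoryMode= removes the guarantee that systemd provisions /var/log/tomcat9 with the right owner and mode on every start; that job now falls to the tmpfiles.d entry, so the upload must make sure `systemd-tmpfiles --create` is run in postinst on upgrade (dh_installsystemd does this for a debian/tomcat9.tmpfile, which should be confirmed in the built postinst). The added `ReadWritePaths=/var/log/tomcat9/` is required under `ProtectSystem=strict` now that the directory is no longer managed by the unit, and `RequiresMountsFor=` is the right ordering for separately mounted /var/log; both are correct.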
diff -Nru tomcat9-9.0.16/debian/tomcat9.tmpfile tomcat9-9.0.16/debian/tomcat9.tmpfile
--- tomcat9-9.0.16/debian/tomcat9.tmpfile 1970-01-01 01:00:00.000000000 +0100
+++ tomcat9-9.0.16/debian/tomcat9.tmpfile 2019-04-01 17:15:52.000000000 +0200
@@ -0,0 +1,3 @@
+# type path mode uid gid age arg(symlink target)
+
+d /var/log/tomcat9 2750 tomcat adm -
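Review bot: on the sysvinit systems this patch targets nothing applies tmpfiles.d, so the postinst chown/chmod is the only provisioning there and this entry is only effective under systemd; a comment above the `d` line saying that the values must be kept identical to the postinst (tomcat, adm, 2750) would prevent the two from drifting apart in a later upload.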