Bug#926338: tomcat9: tomcat user's home folder is '/'

Emmanuel Bourg ebourg at apache.org
Sun Jun 2 22:29:51 BST 2019


On 03/04/2019 at 18:40, Alex wrote:

> A problem begins when some of Tomcat's webapps are trying to access $HOME for writing. That's completely another question about _why_ they want to write to $HOME. But the whole idea having `/` as home dir is definitely insecure.

The previous tomcat8 package created a 'tomcat8' user with
/var/lib/tomcat8/ as its home directory. /var/lib/tomcat8/ was chmod 755
root:root, so if I'm not mistaken tomcat8 couldn't write to its home
directory either.

The new tomcat9 package now creates a generic 'tomcat' user with no
version in the name. It's no longer possible to use /var/lib/tomcat9 as
home directory, that would be problematic when the tomcat9 package is
replaced by tomcat10.

I admit using / as home directory isn't perfect, but I fail to see how
this can be considered insecure.

What about setting the -Duser.home JVM parameter when Tomcat is started
instead of changing the system user home?

Emmanuel Bourg
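Added example, not from this thread or from the Debian tomcat9 package: a small POSIX sh audit that lists accounts whose passwd home field is exactly "/", checks a named user, and renders the JAVA_OPTS line that sets -Duser.home as suggested above instead of changing the system user. The passwd entries are constructed sample data (a real run would feed it `getent passwd`); the assumption that the Debian tomcat9 unit reads JAVA_OPTS from /etc/default/tomcat9 and the choice of /var/lib/tomcat9 as the directory are the author of this example's, not the bug report's.

```shell
#!/bin/sh
# Added example, not part of the Debian tomcat9 package or of bug #926338.
# Audit passwd entries for accounts whose home directory is '/' and render the
# JAVA_OPTS line that points the JVM's user.home elsewhere without touching
# the system user's home.

# Constructed sample in /etc/passwd format; on a live system use:
#   accounts_with_root_home "$(getent passwd)"
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
tomcat:x:997:997::/:/usr/sbin/nologin
tomcat8:x:998:998::/var/lib/tomcat8:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# Print "user home" for every entry whose 6th field (home) is exactly "/".
accounts_with_root_home() {
  # $1 = passwd-format text
  printf '%s\n' "$1" | awk -F: '$6 == "/" { print $1, $6 }'
}

# Return 0 if the named user's home is "/", 1 if it is something else,
# 2 if the user does not appear in the input at all.
home_is_root() {
  # $1 = passwd-format text, $2 = user name
  home=$(printf '%s\n' "$1" |
    awk -F: -v u="$2" '$1 == u { print $6; found = 1 } END { exit !found }') \
    || return 2
  [ "$home" = "/" ]
}

# Render the line to append to /etc/default/tomcat9. That the Debian unit
# picks JAVA_OPTS up from this file is an assumption of this example.
render_user_home_opt() {
  # $1 = directory the JVM should report as user.home, e.g. /var/lib/tomcat9
  printf 'JAVA_OPTS="${JAVA_OPTS} -Duser.home=%s"\n' "$1"
}

accounts_with_root_home "$SAMPLE_PASSWD"
render_user_home_opt /var/lib/tomcat9
```

Two caveats when applying this: the directory named in -Duser.home must exist and be writable by the tomcat user if a webapp really needs to write there, and -Duser.home only changes the Java system property; the HOME environment variable seen by anything Tomcat spawns (Runtime.exec, shell scripts) still comes from the passwd entry unless the service unit sets it separately.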


