Bug#926338: tomcat9: tomcat user's home folder is '/'
David Magda
David.Magda at oicr.on.ca
Mon Sep 21 19:20:07 BST 2020
On Sun, 2 Jun 2019 23:29:51 +0200, Emmanuel Bourg wrote:
> I admit using / as home directory isn't perfect, but I fail to see how
> this can be considered insecure.
>
> What about setting the -Duser.home JVM parameter when Tomcat is started
> instead of changing the system user home?
Tomcat is operating at two levels: the operating system and the application.
Using "-Duser.home" is useful for telling the application itself where
to look for things, but less so for doing some operations at the OS layer.
One example is for CI/CD infrastructure: if someone wants to use (say)
Jenkins to deploy WAR files as they update code, and want to use SSH
keys for getting into front-end Tomcat systems, where would they put the
authorized_keys(5) file?
SSHd looks for it in "${HOME}/.ssh/" by default, which would mean "/.ssh/".
So where would one put it? Should the passwd(5) file simply be edited
manually after installation?
More information about the pkg-java-maintainers
mailing list