On Tue, 2 Aug 2016 11:06:56 +0200 Markus Koschany <a...@debian.org> wrote:

> Tomcat 8 should not write files into /etc/tomcat8/Catalina.

The fact that Tomcat is able to write to /etc/tomcat8/Catalina
contributed to the vulnerability described in #845393.

This directory is writable because Tomcat copies the context.xml files
of the web applications there. This is controlled by the copyXML
attribute of the Host element in server.xml which is false by default. I
suspect this feature is rarely used, so we could simply make the
/etc/tomcat8/Catalina directory read-only for the tomcat8 user. That
would solve this bug and the #845393 vulnerability. If the administrator
wants to set copyXML to true, he will have to adjust the permissions of
the directory.

I observed that even when copyXML is false, Tomcat creates an empty
directory per virtualhost under /etc/tomcat8/Catalina (for example
/etc/tomcat8/Catalina/www.example.org). When I made
/etc/tomcat8/Catalina read-only Tomcat didn't complain, no error was
reported in the logs.

Emmanuel Bourg

Reply via email to