Package: tomcat9
Version: 9.0.16-1~bpo9+1
Severity: important
Tags: d-i

Dear Maintainer,

With the default `tomcat9` installation, a system user is created as per the following instructions:

    # Create the tomcat user as defined in /usr/lib/sysusers.d/tomcat9.conf
    systemd-sysusers

/usr/lib/sysusers.d/tomcat9.conf:

    #Type Name ID GECOS Home directory Shell
    u tomcat - "Apache Tomcat" - /usr/sbin/nologin

Which results in `/` (root folder) as a home dir:

    grep tomcat /etc/passwd | awk -F: '{ print $6}'
    /

A problem begins when some of Tomcat's webapps are trying to access $HOME for writing. That's completely another question about _why_ they want to write to $HOME. But the whole idea of having `/` as home dir is definitely insecure.

-- System Information:
Debian Release: 9.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-0.bpo.2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tomcat9 depends on:
ii  lsb-base        9.20161125
ii  systemd         241-1~bpo9+1
ii  tomcat9-common  9.0.16-1~bpo9+1
ii  ucf             3.0036

Versions of packages tomcat9 recommends:
ii  libtcnative-1  1.2.21-1~bpo9+1

Versions of packages tomcat9 suggests:
ii  tomcat9-admin     9.0.16-1~bpo9+1
pn  tomcat9-docs      <none>
pn  tomcat9-examples  <none>
ii  tomcat9-user      9.0.16-1~bpo9+1

-- no debconf information
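
Added example (not part of the original report and not code from Debian or Tomcat): an audit sketch that flags sysusers.d `u` entries whose home field is `-`, absent or `/`, and passwd accounts other than UID 0 whose home is `/`, as the report observed for `tomcat`. All sample data except the quoted tomcat9.conf line is constructed, and the function names, the `exampled` and `shortline` users and the UIDs are hypothetical.

```python
import shlex

# Constructed sample: the tomcat9.conf line from the report plus hypothetical entries.
SAMPLE_SYSUSERS = """\
#Type Name ID GECOS Home directory Shell
u tomcat - "Apache Tomcat" - /usr/sbin/nologin
u exampled - "Example daemon" /var/lib/exampled /usr/sbin/nologin
g examplegrp -
u shortline -
"""

# Constructed /etc/passwd excerpt (hypothetical UIDs).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
tomcat:x:998:998:Apache Tomcat:/:/usr/sbin/nologin
exampled:x:997:997:Example daemon:/var/lib/exampled:/usr/sbin/nologin
"""

def sysusers_without_home(text):
    """Names of 'u' entries whose home field is absent, '-' or '/'."""
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # GECOS is a quoted string that may contain spaces
        if fields[0] != "u" or len(fields) < 2:
            continue  # only user lines are of interest here
        home = fields[4] if len(fields) > 4 else "-"
        if home in ("-", "/"):
            flagged.append(fields[1])
    return flagged

def passwd_home_is_root(text):
    """Names of passwd entries, other than UID 0, whose home directory is '/'."""
    flagged = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue  # skip malformed lines
        name, uid, home = parts[0], parts[2], parts[5]
        if uid != "0" and home == "/":
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print("sysusers.d entries with no dedicated home:", sysusers_without_home(SAMPLE_SYSUSERS))
    print("passwd accounts with home '/':", passwd_home_is_root(SAMPLE_PASSWD))
```

To audit a real host, pass the contents of the files under /usr/lib/sysusers.d/ and of /etc/passwd to the two functions in place of the samples.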