This is an automated email from the git hooks/post-receive script. apo pushed a commit to branch master in repository tomcat7.
commit 480c38b27416e4ca6ae247796d657e9d515b9772 Author: Markus Koschany <[email protected]> Date: Tue Aug 2 11:41:32 2016 +0200 Do not unconditionally override files in /etc/tomcat7 Closes: #821391
---
debian/tomcat7.postinst | 25 ++++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/debian/tomcat7.postinst b/debian/tomcat7.postinst
index df949df..a133d64 100644
--- a/debian/tomcat7.postinst
+++ b/debian/tomcat7.postinst
@@ -45,13 +45,28 @@ case "$1" in ucf --debconf-ok --sum-file /usr/share/tomcat7/logrotate.md5sum $tmpfile $LR_CONFFILE rm -f $tmpfile - # configuration files should not be modifiable by tomcat7 user, as this can be a security issue + # configuration files should not be modifiable by tomcat8 user, as this can be a security issue # (an attacker may insert code in a webapp and have access to all tomcat configuration) # but those files should be readable by tomcat7, so we set the group to tomcat7 - chown -Rh root:$TOMCAT7_GROUP /etc/tomcat7/* - if [ -f /etc/tomcat7/tomcat-users.xml ] ; then - chmod 640 /etc/tomcat7/tomcat-users.xml - fi + for i in tomcat-users.xml web.xml server.xml logging.properties context.xml catalina.properties; + do + if [ -f "/etc/tomcat7/$i" ]; then + chown root:$TOMCAT7_GROUP /etc/tomcat7/$i + chmod 640 /etc/tomcat7/$i + fi + done + # configuration policy files should not be modifiable by the tomcat7 user. Only + # diverge from default permissions for known Debian files + chown root:$TOMCAT8_GROUP /etc/tomcat8/policy.d + for i in 01system.policy 02debian.policy 03catalina.policy 04webapps.policy 50local.policy; + do + if [ -f "/etc/tomcat7/policy.d/$i" ]; then + chown root:$TOMCAT7_GROUP /etc/tomcat7/policy.d/$i + chmod 640 /etc/tomcat7/policy.d/$i + fi + done + chown -Rh root:$TOMCAT7_GROUP /etc/tomcat7/Catalina + chown -Rh $TOMCAT7_USER:$TOMCAT7_GROUP /var/lib/tomcat7/webapps /var/lib/tomcat7/common /var/lib/tomcat7/server /var/lib/tomcat7/shared chmod 775 /var/lib/tomcat7/webapps chmod 775 /etc/tomcat7/Catalina /etc/tomcat7/Catalina/localhost -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
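Review bot: The added `chown root:$TOMCAT8_GROUP /etc/tomcat8/policy.d` looks like a leftover from the tomcat8 packaging: nothing in this hunk defines `TOMCAT8_GROUP`, and the path belongs to a different package, so `/etc/tomcat7/policy.d` itself never gets the root ownership the comment above it promises. The line should read `chown root:$TOMCAT7_GROUP /etc/tomcat7/policy.d`, and the reworded first comment should keep `tomcat7 user` instead of `tomcat8 user`. If the script runs under `set -e` (not visible here), the stray command would presumably also abort configuration on hosts without `/etc/tomcat8`. The two new loops drop the `-h` that the removed `chown -Rh` carried, and `[ -f ]` is true for a symlink to a regular file, so `chown`/`chmod 640` would be applied to the link target; testing `[ -f "/etc/tomcat7/$i" ] && [ ! -L "/etc/tomcat7/$i" ]` and quoting the path in the `chown`/`chmod` lines as well keeps the permission changes confined to the package's own files. The enclosing `case "$1" in` branch starts and ends outside the hunk.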

