On 03/04/2019 at 18:40, Alex wrote:

> A problem begins when some of Tomcat's webapps are trying to access $HOME for
> writing. That's completely another question about _why_ they want to write to
> $HOME. But the whole idea having `/` as home dir is definitely insecure.

The previous tomcat8 package created a 'tomcat8' user with /var/libtomcat8/ as its home directory. /var/libtomcat8/ was chmod 755 root:root, so if I'm not mistaken tomcat8 couldn't write to its home directory either.

The new tomcat9 package now creates a generic 'tomcat' user with no version in the name. It's no longer possible to use /var/lib/tomcat9 as home directory, that would be problematic when the tomcat9 package is replaced by tomcat10.

I admit using / as home directory isn't perfect, but I fail to see how this can be considered insecure.

What about setting the -Duser.home JVM parameter when Tomcat is started instead of changing the system user home?

Emmanuel Bourg

__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
