On Tue, 19 Apr 2016 10:02:15 +0200 David_dev Dev <[email protected]> wrote: > Hi, > Thx for the answer. > > the jmxremote.password 600 mode is a mandatory from Tomcat configuration. > Is set to another mode tomcat will not start. > It's the same as the ~/.ssh/id_rsa configuration. > > Some corrections on the following answer : > - the script chown root:tomcat7 (and not root:root). > > I found the explanation of why for this choice by debian currently : > > # configuration files should not be modifiable by tomcat7 user, as this can > be a security issue > > # (an attacker may insert code in a webapp and have access to all > tomcat configuration) > > # but those files should be readable by tomcat7, so we set the > group to tomcat7 > > chown -Rh root:$TOMCAT7_GROUP /etc/tomcat7/* > > > Note that tomcat7 is launched by default by a tomcat7 user in debian > package (a good choice ! better than root :) )
That's correct. Our postinst script uses chown root:tomcat7. The default would be root:root as you can see in the apache2 package for example. If we used the default the files would be still readable by the tomcat7 user but the user couldn't write to them because they were owned by root. So in my opinion we should stop chowning /etc/tomcat7 completely. If we really need to set specific permissions for configuration files, it should be done on a case-by-case basis. By the way you could also change the file location of your password and access file by specifying -Dcom.sun.management.jmxremote.password.file -Dcom.sun.management.jmxremote.access.file See also https://tomcat.apache.org/tomcat-7.0-doc/config/listeners.html#JMX_Remote_Lifecycle_Listener_-_org.apache.catalina.mbeans.JmxRemoteLifecycleListener This information should also be available in Debian's tomcat7-docs package. > - the home of tomcat7 : wow i even don't see that configuration. Don't > known if it's a standard rule for debian application account ? not enough > knowledge of debian for that, but seem not be a problem. Indeed that's a different bug and not related to this issue. > - for the package, after reading a little more, i'm not sure the scrit > postinst is linked to tomcat-admin, but more to a core tomcat7. > tomcat7-admin seem to add only admin webapps for managing the tomcat. but > don't know how to find in which package the script come from. The postinst script is executed when you install tomcat7. Just take a look at the sources: https://anonscm.debian.org/cgit/pkg-java/tomcat7.git/tree/debian > And last, sorry for english, not my native langage :) No problem. > *** Some links about jmx config from most "official" site. I'm very > interesting by a debian doc about thisbut not seen with a quick search. I believe we don't ship specific instructions how to set up a JMX configuration but tomcat7-docs provides the official Tomcat documentation. Using /etc/tomcat7 wasn't the wrong choice. Regards, Markus
signature.asc
Description: OpenPGP digital signature
__ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use [email protected] for discussions and questions.
