Control: tags -1 patch

On 27.07.2016 23:39, Emmanuel Bourg wrote:
> On 27/07/2016 at 13:21, Markus Koschany wrote:
>
>> So the question is
>>
>> does Tomcat 7/8 need write access to the conf directory at runtime and
>> if yes why?
>
> Yes it does: Tomcat extracts the META-INF/context.xml files from the
> .war archives into $CATALINA_BASE/conf/[enginename]/[hostname]/ and this
> happens at runtime.
Ok, here we go. Obviously the current setup is not FHS-conformant and I
think we can do better.
>> I'm not convinced that overriding the permissions for all files
>> under /etc/tomcat{7,8} is something that can't be avoided and can only
>> be fixed in Tomcat 9.
>
> I think we should set the permissions for the known tomcat files only
> and avoid touching the other ones. That is:
>
> Catalina
> catalina.properties
> context.xml
> logging.properties
> policy.d
> server.xml
> tomcat-users.xml
> web.xml
>
> I'd keep root:tomcat with 644 or 640 for the permissions. 640 would make
> sense since server.xml could contain datasource declarations with
> database credentials.
If we keep root:tomcat8 then I think 640 is sensible and appropriate.
I am attaching two patches for Tomcat 8 in unstable and Tomcat 8 in stable.
The patch for unstable will achieve the following:
1. Do not override file permissions for custom files in /etc/tomcat8 any
longer. Be explicit instead and only change them for known Debian files.
2. Make /var/lib/tomcat8/conf a real directory and remove the symlink.
Instead symlink all Debian files from /etc/tomcat8 into
/var/lib/tomcat8/conf
3. Remove /etc/tomcat8/Catalina and move it into
/var/lib/tomcat8/conf/Catalina
4. Preserve all custom files and file permissions while performing this
operation.
5. Inform users about the change with a NEWS file.
The stable patch only implements point 1, which should address the issue
described in this bug report. Users will have more time to prepare for
the other changes.
Regards,
Markus
diff -Nru tomcat8-8.0.36/debian/changelog tomcat8-8.0.36/debian/changelog --- tomcat8-8.0.36/debian/changelog 2016-06-14 14:35:00.000000000 +0200 +++ tomcat8-8.0.36/debian/changelog 2016-07-29 10:49:48.000000000 +0200 @@ -1,3 +1,19 @@ +tomcat8 (8.0.36-2) unstable; urgency=medium + + * Team upload. + * Add NEWS file and inform users about the changes. + * tomcat8.postinst: Do not unconditionally override file permissions + in /etc/tomcat8 anymore. (Closes: #825786) + * Make /var/lib/tomcat8/conf a real directory and symlink all configuration + files into this directory. + * tomcat8.preinst: Move /etc/tomcat8/Catalina to + /var/lib/tomcat8/conf/Catalina because Tomcat extracts files at runtime + into this directory which is inappropriate for /etc. Preserve all custom + configuration files and move them into /var/lib/tomcat8/conf as well. + * Set all file permissions to 640 (rw-r--) in /etc/tomcat8. + + -- Markus Koschany <[email protected]> Fri, 29 Jul 2016 08:47:24 +0200 + tomcat8 (8.0.36-1) unstable; urgency=medium * Team upload. diff -Nru tomcat8-8.0.36/debian/NEWS tomcat8-8.0.36/debian/NEWS --- tomcat8-8.0.36/debian/NEWS 1970-01-01 01:00:00.000000000 +0100 +++ tomcat8-8.0.36/debian/NEWS 2016-07-29 10:49:48.000000000 +0200 
@@ -0,0 +1,16 @@ +tomcat8 (8.0.36-2) unstable; urgency=medium + + This update removes the symlink from /var/lib/tomcat8/conf to /etc/tomcat8. + The conf directory has been replaced by a real directory. All global + configuration files are now directly symlinked into /var/lib/tomcat8/conf + with the notable exception of /etc/tomcat8/Catalina which has been moved + into /var/lib/tomcat8/conf. + + The reasoning for this change is that Tomcat extracts files into the + Catalina directory at runtime. Since /etc is for static files only, + /var/lib/tomcat8/conf/Catalina is a more suitable location. + + All custom files have been preserved and moved into /var/lib/tomcat8/conf. + It is safe to remove them from /etc/tomcat8 now. + + -- Markus Koschany <[email protected]> Fri, 29 Jul 2016 10:32:20 +0200 diff -Nru tomcat8-8.0.36/debian/tomcat8.dirs tomcat8-8.0.36/debian/tomcat8.dirs --- tomcat8-8.0.36/debian/tomcat8.dirs 2016-06-14 13:59:19.000000000 +0200 +++ tomcat8-8.0.36/debian/tomcat8.dirs 2016-07-29 10:49:48.000000000 +0200 @@ -1,6 +1,6 @@ var/log/tomcat8 +var/lib/tomcat8/conf/Catalina/localhost var/lib/tomcat8/lib var/lib/tomcat8/webapps var/cache/tomcat8 -etc/tomcat8/Catalina/localhost etc/logrotate.d diff -Nru tomcat8-8.0.36/debian/tomcat8.links tomcat8-8.0.36/debian/tomcat8.links --- tomcat8-8.0.36/debian/tomcat8.links 2016-06-14 13:59:19.000000000 +0200 +++ tomcat8-8.0.36/debian/tomcat8.links 2016-07-29 10:49:48.000000000 +0200 
@@ -1,4 +1,10 @@ -/etc/tomcat8 /var/lib/tomcat8/conf +/etc/tomcat8/policy.d /var/lib/tomcat8/conf/policy.d +/etc/tomcat8/catalina.properties /var/lib/tomcat8/conf/catalina.properties +/etc/tomcat8/context.xml /var/lib/tomcat8/conf/context.xml +/etc/tomcat8/logging.properties /var/lib/tomcat8/conf/logging.properties +/etc/tomcat8/server.xml /var/lib/tomcat8/conf/server.xml +/etc/tomcat8/tomcat-users.xml /var/lib/tomcat8/conf/tomcat-users.xml +/etc/tomcat8/web.xml /var/lib/tomcat8/conf/web.xml /var/cache/tomcat8 /var/lib/tomcat8/work /var/log/tomcat8 /var/lib/tomcat8/logs /usr/share/doc/tomcat8-common/README.Debian /usr/share/doc/tomcat8/README.Debian diff -Nru tomcat8-8.0.36/debian/tomcat8.postinst tomcat8-8.0.36/debian/tomcat8.postinst --- tomcat8-8.0.36/debian/tomcat8.postinst 2016-06-14 13:59:19.000000000 +0200 +++ tomcat8-8.0.36/debian/tomcat8.postinst 2016-07-29 10:49:48.000000000 +0200 
@@ -48,13 +48,28 @@ # configuration files should not be modifiable by tomcat8 user, as this can be a security issue # (an attacker may insert code in a webapp and have access to all tomcat configuration) # but those files should be readable by tomcat8, so we set the group to tomcat8 - chown -Rh root:$TOMCAT8_GROUP /etc/tomcat8/* - if [ -f /etc/tomcat8/tomcat-users.xml ] ; then - chmod 640 /etc/tomcat8/tomcat-users.xml - fi + for i in tomcat-users.xml web.xml server.xml logging.properties context.xml catalina.properties; + do + chown root:$TOMCAT8_GROUP /etc/tomcat8/$i + chmod 640 /etc/tomcat8/$i + done + # configuration policy files should not be modifiable by the tomcat8 user. Only + # diverge from default permissions for known Debian files + chown root:$TOMCAT8_GROUP /etc/tomcat8/policy.d/ + for i in 01system.policy 02debian.policy 03catalina.policy 04webapps.policy 50local.policy; + do + chown root:$TOMCAT8_GROUP /etc/tomcat8/policy.d/$i + chmod 640 /etc/tomcat8/policy.d/$i + done + # Tomcat extracts the META-INF/context.xml from war archives into + # $CATALINA_BASE/conf/[enginename]/[hostname] at runtime. Therefore group tomcat8 + # needs write permissions + chown root:$TOMCAT8_GROUP /var/lib/tomcat8/conf/Catalina/localhost + chmod 775 /var/lib/tomcat8/conf/Catalina /var/lib/tomcat8/conf/Catalina/localhost + # $CATALINA_BASE/webapps and $CATALINA_BASE/lib should be readable and + # writable by the tomcat8 user chown -Rh $TOMCAT8_USER:$TOMCAT8_GROUP /var/lib/tomcat8/webapps /var/lib/tomcat8/lib chmod 775 /var/lib/tomcat8/webapps - chmod 775 /etc/tomcat8/Catalina /etc/tomcat8/Catalina/localhost # Authorize user tomcat8 to open privileged ports via authbind. TOMCAT_UID="`id -u $TOMCAT8_USER`" diff -Nru tomcat8-8.0.36/debian/tomcat8.postrm.in tomcat8-8.0.36/debian/tomcat8.postrm.in --- tomcat8-8.0.36/debian/tomcat8.postrm.in 2016-06-14 13:59:19.000000000 +0200 +++ tomcat8-8.0.36/debian/tomcat8.postrm.in 2016-07-29 10:49:48.000000000 +0200 
@@ -59,8 +59,7 @@ if [ -d "/var/lib/tomcat8" ] ; then rmdir --ignore-fail-on-non-empty /var/lib/tomcat8 fi - rmdir --ignore-fail-on-non-empty /etc/tomcat8/policy.d \ - /etc/tomcat8/Catalina/localhost /etc/tomcat8/Catalina /etc/tomcat8 + rmdir --ignore-fail-on-non-empty /etc/tomcat8/policy.d /etc/tomcat8 # clean up /etc/authbind after conffiles have been removed rmdir --ignore-fail-on-non-empty /etc/authbind/byuid /etc/authbind # Put all files owned by group tomcat8 back into root group before deleting diff -Nru tomcat8-8.0.36/debian/tomcat8.preinst tomcat8-8.0.36/debian/tomcat8.preinst --- tomcat8-8.0.36/debian/tomcat8.preinst 1970-01-01 01:00:00.000000000 +0100 +++ tomcat8-8.0.36/debian/tomcat8.preinst 2016-07-29 10:49:48.000000000 +0200 @@ -0,0 +1,25 @@ +#!/bin/sh + +set -e + +case "$1" in + upgrade) + if dpkg --compare-versions "$2" lt "8.0.36-2~"; then + rm -f /var/lib/tomcat8/conf + mkdir -p /var/lib/tomcat8/conf/Catalina/localhost + cp -ar /etc/tomcat8/* /var/lib/tomcat8/conf/ + rm -rf /var/lib/tomcat8/conf/policy.d + ln -s /etc/tomcat8/policy.d var/lib/tomcat8/conf/policy.d + rm -rf /etc/tomcat8/Catalina + fi + ;; + install|abort-upgrade) + ;; + *) + echo "preinst called with unknown argument '$1'" >&2 + exit 1 + ;; +esac + +#DEBHELPER# +
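Review bot: in the debian/changelog hunk, the parenthetical in "Set all file permissions to 640 (rw-r--)" is truncated and misleading: 640 is rw-r-----, owner read/write, group read and nothing for others, which is the whole point given the database credentials in server.xml raised in the discussion. The same bullet says "all file permissions" while the preceding bullet and the postinst only touch the listed Debian files; say "the known Debian configuration files" so the two entries do not contradict each other.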
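Review bot: in the debian/NEWS hunk, "All custom files have been preserved and moved into /var/lib/tomcat8/conf" does not match the preinst, which uses `cp -ar`, so the custom files are copied and the originals stay in /etc/tomcat8; say "copied" and spell out the consequence for the administrator: after the upgrade Tomcat reads only the copy under /var/lib/tomcat8/conf, so later edits to a leftover copy in /etc/tomcat8 have no effect. Also worth stating that `/etc/tomcat8/*` does not match dot files, so a custom file whose name starts with a dot is not carried over.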
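Review bot: in the debian/tomcat8.postinst hunk, the two new loops chown and chmod every file unconditionally, dropping the `if [ -f /etc/tomcat8/tomcat-users.xml ]` guard the replaced code had. dpkg honours an administrator's deletion of a conffile, so a removed tomcat-users.xml or 50local.policy makes `chown` fail and, under set -e, aborts the postinst with the package left unconfigured; add `[ -e "/etc/tomcat8/$i" ] || continue` (and the policy.d equivalent) at the top of each loop body. Second, `chmod 775 /var/lib/tomcat8/conf/Catalina /var/lib/tomcat8/conf/Catalina/localhost` is preceded by a chown of localhost only: on a fresh install dpkg creates the parent Catalina directory from tomcat8.dirs as root:root, so its group-write bit grants tomcat8 nothing and Tomcat cannot create a directory for a second host. Add /var/lib/tomcat8/conf/Catalina to the chown line, which the old recursive `chown -Rh root:$TOMCAT8_GROUP /etc/tomcat8/*` covered implicitly.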
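Review bot: in the debian/tomcat8.postrm.in hunk, the rmdir list loses /etc/tomcat8/Catalina but nothing in the hunk removes what the package now creates under /var/lib/tomcat8/conf (Catalina/localhost, Catalina, conf itself, plus the context.xml files Tomcat extracted there). Unless that is handled elsewhere in the script, the `rmdir --ignore-fail-on-non-empty /var/lib/tomcat8` in the context above will quietly do nothing on purge and leave the tree behind. Add `rm -rf /var/lib/tomcat8/conf/Catalina` (runtime-generated, not configuration) followed by `rmdir --ignore-fail-on-non-empty /var/lib/tomcat8/conf`, keeping rmdir for conf so copied custom files are never deleted.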
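Review bot: in the new debian/tomcat8.preinst, `ln -s /etc/tomcat8/policy.d var/lib/tomcat8/conf/policy.d` is missing the leading slash on the link name, so the link is created relative to the working directory and only lands in the right place because dpkg happens to run maintainer scripts from /; write `/var/lib/tomcat8/conf/policy.d`, or drop the `rm -rf`/`ln -s` pair entirely, since tomcat8.links creates this very symlink when the package is unpacked. Also `rm -f /var/lib/tomcat8/conf` is meant for the old symlink but fails on a directory, and under `set -e` that aborts the upgrade for anyone who already replaced the link with a real directory; guard it with `if [ -L /var/lib/tomcat8/conf ]; then rm -f /var/lib/tomcat8/conf; fi`.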
From ef6676dfba6ef0380ee655a2e3284b553d7dc6b6 Mon Sep 17 00:00:00 2001 From: Markus Koschany <[email protected]> Date: Fri, 29 Jul 2016 11:04:29 +0200 Subject: [PATCH] fix 825786 for tomcat8-stable --- debian/tomcat8.postinst | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/debian/tomcat8.postinst b/debian/tomcat8.postinst index 306a0b1..ced5f04 100644 --- a/debian/tomcat8.postinst +++ b/debian/tomcat8.postinst @@ -48,10 +48,21 @@ case "$1" in # configuration files should not be modifiable by tomcat8 user, as this can be a security issue # (an attacker may insert code in a webapp and have access to all tomcat configuration) # but those files should be readable by tomcat8, so we set the group to tomcat8 - chown -Rh root:$TOMCAT8_GROUP /etc/tomcat8/* - if [ -f /etc/tomcat8/tomcat-users.xml ] ; then - chmod 640 /etc/tomcat8/tomcat-users.xml - fi + for i in tomcat-users.xml web.xml server.xml logging.properties context.xml catalina.properties; + do + chown root:$TOMCAT8_GROUP /etc/tomcat8/$i + chmod 640 /etc/tomcat8/$i + done + # configuration policy files should not be modifiable by the tomcat8 user. Only + # diverge from default permissions for known Debian files + chown root:$TOMCAT8_GROUP /etc/tomcat8/policy.d + for i in 01system.policy 02debian.policy 03catalina.policy 04webapps.policy 50local.policy; + do + chown root:$TOMCAT8_GROUP /etc/tomcat8/policy.d/$i + chmod 640 /etc/tomcat8/policy.d/$i + done + chown -Rh root:$TOMCAT8_GROUP /etc/tomcat8/Catalina + chown -Rh $TOMCAT8_USER:$TOMCAT8_GROUP /var/lib/tomcat8/webapps /var/lib/tomcat8/lib chmod 775 /var/lib/tomcat8/webapps chmod 775 /etc/tomcat8/Catalina /etc/tomcat8/Catalina/localhost -- 2.8.1
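Review bot: in the stable debian/tomcat8.postinst hunk, the two loops drop the `if [ -f ... ]` guard the replaced code had for tomcat-users.xml, so a conffile the administrator deleted (which dpkg respects on upgrade) makes `chown` fail and, under set -e, aborts the postinst; add `[ -e "/etc/tomcat8/$i" ] || continue` at the top of each loop body. This is the same loop as in the unstable patch and should get the same fix in both. The added `chown -Rh root:$TOMCAT8_GROUP /etc/tomcat8/Catalina` keeps the previous ownership of the one tree that is deliberately left group-writable by the `chmod 775` below, but the comment above the loop still says configuration must not be modifiable by tomcat8; a one-line comment on that chown about the runtime extraction of META-INF/context.xml, as the unstable patch has, would spare the next reader the contradiction.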
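The permission scheme the thread settles on (known configuration files root:tomcat8 mode 640, custom files left alone but never writable by the tomcat group, only Catalina/[hostname] writable so Tomcat can extract META-INF/context.xml) as an added audit script. It is not part of the Debian tomcat8 package or of this thread: it walks a CATALINA_BASE/conf tree, following the symlinks Debian places there, and reports every deviation. The owner, group and host name are parameters rather than the package's fixed root/tomcat8/localhost so it can also be run against a test layout, and it assumes GNU stat and find.

```shell
#!/bin/sh
# Added example (not from the Debian tomcat8 package or this thread): audit a
# CATALINA_BASE/conf tree against the permission scheme discussed above.
#
# Findings reported:
#   - a known configuration file not owned by OWNER:GROUP, group-writable, or
#     accessible to "other" (the thread settles on root:tomcat8, mode 640,
#     because server.xml may carry database credentials);
#   - any other regular file under conf, outside Catalina/, that the group can
#     write, since a webapp compromised as the tomcat user could then edit it;
#   - Catalina/<host> missing or not group-writable, because Tomcat extracts
#     META-INF/context.xml from .war files there at runtime.
#
# OWNER/GROUP/HOST are parameters (the package uses root, tomcat8, localhost).
# Assumes GNU stat and find; -L follows the symlinks Debian places in conf.
set -u

KNOWN_FILES="catalina.properties context.xml logging.properties server.xml tomcat-users.xml web.xml"

# group_bits PATH / other_bits PATH: the rwx triplet for group / other, read
# from the symbolic mode (e.g. -rw-r-----) of the link target.
group_bits() { stat -L -c '%A' "$1" | cut -c5-7; }
other_bits() { stat -L -c '%A' "$1" | cut -c8-10; }

# is_known CONF PATH: true if PATH is one of the package's own conffiles in CONF.
is_known() {
    for k in $KNOWN_FILES; do
        [ "$2" = "$1/$k" ] && return 0
    done
    return 1
}

# audit_conf CONF OWNER GROUP [HOST]: print one finding per line; return 1 if any.
audit_conf() {
    conf=$1; owner=$2; group=$3; host=${4:-localhost}
    n=0
    for f in $KNOWN_FILES; do
        p="$conf/$f"
        [ -e "$p" ] || continue        # a conffile the admin deleted is not a finding
        og=$(stat -L -c '%U:%G' "$p")
        if [ "$og" != "$owner:$group" ]; then
            echo "$p: owned by $og, expected $owner:$group"; n=$((n + 1))
        fi
        case $(group_bits "$p") in
            *w*) echo "$p: group-writable"; n=$((n + 1)) ;;
        esac
        if [ "$(other_bits "$p")" != "---" ]; then
            echo "$p: accessible to others"; n=$((n + 1))
        fi
    done
    # Custom files: the package leaves their permissions alone, so only group
    # write is flagged. Catalina/ is pruned because Tomcat writes there itself.
    for p in $(find -L "$conf" -path "$conf/Catalina" -prune -o -type f -perm -g+w -print); do
        is_known "$conf" "$p" && continue    # already reported above
        echo "$p: group-writable custom file"; n=$((n + 1))
    done
    hostdir="$conf/Catalina/$host"
    if [ ! -d "$hostdir" ]; then
        echo "$hostdir: missing"; n=$((n + 1))
    else
        case $(group_bits "$hostdir") in
            *w*) ;;
            *) echo "$hostdir: not group-writable, Tomcat cannot extract context.xml"; n=$((n + 1)) ;;
        esac
        if [ "$(stat -L -c '%G' "$hostdir")" != "$group" ]; then
            echo "$hostdir: group is not $group"; n=$((n + 1))
        fi
    fi
    [ "$n" -eq 0 ]
}

# Run as a script with the package's real values, e.g.
#   sh audit_conf.sh /var/lib/tomcat8/conf root tomcat8 localhost
# With fewer than three arguments only the functions are defined, so the
# file can also be sourced.
if [ $# -ge 3 ]; then
    audit_conf "$@"
fi
```

Custom files are scanned with `find`, so paths containing whitespace would be split; on a Debian layout under /etc and /var/lib that is not a concern, but an `-exec` form is the safer choice for arbitrary trees. The audit deliberately does not complain about custom files that are world-readable, matching the thread's decision to touch only the package's own files.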
__ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use [email protected] for discussions and questions.

