On Wed, 23 Nov 2016 09:35:34 +1100 Paul Szabo <paul.sz...@sydney.edu.au>
wrote:
> Package: tomcat8
> Version: 8.0.14-1+deb8u4
> Severity: critical
> Tags: security
> 
> Having installed tomcat8, the directory /etc/tomcat8/Catalina is set
> writable by group tomcat8, as per the postinst script. Then the tomcat8
> user, in the situation envisaged in DSA-3670 and DSA-3720, see also
>   http://seclists.org/fulldisclosure/2016/Oct/4
> could use something like commands
>   touch /etc/tomcat8/Catalina/attack
>   chmod 2747 /etc/tomcat8/Catalina/attack
> to create a file:
>   # ls -l /etc/tomcat8/Catalina/attack
>   -rwxr-Srwx 1 tomcat8 tomcat8 0 Nov 23 09:00 /etc/tomcat8/Catalina/attack
> Then if the tomcat8 package is removed (purged?), the postrm script runs
>   chown -Rhf root:root /etc/tomcat8/
> and that will leave the file world-writable, setgid root:
>   # ls -l /etc/tomcat8/Catalina/attack
>   -rwxr-Srwx 1 root root 0 Nov 23 09:00 /etc/tomcat8/Catalina/attack
> allowing "group root" access to the world.

I don't understand why this is a security issue when
/etc/tomcat8/Catalina/attack is owned by root:root after the purge and
the tomcat8 user doesn't even exist anymore.

Markus


Attachment: signature.asc
Description: OpenPGP digital signature

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to