Le 29/11/2016 à 23:45, Markus Koschany a écrit :

> I don't understand why this is a security issue when
> /etc/tomcat8/Catalina/attack is owned by root:root after the purge and
> the tomcat8 user doesn't even exist anymore.

My understanding is that the file is left with execution permissions for
all users and setgid root after the purge. Any local user can then take
control of the system.

Emmanuel Bourg

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to