Bug#845393: Pending fixes for bugs in the tomcat8 package
On 3/12/2016 at 08:44, paul.sz...@sydney.edu.au wrote:
> Would it be worthwhile to handle them both in the same way?
> Maybe some other things in postinst could get the same treatment.
> (Simple is easier to keep secure.)

Hi Paul,

You are right, I could have done the same thing for /etc/tomcat8/Catalina. I didn't, to keep the stable update minimal.

Emmanuel Bourg
Bug#845393: Pending fixes for bugs in the tomcat8 package
Dear Emmanuel,

The two directories

  /etc/tomcat8/Catalina
  /etc/tomcat8/Catalina/localhost

have similar ownership and permissions, but they are set up differently: localhost is "delivered" writable, while Catalina is delivered without but is then set so in postinst (and re-set at each upgrade). This seems confusing.

Would it be worthwhile to handle them both in the same way? Maybe some other things in postinst could get the same treatment. (Simple is easier to keep secure.)

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia
Bug#845393: Pending fixes for bugs in the tomcat8 package
On 2/12/2016 at 00:48, paul.sz...@sydney.edu.au wrote:
> You seem to say that /etc/tomcat8/Catalina/localhost does not need to
> be writable by tomcat8, setting it so was useless (thus wrong).

For the stable update I've left /etc/tomcat8/Catalina/localhost writable by tomcat8. As you suggested, the permissions are set at the file level inside the .deb and not in the postinst script.

https://anonscm.debian.org/cgit/pkg-java/tomcat8.git/commit/?h=jessie=d28c720

> What about the /etc/tomcat8/Catalina directory, is there a need to set
> it writable? Is there a need to have these owned by group tomcat8, could
> they be left as root:root and world-accessible?

Good question, I tend to agree. That's probably the next step; this is being discussed in #833257.

Emmanuel Bourg
Bug#845393: Pending fixes for bugs in the tomcat8 package
tag 845393 + pending
thanks

Some bugs in the tomcat8 package are closed in revision d28c720ec76f020d4a4865931a58aba47f8bfc6b in branch 'jessie' by Emmanuel Bourg

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/tomcat8.git/commit/?id=d28c720

Commit message:

    Fixed a privilege escalation when the package is upgraded (Closes: #845393)
Bug#845393: Pending fixes for bugs in the tomcat8 package
Dear Emmanuel,

(Yes, I had tomcat6, then went to tomcat8, skipping tomcat7; and have inherited things.)

You seem to say that /etc/tomcat8/Catalina/localhost does not need to be writable by tomcat8, setting it so was useless (thus wrong).

What about the /etc/tomcat8/Catalina directory, is there a need to set it writable? Is there a need to have these owned by group tomcat8, could they be left as root:root and world-accessible?

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia
Bug#845393: Pending fixes for bugs in the tomcat8 package
On 2/12/2016 at 00:32, Markus Koschany wrote:
> Just my 2 cents about the "other" packages that install files into
> /etc/tomcat8/Catalina/localhost. In my opinion they should just symlink
> files into this path if at all. You mentioned jspwiki as one possible
> candidate in one of your earlier emails but this one has been broken for
> a long time now. It is probably easier to fix such issues in those
> packages and not in Tomcat itself.

You are absolutely right. I said files, but the packages I was referring to (jspwiki and solr-jetty) install a symlink and not a file. I know these packages are broken/outdated, but they are the only examples of how web applications are supposed to be packaged in Debian.

Emmanuel Bourg
Bug#845393: Pending fixes for bugs in the tomcat8 package
On 02.12.2016 00:15, Emmanuel Bourg wrote:
> On 1/12/2016 at 21:49, paul.sz...@sydney.edu.au wrote:
[...]
>> Maybe /etc/tomcat8/Catalina/localhost is to be "delivered" writable from
>> the DEB package, the ownership only to be fixed in postinst? In the
>> current DEB, that directory is not group-writable.
>
> This is worth trying. The catch is that other packages also install
> files into /etc/tomcat8/Catalina/localhost, so they all have to set the
> permissions properly. I'll probably go down this path if someone has a
> good argument supporting the use of copyXML=true.

Just my 2 cents about the "other" packages that install files into /etc/tomcat8/Catalina/localhost. In my opinion they should just symlink files into this path if at all. You mentioned jspwiki as one possible candidate in one of your earlier emails but this one has been broken for a long time now. It is probably easier to fix such issues in those packages and not in Tomcat itself.

Markus
Bug#845393: Pending fixes for bugs in the tomcat8 package
On 1/12/2016 at 21:49, paul.sz...@sydney.edu.au wrote:
> Sorry for my previous outbursts. I was wrong.

No problem, thanks a lot for the review.

> However... will tomcat still "work"? On my machine, I have one XML file
>   /etc/tomcat8/Catalina/localhost/mapleta.xml
> in there, for the one application(?) that is installed. I guess it was
> tomcat that put it there: then tomcat needs write access to localhost.

That's a good question, and I think it should be ok.

Tomcat copies the META-INF/context.xml file from the web application into this directory and renames it if the Host element in server.xml has the copyXML attribute set to true (the default value is false). When copyXML is true and the directory is read-only, an error is displayed in catalina.out and the web application is not loaded. The error looks like this:

  Error deploying web application directory /var/lib/tomcat8/webapps/foo
  java.nio.file.AccessDeniedException: /etc/tomcat8/Catalina/localhost/foo.xml

The copyXML attribute was introduced in Tomcat 7; with Tomcat 6 the context.xml file was always copied (the behavior was thus equivalent to copyXML=true in later releases). In your case I guess you either inherited the mapleta.xml file from a Tomcat 6 installation migrated to Tomcat 7/8, put the file there manually and forgot about it, or have copyXML=true in server.xml.

I'm not sure about the use case for copyXML=true. Once the context.xml file has been copied, the original file is always ignored, even if the web application is updated with a more recent context descriptor. Thus the first deployment of the application blocks any subsequent change to the context descriptor. That's a bit odd and I'd be interested to know why people are doing this. The use of context descriptors in /etc/tomcat8/Catalina/localhost is a valid strategy to override the default configuration of the web application, but the creation of this file is necessarily a manual operation; an automatic copy brings nothing useful.

Due to the fact that copyXML defaults to false, and copyXML=true looks dubious, I think it's ok to keep the localhost directory read-only for the tomcat8 user.

> Maybe /etc/tomcat8/Catalina/localhost is to be "delivered" writable from
> the DEB package, the ownership only to be fixed in postinst? In the
> current DEB, that directory is not group-writable.

This is worth trying. The catch is that other packages also install files into /etc/tomcat8/Catalina/localhost, so they all have to set the permissions properly. I'll probably go down this path if someone has a good argument supporting the use of copyXML=true.

Emmanuel Bourg
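A quick way to check the point made above about copyXML on one's own installation, as an added example that is not part of the thread or of the tomcat8 package: pull the Host elements out of server.xml and report whether any of them sets copyXML="true", which is the only case in which Tomcat needs to write into /etc/tomcat8/Catalina/localhost. The parsing is deliberately simple (flatten the file, pick out each <Host ...> start tag with grep, look for the attribute), the two sample server.xml files are constructed here, and the function names are the example's own.

```shell
#!/bin/sh
# Added example for bug #845393 (constructed; not code from the thread or
# the tomcat8 package). Decide whether the context descriptor directory
# must be writable by the tomcat8 user, based on copyXML in server.xml.
# copyXML is absent in a default Tomcat 7/8 server.xml and defaults to false.

# Print "true" or "false", one line per <Host> start tag in the given file.
# The file is flattened first so multi-line start tags match as one unit.
# Tomcat parses the attribute case-insensitively, so the tag is lowercased.
host_copyxml_values() {
    tr '\n' ' ' < "$1" | grep -o '<Host[^>]*>' | while IFS= read -r tag; do
        lc=$(printf '%s' "$tag" | tr 'A-Z' 'a-z')
        case "$lc" in
            *copyxml=\"true\"*|*copyxml=\'true\'*) echo true ;;
            *) echo false ;;
        esac
    done
}

# Exit 0 if any Host has copyXML="true", i.e. Tomcat will try to write
# <appname>.xml into the Catalina/localhost directory on deployment.
needs_writable_localhost() {
    host_copyxml_values "$1" | grep -qx true
}

# Human-readable verdict for a server.xml ($1) and a descriptor dir ($2).
advise() {
    if needs_writable_localhost "$1"; then
        echo "copyXML=true: $2 must be writable by tomcat8, otherwise deployment fails with AccessDeniedException"
    else
        echo "copyXML unset or false: $2 can stay read-only for tomcat8"
    fi
}

# Constructed sample configurations, written into the directory given as $1:
#   server-default.xml  stock layout, no copyXML attribute
#   server-copyxml.xml  one Host with copyXML="true", one without
write_samples() {
    cat > "$1/server-default.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true">
      </Host>
    </Engine>
  </Service>
</Server>
EOF
    cat > "$1/server-copyxml.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true"
            copyXML="true">
      </Host>
      <Host name="intranet.example" appBase="intranet" autoDeploy="false"/>
    </Engine>
  </Service>
</Server>
EOF
}

# Stand-alone run: write the samples and print both verdicts.
samples=$(mktemp -d)
write_samples "$samples"
advise "$samples/server-default.xml" /etc/tomcat8/Catalina/localhost
advise "$samples/server-copyxml.xml" /etc/tomcat8/Catalina/localhost
rm -rf "$samples"
```

Run it against the real file with `advise /etc/tomcat8/server.xml /etc/tomcat8/Catalina/localhost`. The grep-based tag extraction is good enough for a hand-edited server.xml but is not an XML parser: a commented-out `<Host>` element would still be counted, so treat a "true" verdict as a prompt to look at the file rather than a final answer.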
Bug#845393: Pending fixes for bugs in the tomcat8 package
Dear Emmanuel,

Sorry for my previous outbursts. I was wrong.

Your fix (chmod-ing just Catalina, not localhost) is fine: if you do not chmod localhost, then there is no issue even if localhost is replaced by a symlink pointing somewhere.

However... will tomcat still "work"? On my machine, I have one XML file
  /etc/tomcat8/Catalina/localhost/mapleta.xml
in there, for the one application(?) that is installed. I guess it was tomcat that put it there: then tomcat needs write access to localhost.

Maybe /etc/tomcat8/Catalina/localhost is to be "delivered" writable from the DEB package, the ownership only to be fixed in postinst? In the current DEB, that directory is not group-writable.

Could you kindly explain how this all works.

Thanks, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia
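The hazard Paul and Emmanuel are circling in these messages, shown as an added demonstration (this is not code from the thread or from the tomcat8 package): a maintainer script runs `chmod 755` on a child of a directory that the unprivileged service user can write to. chmod dereferences symlinks, so if that user has replaced the child with a symlink, the mode change lands on the link's target. The script below builds the whole scenario in a temporary tree as the current user (the tomcat8 ownership is simulated, and the directory names, the `victim` target and the function names are the example's own), runs the unsafe chmod, then a guarded variant that refuses to follow symlinks.

```shell
#!/bin/sh
# Added demonstration for bug #845393 (constructed; not code from the thread
# or from the tomcat8 package). A postinst-style "chmod 755 DIR/localhost"
# is run while DIR itself is writable by the service user. That user swaps
# "localhost" for a symlink; chmod follows it, so the mode change hits the
# target. Everything lives in a temporary tree owned by the current user,
# who plays the service user; no real privileges are involved.

# What a postinst typically does: chmod dereferences symlinks.
unsafe_set_mode() {
    chmod 755 "$1"
}

# Guarded variant: refuse anything that is a symlink or not a directory.
# The check-then-chmod is still a race against a concurrent attacker; the
# real cure is not letting the service user write to the parent at all.
safe_set_mode() {
    if [ -L "$1" ] || [ ! -d "$1" ]; then
        echo "refusing to chmod $1: symlink or not a directory" >&2
        return 1
    fi
    chmod 755 "$1"
}

# Octal mode of a path, for both GNU and BSD stat. Only ever called on
# real directories here, so stat following symlinks does not matter.
mode_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%OLp' "$1"
    fi
}

# Build the scenario and print the root of the temporary tree:
#   etc/tomcat8/Catalina            group-writable (the hazard)
#   etc/tomcat8/Catalina/localhost  swapped by the attacker for a symlink
#   victim                          an unrelated directory, mode 700
setup_scenario() {
    tree=$(mktemp -d)
    mkdir -p "$tree/etc/tomcat8/Catalina/localhost" "$tree/victim"
    chmod 700 "$tree/victim"
    chmod 775 "$tree/etc/tomcat8/Catalina"
    # The attacker's move, possible only because Catalina is writable:
    rmdir "$tree/etc/tomcat8/Catalina/localhost"
    ln -s "$tree/victim" "$tree/etc/tomcat8/Catalina/localhost"
    echo "$tree"
}

# Run the unsafe chmod through the symlink; print the victim's resulting mode.
demo_unsafe() {
    tree=$(setup_scenario)
    unsafe_set_mode "$tree/etc/tomcat8/Catalina/localhost"
    result=$(mode_of "$tree/victim")   # 755: the mode went through the link
    rm -rf "$tree"
    echo "$result"
}

# Same scenario with the guard; print the victim's mode, which is unchanged.
demo_safe() {
    tree=$(setup_scenario)
    safe_set_mode "$tree/etc/tomcat8/Catalina/localhost" 2>/dev/null || true
    result=$(mode_of "$tree/victim")   # 700: untouched
    rm -rf "$tree"
    echo "$result"
}

echo "unsafe chmod through symlink: victim mode now $(demo_unsafe)"
echo "guarded chmod:                victim mode still $(demo_safe)"
```

This is why Paul's point about Catalina matters more than localhost: the attacker needs write access to the parent to plant the symlink, and the postinst needs to touch the child for the chmod to be redirected. Shipping the modes inside the .deb, as the jessie fix does, removes the postinst chmod entirely; the `safe_set_mode` guard is only a fallback for maintainer scripts that still have to operate under a directory they do not fully control.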
Bug#845393: Pending fixes for bugs in the tomcat8 package
Hmm... I just accused you of being mistaken... but maybe it is I who is wrong.
- Now thinking it through again.

Cheers, Paul
Bug#845393: Pending fixes for bugs in the tomcat8 package
Dear Emmanuel,

>> The bug depends on "Catalina" being writable; the permissions on
>> "localhost" are irrelevant.
>
> The postinst script no longer runs chmod 755 on the localhost directory.
> If I'm not mistaken this fixes the issue you reported.
>
> https://anonscm.debian.org/cgit/pkg-java/tomcat8.git/commit/?id=02570d6
>
> The script still chmods the Catalina directory but this one can't be
> replaced by a symlink.

You are mistaken. Please re-read the original bug report.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia
Bug#845393: Pending fixes for bugs in the tomcat8 package
On 1/12/2016 at 20:37, paul.sz...@sydney.edu.au wrote:
> The bug depends on "Catalina" being writable; the permissions on
> "localhost" are irrelevant.

Hi Paul,

The postinst script no longer runs chmod 755 on the localhost directory. If I'm not mistaken this fixes the issue you reported.

https://anonscm.debian.org/cgit/pkg-java/tomcat8.git/commit/?id=02570d6

The script still chmods the Catalina directory, but this one can't be replaced by a symlink.

Emmanuel Bourg
Bug#845393: Pending fixes for bugs in the tomcat8 package
Dear Emmanuel,

> No longer make /etc/tomcat8/Catalina/localhost writable ...

The bug depends on "Catalina" being writable; the permissions on "localhost" are irrelevant. Please re-open.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia
Bug#845393: Pending fixes for bugs in the tomcat8 package
tag 845393 + pending
thanks

Some bugs in the tomcat8 package are closed in revision 02570d621344cdc7cf3f3632fcbf6f6e024aa1d6 in branch 'experimental' by Emmanuel Bourg

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/tomcat8.git/commit/?id=02570d6

Commit message:

    No longer make /etc/tomcat8/Catalina/localhost writable by the tomcat8 user in the postinst script (Closes: #845393)