Comparing build logs I see:

Xenial:
dh_fixperms
# Make the/etc/tomcat8/Catalina/localhost directory writable by the tomcat user
for PACKAGE in tomcat8 tomcat8-admin tomcat8-docs tomcat8-examples; do \
  chmod 775 --verbose debian/$PACKAGE/etc/tomcat8/Catalina/localhost; \
done
mode of 'debian/tomcat8/etc/tomcat8/Catalina/localhost' changed from 0755 (rwxr-xr-x) to 0775 (rwxrwxr-x)
mode of 'debian/tomcat8-admin/etc/tomcat8/Catalina/localhost' changed from 0755 (rwxr-xr-x) to 0775 (rwxrwxr-x)
mode of 'debian/tomcat8-docs/etc/tomcat8/Catalina/localhost' changed from 0755 (rwxr-xr-x) to 0775 (rwxrwxr-x)
mode of 'debian/tomcat8-examples/etc/tomcat8/Catalina/localhost' changed from 0755 (rwxr-xr-x) to 0775 (rwxrwxr-x)

And Bionic lacks the same.

That change was in debian/rules and dropped this:
-override_dh_fixperms:
-       dh_fixperms
-       # Make the/etc/tomcat8/Catalina/localhost directory writable by the 
tomcat user
-       for PACKAGE in tomcat8 tomcat8-admin tomcat8-docs tomcat8-examples; do \
-         chmod 775 --verbose debian/$$PACKAGE/etc/tomcat8/Catalina/localhost; \
-       done
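Review bot: removing override_dh_fixperms drops the only step that set 0775 on /etc/tomcat8/Catalina/localhost at build time, so the packages now ship the directory 0755 and, as noted below, the postinst no longer changes it. That matches the position in Debian #845393 that the directory need not be writable, but it also means the Manager use case raised in this bug has no writable context directory. If writability is restored for that use case, it should be done here in debian/rules at build time, as the Xenial fix for CVE-2016-9774 did, and not reintroduced in postinst, where setting 0775 was the privilege-escalation vector.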


In Xenial that was added by pkg/import/8.0.32-1ubuntu1.3:
      * SECURITY UPDATE: privilege escalation during package upgrade
        - debian/rules, debian/tomcat8.postinst: properly set permissions on
          /etc/tomcat8/Catalina/localhost.
        - CVE-2016-9774

From there we can check the USN
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9774.html

Now things make sense:
1. in the past the postinst set 775
   -> that could be exploited
2. Xenial got a change that already at build time the permissions are set 775 
(fixing the CVE)
3. Bionic (and others) post 
   See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845393

Since then it is 755 and not changed on install.
@Arnaud - the argument in the Debian bug above was that there would be no valid 
use case for it to be writable. You seem to be able to describe a valid use 
case for it.

Would you mind chiming in on https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845393 and explaining the use case, maybe
suggesting the fix in xenial
https://git.launchpad.net/ubuntu/+source/tomcat8/tree/debian/rules?h=ubuntu/xenial-devel#n56 to make it a build time (instead of postinst) change?

** Bug watch added: Debian Bug tracker #845393
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845393

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-9774

** Changed in: tomcat8 (Ubuntu)
       Status: Confirmed => Incomplete
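The whole thread turns on one directory mode: 0755 (what Bionic ships, not writable by the tomcat group) versus 0775 (what the Xenial build-time chmod and the old postinst produced). The script below is an added example, not part of the bug report or of the tomcat8 packaging, that audits a context directory such as /etc/tomcat8/Catalina/localhost and reports which of the two states it is in. It parses the symbolic mode from `ls -ld` rather than using GNU `stat`, so it runs under plain POSIX sh; the demo directories it creates under mktemp are constructed and labelled as such, and the function never modifies anything it inspects.

```shell
#!/bin/sh
# Added example (not from the bug report or the tomcat8 package): audit the
# mode of a Tomcat context directory such as /etc/tomcat8/Catalina/localhost.
#
# Return codes of catalina_dir_status:
#   0  directory has no group or other write bit (the 0755 state Bionic ships)
#   1  directory is group- or world-writable (the 0775 state the Xenial
#      build-time chmod and the pre-CVE-2016-9774 postinst produced)
#   2  path is not a directory
catalina_dir_status() {
    dir="$1"
    [ -d "$dir" ] || return 2
    # e.g. "drwxrwxr-x"; cut keeps only the ten mode characters, dropping any
    # trailing ACL/SELinux marker ('+' or '.') that ls may append.
    symbolic=$(ls -ld "$dir" | cut -c1-10)
    gw=$(printf '%s' "$symbolic" | cut -c6)   # group write bit
    ow=$(printf '%s' "$symbolic" | cut -c9)   # other write bit
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        return 1
    fi
    return 0
}

# Human-readable one-line report; also shows owner and group so the reader
# can tell whether a group-writable directory is writable by the tomcat
# group specifically (the case the bug discusses) or by some other group.
catalina_dir_report() {
    dir="$1"
    rc=0
    catalina_dir_status "$dir" || rc=$?
    case "$rc" in
        0) state="not group/other writable (0755-style, as Bionic ships it)" ;;
        1) state="group or other writable (0775-style, as the Xenial build set it)" ;;
        *) echo "$dir: not a directory"; return "$rc" ;;
    esac
    owner_group=$(ls -ld "$dir" | awk '{print $3 ":" $4}')
    echo "$dir ($owner_group): $state"
    return "$rc"
}

# Demo on constructed directories only; nothing under /etc is touched.
demo() {
    tmp=$(mktemp -d)
    mkdir -m 0755 "$tmp/localhost-bionic"   # constructed: mode Bionic ships
    mkdir -m 0775 "$tmp/localhost-xenial"   # constructed: mode Xenial build sets
    for d in "$tmp/localhost-bionic" "$tmp/localhost-xenial"; do
        catalina_dir_report "$d" || true
    done
    rm -rf "$tmp"
}

demo
```

To check a real installation, call `catalina_dir_report /etc/tomcat8/Catalina/localhost` and compare the owner:group column with the tomcat8 service user; a return of 1 on a Bionic host means something other than the package set the write bit, which is worth tracking down before deciding whether the Manager use case is the cause.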

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1820288

Title:
  Tomcat Web Application Manager does not copy context configuration

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1820288/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
