On Sun, 29 May 2016 23:46:15 +0200 Markus Koschany <a...@debian.org> wrote:
> clone 821391 -1
> reassign -1 src:tomcat8
> retitle -1 tomcat8: postinst script overwrites file permissions in /etc
> thanks
>
> This bug also affects Tomcat 8.
>
> I have prepared another security update and I intend to change the
> current behavior in Jessie and Sid for new installations to avoid
> similar breakage when upgrading Tomcat 8.
>
> Currently tomcat8.postinst changes file ownership of all files in
> /etc/tomcat8 to root:tomcat8. I think this isn't necessary because the
> default is to use root:root (rw-r--r--) which ensures that all
> configuration files can still be read by Tomcat8. The only security
> relevant file is /etc/tomcat8/tomcat-users.xml in the default Debian
> configuration. I propose to modify only this one by changing the line
>
> chown -Rh root:$TOMCAT8_GROUP /etc/tomcat8/*
>
> to
>
> chown root:$TOMCAT8_GROUP /etc/tomcat8/tomcat-users.xml
>
> This should address the issue.
I would like to go ahead with this solution in unstable. I don't think that changing the permissions in /etc/tomcat8/policy.d (security manager) to root:root will have a negative effect, on the contrary. Those rules should only be modifiable by the system administrator anyway.

Regarding /etc/tomcat8/Catalina, I couldn't find any information that indicates a necessity for write access to this directory. It would also be wrong if a process wrote to /etc because all files in /etc should be static according to the FHS.

I would also update the Tomcat7 package.

Markus
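The targeted fix discussed in this thread, written out as a postinst-style shell fragment together with the check a packager or admin would run afterwards. This is an added example, not the Debian tomcat8 postinst or any code from the bug report: it applies the service group and mode 640 to tomcat-users.xml only, skips the file if the admin has registered a dpkg-statoverride for it, and audits the rest of the tree (policy.d, Catalina) for group/world-writable files instead of rewriting their ownership. It assumes GNU find and stat; the config directory and group are parameters, and the sample /etc/tomcat8 tree it builds under mktemp is constructed here. chgrp stands in for the chown root:$GROUP a real postinst (running as root) would use, so the example also runs unprivileged.

```shell
#!/bin/sh
# Added example, not the Debian tomcat8 postinst: the narrow ownership fix
# proposed in the bug, plus an audit of the rest of the conffile tree.
# Assumes GNU find/stat. The demo tree below is constructed, not real data.
set -eu

# Apply the targeted fix: only tomcat-users.xml (which holds the manager
# and role credentials) becomes root:<group> 640; nothing else in the tree
# is touched, so admin-set ownership elsewhere survives package upgrades.
# $1 = config dir (e.g. /etc/tomcat8), $2 = service group (e.g. tomcat8).
secure_tomcat_users() {
    dir=$1; group=$2
    f="$dir/tomcat-users.xml"
    # Debian policy 10.9: a maintainer script must not clobber an
    # ownership/mode the admin registered with dpkg-statoverride.
    if command -v dpkg-statoverride >/dev/null 2>&1 \
       && dpkg-statoverride --list "$f" >/dev/null 2>&1; then
        echo "statoverride present for $f, leaving it alone"
        return 0
    fi
    # A real postinst runs as root and would use: chown root:"$group" "$f"
    # chgrp is used here so the example also runs unprivileged.
    chgrp "$group" "$f"
    chmod 640 "$f"
}

# Audit the tree instead of rewriting it: report any conffile writable by
# group/other (would let the service rewrite its own config or the
# security-manager policy in policy.d) and a tomcat-users.xml readable by
# other users. Returns 1 if anything was reported, 0 if the tree is clean.
audit_conf_tree() {
    dir=$1
    status=0
    if find "$dir" -type f -perm /022 \
         -exec stat -c 'writable by non-root: %n (%U:%G %a)' {} + | grep .; then
        status=1
    fi
    f="$dir/tomcat-users.xml"
    if [ -e "$f" ] && find "$f" -maxdepth 0 -perm /004 | grep -q .; then
        echo "world-readable credentials: $f ($(stat -c '%U:%G %a' "$f"))"
        status=1
    fi
    return $status
}

# Build a constructed stand-in for /etc/tomcat8 as dpkg would unpack it
# (every file 644, owned by the caller) and print its path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/policy.d" "$d/Catalina/localhost"
    printf '<tomcat-users>\n  <user username="admin" password="s3cret" roles="manager-gui"/>\n</tomcat-users>\n' \
        > "$d/tomcat-users.xml"
    printf 'grant codeBase "file:${catalina.base}/webapps/-" {};\n' \
        > "$d/policy.d/04webapps.policy"
    printf '<Context path="/demo"/>\n' > "$d/Catalina/localhost/demo.xml"
    chmod 644 "$d/tomcat-users.xml" "$d/policy.d/04webapps.policy" \
              "$d/Catalina/localhost/demo.xml"
    echo "$d"
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    t=$(make_demo_tree)
    echo "--- before fix (credentials world-readable)"
    audit_conf_tree "$t" || true
    secure_tomcat_users "$t" "$(id -gn)"
    echo "--- after fix"
    audit_conf_tree "$t" && echo "clean: only tomcat-users.xml was changed"
    rm -rf "$t"
fi
```

Run with `demo` to see the audit flag the 644 tomcat-users.xml, then come back clean after the fix while policy.d and Catalina keep the 644 dpkg gave them. On a real system, running audit_conf_tree against /etc/tomcat8 (or /etc/tomcat7) after an upgrade is the quick way to confirm the postinst left the tree alone.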