On 22/07/2016 at 23:18, Markus Koschany wrote:

> I would like to go ahead with this solution in unstable. I don't think
> that changing the permissions in /etc/tomcat8/policy.d (security
> manager) to root:root will have a negative effect, on the contrary.
> Those rules should only be modifiable by the system administrator anyway.

Currently the files in /etc/tomcat8/policy.d are owned by root:tomcat8 with 644 permissions. Only the administrator can modify them, so switching to root:root will not change anything.

> Regarding /etc/tomcat8/Catalina I couldn't find any information that
> indicates a necessity for write access to this directory. It would also
> be wrong if a process wrote to /etc because all files in /etc should be
> static according to the FHS.

The Catalina directory is used to store the context.xml files from the deployed webapps. See:

https://tomcat.apache.org/tomcat-8.0-doc/config/context.html#Defining_a_context

"Individual Context elements may be explicitly defined: In an individual file at /META-INF/context.xml inside the application files. Optionally (based on the Host's copyXML attribute) this may be copied to $CATALINA_BASE/conf/[enginename]/[hostname]/ and renamed to application's base file name plus a ".xml" extension."

I agree this feature isn't FHS compliant but I can't see a better alternative for now. If we were to change that I'd prefer doing it in the new tomcat9 package to avoid disrupting existing installations.

> I would also update the Tomcat7 package.

Since we are going to remove tomcat7 I don't think it's worth updating it.