Package: tomcat6
Version: 6.0.24-2
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu maverick ubuntu-patch


Using tomcat6 package version 6.0.24-2ubuntu, after editing 
/etc/default/tomcat6 to set TOMCAT6_SECURITY=yes, Tomcat breaks on startup with 
(in catalina.out):

Using CATALINA_BASE: /var/lib/tomcat6
Using CATALINA_HOME: /usr/share/tomcat6
Using CATALINA_TMPDIR: /tmp/tomcat6-tmp
Using JRE_HOME: /usr/lib/jvm/java-6-openjdk
Using CLASSPATH: /usr/share/tomcat6/bin/bootstrap.jar
Using Security Manager
Exception in thread "main" java.lang.ExceptionInInitializerError
        at org.apache.juli.logging.LogFactory.getInstance(LogFactory.java:171)
        at org.apache.juli.logging.LogFactory.getInstance(LogFactory.java:243)
        at org.apache.juli.logging.LogFactory.getLog(LogFactory.java:298)
        at org.apache.catalina.startup.Bootstrap.<clinit>(Bootstrap.java:55)
Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission java.util.logging.config.class read)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:342)
        at java.security.AccessController.checkPermission(AccessController.java:553)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1302)
        at java.lang.System.getProperty(System.java:669)
        at org.apache.juli.logging.DirectJDKLog.<clinit>(DirectJDKLog.java:43)
        ... 4 more
Could not find the main class: org.apache.catalina.startup.Bootstrap. Program will exit.

The problem is that -Djava.security.policy is being set twice, firstly in 
/etc/init.d/tomcat6 to $CATALINA_BASE/work/catalina.policy (correct), secondly 
in /usr/share/tomcat6/bin/catalina.sh to $CATALINA_BASE/conf/catalina.policy 
(an invalid path). Unfortunately the second takes precedence, and so no policy 
file is actually used.

To fix this, I suggest patching catalina.sh to change 'conf/catalina.policy' 
references to 'work/catalina.policy'. It would also be good to remove the 
explicit setting of -Djava.security.manager and -Djava.security.policy from the 
init.d script, since it is done anyway in the init script. I've attached two 
patches for this.

Originally reported in Ubuntu by Jeff Turner, and tracked at 
https://bugs.launchpad.net/ubuntu/+source/tomcat6/+bug/591802


In Ubuntu, we've applied the attached patch to achieve the following:

  * Fixing failure to start with security manager enable (Closes: LP: #591802) 
    Thanks to Jeff Turner for patches

We thought you might be interested in doing the same. 


-- System Information:
Debian Release: squeeze/sid
  APT prefers lucid-updates
  APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-22-generic (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru tomcat6-6.0.24/debian/changelog tomcat6-6.0.24/debian/changelog
diff -Nru tomcat6-6.0.24/debian/patches/debian-changes-6.0.24-2ubuntu2 tomcat6-6.0.24/debian/patches/debian-changes-6.0.24-2ubuntu2
--- tomcat6-6.0.24/debian/patches/debian-changes-6.0.24-2ubuntu2	1970-01-01 01:00:00.000000000 +0100
+++ tomcat6-6.0.24/debian/patches/debian-changes-6.0.24-2ubuntu2	2010-06-09 23:12:45.000000000 +0100
@@ -0,0 +1,55 @@
+Description: Upstream changes introduced in version 6.0.24-2ubuntu2
+ This patch has been created by dpkg-source during the package build.
+ Here's the last changelog entry, hopefully it gives details on why
+ those changes were made:
+ .
+ tomcat6 (6.0.24-2ubuntu2) lucid; urgency=low
+ .
+   * Fixing failure to start with security manager enable (Closes: LP: #591802)
+     Thanks to Jeff Turner for patches
+ .
+ The person named in the Author field signed this changelog entry.
+Author: Adam Guthrie <asguth...@gmail.com>
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/591802
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: http://bugs.debian.org/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: <YYYY-MM-DD>
+
+--- tomcat6-6.0.24.orig/bin/catalina.sh
++++ tomcat6-6.0.24/bin/catalina.sh
+@@ -261,7 +261,7 @@ if [ "$1" = "debug" ] ; then
+         -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
+         -sourcepath "$CATALINA_HOME"/../../java \
+         -Djava.security.manager \
+-        -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \
++        -Djava.security.policy=="$CATALINA_BASE"/work/catalina.policy \
+         -Dcatalina.base="$CATALINA_BASE" \
+         -Dcatalina.home="$CATALINA_HOME" \
+         -Djava.io.tmpdir="$CATALINA_TMPDIR" \
+@@ -288,7 +288,7 @@ elif [ "$1" = "run" ]; then
+     exec "$_RUNJAVA" "$LOGGING_CONFIG" $JAVA_OPTS $CATALINA_OPTS \
+       -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
+       -Djava.security.manager \
+-      -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \
++      -Djava.security.policy=="$CATALINA_BASE"/work/catalina.policy \
+       -Dcatalina.base="$CATALINA_BASE" \
+       -Dcatalina.home="$CATALINA_HOME" \
+       -Djava.io.tmpdir="$CATALINA_TMPDIR" \
+@@ -321,7 +321,7 @@ elif [ "$1" = "start" ] ; then
+     "$_RUNJAVA" "$LOGGING_CONFIG" $JAVA_OPTS $CATALINA_OPTS \
+       -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
+       -Djava.security.manager \
+-      -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \
++      -Djava.security.policy=="$CATALINA_BASE"/work/catalina.policy \
+       -Dcatalina.base="$CATALINA_BASE" \
+       -Dcatalina.home="$CATALINA_HOME" \
+       -Djava.io.tmpdir="$CATALINA_TMPDIR" \
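Review bot: the three replaced -Djava.security.policy== lines (the debug, run and start branches of bin/catalina.sh) now hardcode "$CATALINA_BASE"/work/catalina.policy, a file that, going by $POLICY_CACHE in debian/tomcat6.init, is produced by the init script rather than by catalina.sh itself. Running catalina.sh with -security outside the init script would then point the JVM at a file that may not exist, which is the same "no policy in effect" state this bug describes. Consider defining the path once in a variable near the top of catalina.sh and using it in all three branches, and checking that the file is readable before launching so the failure is reported clearly instead of surfacing as an ExceptionInInitializerError.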
diff -Nru tomcat6-6.0.24/debian/patches/series tomcat6-6.0.24/debian/patches/series
--- tomcat6-6.0.24/debian/patches/series	2010-03-25 10:22:10.000000000 +0000
+++ tomcat6-6.0.24/debian/patches/series	2010-06-09 23:02:06.000000000 +0100
@@ -7,3 +7,4 @@
 servlet-api-OSGi.patch
 jsp-api-OSGi.patch
 allow-empty-pid-file.patch
+debian-changes-6.0.24-2ubuntu2
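Review bot: the added series entry keeps the name dpkg-source generated, debian-changes-6.0.24-2ubuntu2, which says nothing about what the patch changes, and the patch file it refers to still carries the unfilled template fields (Origin, Bug, Forwarded, Reviewed-By, Last-Update). Rename the patch to something that mentions the security policy path and replace the template block with filled-in DEP-3 fields, so the change can be tracked and forwarded as a single, identifiable fix.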
diff -Nru tomcat6-6.0.24/debian/tomcat6.init tomcat6-6.0.24/debian/tomcat6.init
--- tomcat6-6.0.24/debian/tomcat6.init	2010-03-25 22:12:33.000000000 +0000
+++ tomcat6-6.0.24/debian/tomcat6.init	2010-06-09 22:37:23.000000000 +0100
@@ -107,7 +107,6 @@
 
 SECURITY=""
 if [ "$TOMCAT6_SECURITY" = "yes" ]; then
-	JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy=\"$POLICY_CACHE\""
 	SECURITY="-security"
 fi
 
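Review bot: with the JAVA_OPTS line removed, the TOMCAT6_SECURITY branch no longer references $POLICY_CACHE at all, so nothing in this block ties the policy file the init script prepares to the path catalina.sh will pass to the JVM. Add a check inside the if, before SECURITY="-security", that $POLICY_CACHE exists and is readable, and a comment stating that it must match the work/catalina.policy path used in catalina.sh; otherwise a later change to POLICY_CACHE would silently start Tomcat against a missing policy file again.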

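The duplicate-option failure described in the report can be checked for before starting the JVM. The following is an added example, not part of the original message or of the tomcat6 package; the function names are hypothetical and the command line is constructed to mirror the report (init script option first, catalina.sh option last).

```shell
# Print the value the JVM would use for system property $1, given the
# remaining arguments as the java command line: the last -Dname=value wins.
effective_prop() {
    name=$1; shift
    value=
    for arg in "$@"; do
        case $arg in
            -D"$name"=*) value=${arg#-D"$name"=} ;;
        esac
    done
    printf '%s\n' "$value"
}

# Print each -D property name that appears more than once, one per line.
duplicate_props() {
    for arg in "$@"; do
        case $arg in
            -D*) name=${arg#-D}; printf '%s\n' "${name%%=*}" ;;
        esac
    done | sort | uniq -d
}

# Return 0 only if the effective java.security.policy names a readable file.
policy_is_readable() {
    p=$(effective_prop java.security.policy "$@")
    p=${p#=}    # "==" form: drop the second '=' to get the path
    [ -n "$p" ] && [ -r "$p" ]
}

# Constructed command line, not taken from a real process listing.
set -- -Djava.security.manager \
    "-Djava.security.policy=/var/lib/tomcat6/work/catalina.policy" \
    -Djava.security.manager \
    "-Djava.security.policy==/var/lib/tomcat6/conf/catalina.policy"
echo "set more than once: $(duplicate_props "$@" | tr '\n' ' ')"
echo "effective policy:   $(effective_prop java.security.policy "$@")"
policy_is_readable "$@" || echo "effective policy file is missing or unreadable"
```
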