On Wed, 23 Nov 2016 09:35:34 +1100 Paul Szabo <paul.sz...@sydney.edu.au> wrote:
> Package: tomcat8
> Version: 8.0.14-1+deb8u4
> Severity: critical
> Tags: security
>
> Having installed tomcat8, the directory /etc/tomcat8/Catalina is set
> writable by group tomcat8, as per the postinst script. Then the tomcat8
> user, in the situation envisaged in DSA-3670 and DSA-3720, see also
>   http://seclists.org/fulldisclosure/2016/Oct/4
> could use something like commands
>   touch /etc/tomcat8/Catalina/attack
>   chmod 2747 /etc/tomcat8/Catalina/attack
> to create a file:
>   # ls -l /etc/tomcat8/Catalina/attack
>   -rwxr-Srwx 1 tomcat8 tomcat8 0 Nov 23 09:00 /etc/tomcat8/Catalina/attack
> Then if the tomcat8 package is removed (purged?), the postrm script runs
>   chown -Rhf root:root /etc/tomcat8/
> and that will leave the file world-writable, setgid root:
>   # ls -l /etc/tomcat8/Catalina/attack
>   -rwxr-Srwx 1 root root 0 Nov 23 09:00 /etc/tomcat8/Catalina/attack
> allowing "group root" access to the world.

I don't understand why this is a security issue when
/etc/tomcat8/Catalina/attack is owned by root:root after the purge and
the tomcat8 user doesn't even exist anymore.

Markus
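
Added example, not part of the messages above and not code from the tomcat8 package: a shell sketch of the check a maintainer script could run before a recursive chown, listing files that carry setuid/setgid bits and clearing those bits plus world-write first. The function names are hypothetical, and the demo uses a scratch directory and the current user in place of /etc/tomcat8 and root:root.

```shell
#!/bin/sh
# Added example: not taken from the tomcat8 maintainer scripts.
# Function names are hypothetical.

# Print regular files under $1 that carry the setuid or setgid bit.
list_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Clear setuid/setgid and world-write on those files, then hand the tree
# to owner $2 with the same chown flags the postrm in the report uses.
harden_then_chown() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec chmod u-s,g-s,o-w {} +
    chown -Rhf "$2" "$1"
}

# Constructed demo: rebuild the reported file mode in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/Catalina"
    touch "$d/Catalina/attack"
    chmod 2747 "$d/Catalina/attack"      # mode from the report: -rwxr-Srwx
    echo "before:"; list_special_bits "$d"
    harden_then_chown "$d" "$(id -u):$(id -g)"   # stand-in for root:root
    echo "after:";  list_special_bits "$d"
    ls -l "$d/Catalina/attack"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with the argument `demo` to see the before and after listings.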