Bug#845393: Pending fixes for bugs in the tomcat8 package

2016-12-02 Thread paul . szabo
ch upgrade). This seems confusing. Would it be worthwhile to handle them both in the same way? Maybe some other things in postinst could get the same treatment. (Simple is easier to keep secure.) Cheers, Paul Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of M

Bug#845393: Pending fixes for bugs in the tomcat8 package

2016-12-01 Thread paul . szabo
, is there a need to set it writable? Is there a need to have these owned by group tomcat8, could they be left as root:root and world-accessible? Cheers, Paul Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia

Bug#845393: Pending fixes for bugs in the tomcat8 package

2016-12-01 Thread paul . szabo
from the DEB package, the ownership only to be fixed in postinst? In the current DEB, that directory is not group-writable. Could you kindly explain how this all works. Thanks, Paul Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics

Bug#845393: Pending fixes for bugs in the tomcat8 package

2016-12-01 Thread paul . szabo
Hmm... I just accused you of being mistaken... but maybe it is I who is wrong. - Now thinking it through again. Cheers, Paul __ This is the maintainer address of Debian's Java team . Please use

Bug#845393: Pending fixes for bugs in the tomcat8 package

2016-12-01 Thread paul . szabo
; > https://anonscm.debian.org/cgit/pkg-java/tomcat8.git/commit/?id=02570d6 > > The script still chmods the Catalina directory but this one can't be > replaced by a symlink. You are mistaken. Please re-read the original bug report. Cheers, Paul Paul Szabo p...@maths.usyd.edu.au h

Bug#845393: marked as done (Privilege escalation via upgrade)

2016-12-01 Thread paul . szabo
reopen 845393 thanks Not done. Please fix proper. Cheers, Paul Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia

Bug#845393: Pending fixes for bugs in the tomcat8 package

2016-12-01 Thread paul . szabo
Dear Emmanuel, > No longer make /etc/tomcat8/Catalina/localhost writable ... The bug depends on "Catalina" being writable; the permissions on "localhost" are irrelevant. Please re-open. Cheers, Paul Paul Szabo p...@maths.usyd.edu.au http://www.maths.us

Bug#845385: Privilege escalation via removal

2016-11-30 Thread paul . szabo
tice that the Debian bug contraption does not CC me on messages: just being the submitter does not add you to the CC list, you need to explicitly "subscribe". So I missed a number of intermediate messages. --- Markus wrote previously: > ... Besides all tomcat processes are killed on purge

Bug#845385: Privilege escalation via removal

2016-11-22 Thread paul . szabo
rocesses, also. That might be a "good thing": deluser or delgroup might not "work" with left-over, running processes; and might protect against a race. But really... why do you care about leaving some "dangling" useless object, owned by some long-gone UID or GID?

Bug#845393: Privilege escalation via upgrade

2016-11-22 Thread Paul Szabo
her useful attacks might be to make the objects: /root/.Xauthority /etc/ssh/ssh_host_dsa_key world-readable; or make something (already owned by group tomcat8) group-writable (some "policy" setting maybe?). Cheers, Paul Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/

Bug#845385: Privilege escalation via removal

2016-11-22 Thread Paul Szabo
the world. Cheers, Paul Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia

Bug#840685: TOCTOU race condition in initscript on chown'ing JVM_TMP temporary directory (was: Re: Bug#840685: tomcat8: DSA-3670 incomplete)

2016-10-14 Thread paul . szabo
eed for DSA. (Sorry about the noise.) Cheers, Paul Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia

Bug#840685: tomcat8: DSA-3670 incomplete

2016-10-14 Thread paul . szabo
ymlink, you do the useless "mkdir -p" and you chown; I win. For your test, you took the rm out of your script: you should see /etc being chowned to tomcat8. Please confirm. Cheers, Paul Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and

Bug#840685: tomcat8: DSA-3670 incomplete

2016-10-14 Thread paul . szabo
in less than a day is not very reasonable, > especially when there are things like the time difference between > Australia and Europe. You can do better, if you try. Cheers, Paul Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathemati

Bug#840685: tomcat8: DSA-3670 incomplete

2016-10-14 Thread paul . szabo
whole day... compared to that, Markus replied within the hour to the Debian bug. (But he did not yet reply to my next, private bug/message... seems public messaging works best!) Cheers, Paul Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics Univers

Bug#840685: tomcat8: DSA-3670 incomplete

2016-10-13 Thread paul . szabo
are appreciated. ... Maybe the security team will understand (recognize, accept) the issue without a PoC. If they reply with such a need, then I will write one. You or they might accept the suggested patch/fix: mkdir without -p, chown with -h. Cheers, Paul Paul Szabo p...@maths.usyd.edu.au http://