Package: tomcat8
Version: 8.0.14-1+deb8u4
Severity: critical
Tags: security

Having installed tomcat8, the directory /etc/tomcat8/Catalina is set writable by group tomcat8, as per the postinst script. Then the tomcat8 user, in the situation envisaged in DSA-3670 and DSA-3720 (see also http://seclists.org/fulldisclosure/2016/Oct/4), could use something like the commands

  mv -i /etc/tomcat8/Catalina/localhost /etc/tomcat8/Catalina/localhost-OLD
  ln -s /etc/shadow /etc/tomcat8/Catalina/localhost

to create a symlink:

  # ls -l /etc/tomcat8/Catalina/localhost
  lrwxrwxrwx 1 tomcat8 tomcat8 11 Nov 23 10:19 /etc/tomcat8/Catalina/localhost -> /etc/shadow

Then when the tomcat8 package is upgraded (e.g. for the next DSA), the postinst script runs

  chmod 775 /etc/tomcat8/Catalina /etc/tomcat8/Catalina/localhost

and that will make the /etc/shadow file world-readable (and group-writable).

Other useful attacks might be to make the objects

  /root/.Xauthority
  /etc/ssh/ssh_host_dsa_key

world-readable; or make something (already owned by group tomcat8) group-writable (some "policy" setting maybe?).

Cheers, Paul

Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
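A defensive counterpart, added here and not part of the Debian postinst or of this report: a POSIX sh helper that applies the package's chmod only to real directories and refuses symlinks, exercised on a constructed copy of the layout above (the temporary-directory paths and the stand-in shadow file are assumptions, not the system files).

```sh
#!/bin/sh
# Added example, not the tomcat8 postinst: chmod follows symlinks, so a
# maintainer script must refuse to change the mode of anything that is a
# symlink in a directory an unprivileged user can write to.

# safe_chmod_dir MODE PATH
# Applies MODE only when PATH is a directory and not a symlink;
# otherwise returns 1 and changes nothing.
safe_chmod_dir() {
    mode="$1"
    path="$2"
    if [ -L "$path" ]; then
        echo "refusing to chmod symlink: $path" >&2
        return 1
    fi
    if [ ! -d "$path" ]; then
        echo "not a directory: $path" >&2
        return 1
    fi
    chmod "$mode" "$path"
}

# Constructed layout under a temp dir mirroring the report: a Catalina dir
# holding a planted "localhost" symlink to a stand-in shadow file, plus a
# legitimate subdirectory. Prints: <rc for symlink> <rc for dir> <shadow mode> <dir mode>
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/tomcat8/Catalina/legit"
    printf 'root:*:1:0:99999:7:::\n' > "$tmp/etc/shadow"   # constructed stand-in
    chmod 640 "$tmp/etc/shadow"
    ln -s "$tmp/etc/shadow" "$tmp/etc/tomcat8/Catalina/localhost"

    safe_chmod_dir 775 "$tmp/etc/tomcat8/Catalina/localhost" && rc_link=0 || rc_link=1
    safe_chmod_dir 775 "$tmp/etc/tomcat8/Catalina/legit" && rc_dir=0 || rc_dir=1

    # ls -ld is portable across GNU and BSD; the first 10 chars are the mode bits
    shadow_mode=$(ls -ld "$tmp/etc/shadow" | cut -c1-10)
    legit_mode=$(ls -ld "$tmp/etc/tomcat8/Catalina/legit" | cut -c1-10)
    rm -rf "$tmp"
    echo "$rc_link $rc_dir $shadow_mode $legit_mode"
}
```

The stand-in shadow file keeps its 640 mode after the run while the real directory receives 775, which is the behaviour the unconditional `chmod 775` in the report lacks.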