This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch jessie in repository tomcat8.
commit bd3d6240c544f86e7d30cce6fd38d911f4ef5050 Author: Markus Koschany <[email protected]> Date: Thu Aug 11 22:33:07 2016 +0200 Do not unconditionally overwrite files in /etc/tomcat8 anymore. Closes: #825786 --- debian/changelog | 2 ++ debian/tomcat8.postinst | 21 +++++++++++++++++++-- 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index d67d3c2..cd1e563 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,6 +3,8 @@ tomcat8 (8.0.14-1+deb8u3) jessie-security; urgency=medium * Team upload. * tomcat8.init: Protect /var/lib/tomcat8/catalina.out against a symlink attack and possible root privilege escalation. + * Do not unconditionally overwrite files in /etc/tomcat8 anymore. + (Closes: #825786) -- Markus Koschany <[email protected]> Thu, 11 Aug 2016 22:19:27 +0200 diff --git a/debian/tomcat8.postinst b/debian/tomcat8.postinst index c180c3c..f55ed3b 100644 --- a/debian/tomcat8.postinst +++ b/debian/tomcat8.postinst 
@@ -48,8 +48,25 @@ case "$1" in # configuration files should not be modifiable by tomcat8 user, as this can be a security issue # (an attacker may insert code in a webapp and have access to all tomcat configuration) # but those files should be readable by tomcat8, so we set the group to tomcat8 - chown -Rh root:$TOMCAT8_GROUP /etc/tomcat8/* - chmod 640 /etc/tomcat8/tomcat-users.xml + for i in tomcat-users.xml web.xml server.xml logging.properties context.xml catalina.properties; + do + if [ -f "/etc/tomcat8/$i" ]; then + chown root:$TOMCAT8_GROUP /etc/tomcat8/$i + chmod 644 /etc/tomcat8/$i + fi + done + # configuration policy files should not be modifiable by the tomcat8 user. Only + # diverge from default permissions for known Debian files + chown root:$TOMCAT8_GROUP /etc/tomcat8/policy.d + for i in 01system.policy 02debian.policy 03catalina.policy 04webapps.policy 50local.policy; + do + if [ -f "/etc/tomcat8/policy.d/$i" ]; then + chown root:$TOMCAT8_GROUP /etc/tomcat8/policy.d/$i + chmod 644 /etc/tomcat8/policy.d/$i + fi + done + chown -Rh root:$TOMCAT8_GROUP /etc/tomcat8/Catalina + chown -Rh $TOMCAT8_USER:$TOMCAT8_GROUP /var/lib/tomcat8/webapps /var/lib/tomcat8/lib chmod 775 /var/lib/tomcat8/webapps chmod 775 /etc/tomcat8/Catalina /etc/tomcat8/Catalina/localhost -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
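Review bot: The first loop applies `chmod 644` to every listed file, including tomcat-users.xml, which the removed line kept at 640; this makes the file that holds Tomcat user names, passwords and roles readable by every local account. The comment above the loop only asks for the files to be readable by the tomcat8 group, and `chown root:$TOMCAT8_GROUP` already provides that, so the mode can stay restrictive: `chmod 640 "/etc/tomcat8/$i"`, at least for tomcat-users.xml and arguably for server.xml, which can carry connector or keystore secrets. The same lines leave `$i` and `$TOMCAT8_GROUP` unquoted, unlike the `[ -f "/etc/tomcat8/$i" ]` test next to them. The enclosing `case "$1" in` branch starts and ends outside this hunk, so whether a later step tightens the mode again is not visible here.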

