Bug#926338: tomcat9: tomcat user's home folder is '/'
On 21/09/2020 20:20, David Magda wrote:

> Tomcat is operating at two levels: the operating system and the
> application.
>
> Using "-Duser.home" is useful for telling the application itself where
> to look for things, but less so for doing some operations at the OS layer.
>
> One example is for CI/CD infrastructure: if someone wants to use (say)
> Jenkins to deploy WAR files as they update code, and want to use SSH
> keys for getting into front-end Tomcat systems, where would they put the
> authorized_keys(5) file?
>
> SSHd looks for it in "${HOME}/.ssh/" by default, which would mean "/.ssh/".

That's a good point. Maybe we could use /var/lib/tomcat as the home directory then.

Emmanuel Bourg
Bug#926338: tomcat9: tomcat user's home folder is '/'
On Sun, 2 Jun 2019 23:29:51 +0200, Emmanuel Bourg wrote:

> I admit using / as home directory isn't perfect, but I fail to see how
> this can be considered insecure. What about setting the -Duser.home JVM
> parameter when Tomcat is started instead of changing the system user home?

Tomcat is operating at two levels: the operating system and the application.

Using "-Duser.home" is useful for telling the application itself where to look for things, but less so for doing some operations at the OS layer.

One example is for CI/CD infrastructure: if someone wants to use (say) Jenkins to deploy WAR files as they update code, and want to use SSH keys for getting into front-end Tomcat systems, where would they put the authorized_keys(5) file?

SSHd looks for it in "${HOME}/.ssh/" by default, which would mean "/.ssh/". So where would one put it? Should the passwd(5) file simply be edited manually after installation?
Bug#926338: tomcat9: tomcat user's home folder is '/'
On 03/04/2019 at 18:40, Alex wrote:

> A problem begins when some of Tomcat's webapps are trying to access $HOME for
> writing. That's completely another question about _why_ they want to write to
> $HOME. But the whole idea having `/` as home dir is definitely insecure.

The previous tomcat8 package created a 'tomcat8' user with /var/lib/tomcat8/ as its home directory. /var/lib/tomcat8/ was chmod 755 root:root, so if I'm not mistaken tomcat8 couldn't write to its home directory either.

The new tomcat9 package now creates a generic 'tomcat' user with no version in the name. It's no longer possible to use /var/lib/tomcat9 as home directory, that would be problematic when the tomcat9 package is replaced by tomcat10.

I admit using / as home directory isn't perfect, but I fail to see how this can be considered insecure. What about setting the -Duser.home JVM parameter when Tomcat is started instead of changing the system user home?

Emmanuel Bourg
Bug#926338: tomcat9: tomcat user's home folder is '/'
Package: tomcat9
Version: 9.0.16-1~bpo9+1
Severity: important
Tags: d-i

Dear Maintainer,

With default `tomcat9` installation a system user is created as per the following instructions:

    # Create the tomcat user as defined in /usr/lib/sysusers.d/tomcat9.conf
    systemd-sysusers

/usr/lib/sysusers.d/tomcat9.conf:

    #Type Name   ID GECOS           Home directory Shell
    u     tomcat -  "Apache Tomcat" -              /usr/sbin/nologin

Which results in `/` (root folder) as a home dir:

    grep tomcat /etc/passwd | awk -F: '{ print $6}'
    /

A problem begins when some of Tomcat's webapps are trying to access $HOME for writing. That's completely another question about _why_ they want to write to $HOME. But the whole idea having `/` as home dir is definitely insecure.

-- System Information:
Debian Release: 9.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-0.bpo.2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tomcat9 depends on:
ii  lsb-base        9.20161125
ii  systemd         241-1~bpo9+1
ii  tomcat9-common  9.0.16-1~bpo9+1
ii  ucf             3.0036

Versions of packages tomcat9 recommends:
ii  libtcnative-1  1.2.21-1~bpo9+1

Versions of packages tomcat9 suggests:
ii  tomcat9-admin     9.0.16-1~bpo9+1
pn  tomcat9-docs
pn  tomcat9-examples
ii  tomcat9-user      9.0.16-1~bpo9+1

-- no debconf information
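The following script is an added example, not part of the bug report and not code from the Debian tomcat9 package. It reproduces the two observations made in this thread on constructed input: a sysusers.d "u" line whose home field is "-" is recorded by systemd-sysusers as "/" in passwd(5) (the report's grep output above), and sshd's default AuthorizedKeysFile, .ssh/authorized_keys relative to the account's home, then resolves to /.ssh/authorized_keys (the CI/CD point raised later in the thread). The passwd lines, the UID 997 and the /var/lib/tomcat variant of the sysusers line are constructed for the example; the only real-system call is getent(1) in audit_account, which can be pointed at a host after the package is installed.

```sh
#!/bin/sh
# Added example, not code from the bug report or the Debian tomcat9 package.
# Shows what home directory a sysusers.d(5) "u" line yields and where sshd
# will consequently look for the account's authorized_keys file.

# Constructed inputs (not read from a live system). The first sysusers line
# is the one quoted in the report; the second carries the /var/lib/tomcat
# home proposed in the thread. UID/GID 997 are made up for the example.
SYSUSERS_AS_SHIPPED='u tomcat - "Apache Tomcat" - /usr/sbin/nologin'
SYSUSERS_PROPOSED='u tomcat - "Apache Tomcat" /var/lib/tomcat /usr/sbin/nologin'
PASSWD_AS_SHIPPED='tomcat:x:997:997:Apache Tomcat:/:/usr/sbin/nologin'
PASSWD_PROPOSED='tomcat:x:997:997:Apache Tomcat:/var/lib/tomcat:/usr/sbin/nologin'

# sysusers_home LINE: the home directory systemd-sysusers records for a "u"
# line. Fields are whitespace separated (type name id gecos home shell); the
# GECOS field is double-quoted and may contain spaces, so it is blanked out
# before splitting. A home of "-" (or a missing field) means "unset", which
# systemd-sysusers stores as "/", exactly what the report's grep shows.
sysusers_home() {
    field=$(printf '%s\n' "$1" | sed 's/"[^"]*"/-/' | awk '{ print $5 }')
    case "$field" in
        ''|-) printf '/\n' ;;
        *)    printf '%s\n' "$field" ;;
    esac
}

# passwd_home ENTRY: field 6 (home directory) of a passwd(5) entry; the same
# field the report extracts with awk -F: '{ print $6 }'.
passwd_home() {
    printf '%s\n' "$1" | cut -d: -f6
}

# authorized_keys_path HOME: where sshd with the default AuthorizedKeysFile
# (.ssh/authorized_keys, relative to the home directory) looks for keys.
# Avoids producing "//.ssh" when HOME is "/".
authorized_keys_path() {
    case "$1" in
        */) printf '%s.ssh/authorized_keys\n' "$1" ;;
        *)  printf '%s/.ssh/authorized_keys\n' "$1" ;;
    esac
}

# home_is_acceptable HOME: returns 0 for a dedicated per-service directory,
# 1 for "/" or an empty home (the condition this bug report is about).
home_is_acceptable() {
    case "$1" in
        ''|/) return 1 ;;
        *)    return 0 ;;
    esac
}

# audit_account NAME: the same check against the live account database via
# getent(1). Returns 2 when the account does not exist, so the script can
# double as a post-install check, e.g. `audit_account tomcat`.
audit_account() {
    entry=$(getent passwd "$1") || return 2
    home_is_acceptable "$(passwd_home "$entry")"
}

# Walk both sysusers variants and report what each resolves to.
for cfg in "$SYSUSERS_AS_SHIPPED" "$SYSUSERS_PROPOSED"; do
    home=$(sysusers_home "$cfg")
    if home_is_acceptable "$home"; then verdict=ok; else verdict='BAD: home is /'; fi
    printf 'sysusers: %s\n  home=%s  sshd keys=%s  [%s]\n' \
        "$cfg" "$home" "$(authorized_keys_path "$home")" "$verdict"
done
```

Two caveats for anyone applying the /var/lib/tomcat suggestion: -Duser.home only changes what System.getProperty("user.home") returns inside the JVM, while sshd, cron and anything else that resolves the account through passwd(5) keep using the home recorded there, which is what audit_account checks. And sshd's StrictModes (on by default) refuses an authorized_keys file whose home directory, .ssh directory or the file itself is group- or world-writable; a 755 root:root home directory like the one the tomcat8 package used satisfies that, but it also means the key file has to be installed by root rather than by the tomcat user.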