Bug#926338: tomcat9: tomcat user's home folder is '/'

2020-09-24 Thread Emmanuel Bourg
On 21/09/2020 20:20, David Magda wrote:

> Tomcat is operating at two levels: the operating system and the
> application.
> 
> Using "-Duser.home" is useful for telling the application itself where
> to look for things, but less so for doing some operations at the OS layer.
> 
> One example is for CI/CD infrastructure: if someone wants to use (say)
> Jenkins to deploy WAR files as they update code, and want to use SSH
> keys for getting into front-end Tomcat systems, where would they put the
> authorized_keys(5) file?
> 
> SSHd looks for it in "${HOME}/.ssh/" by default, which would mean "/.ssh/".

That's a good point. Maybe we could use /var/lib/tomcat as the home
directory then.

Emmanuel Bourg
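As an added example (not from the bug thread or the Debian tomcat9 package), the shipped sysusers.d fragment with its unset home beside the /var/lib/tomcat variant proposed above, plus a POSIX shell check that flags system accounts whose passwd home directory is `/`. The passwd content is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the tomcat9 package or the bug report.
# Two sysusers.d lines: the shipped one (home "-", which sysusers.d(5)
# defines as "defaults to the root directory") and the variant proposed
# in the thread. Column layout: Type Name ID GECOS Home Shell
SYSUSERS_DEFAULT='u tomcat - "Apache Tomcat" - /usr/sbin/nologin'
SYSUSERS_PROPOSED='u tomcat - "Apache Tomcat" /var/lib/tomcat /usr/sbin/nologin'

# Home directory a sysusers.d "u" line yields: "-" or an empty field
# means unset, which ends up as "/" in passwd (what the report shows).
sysusers_home() {
    # $1: one sysusers.d line. Replace the quoted GECOS field first so its
    # embedded spaces do not shift the column count.
    home=$(printf '%s\n' "$1" | sed 's/"[^"]*"/GECOS/' | awk '{ print $5 }')
    if [ "$home" = "-" ] || [ -z "$home" ]; then
        echo "/"
    else
        echo "$home"
    fi
}

# Audit passwd-format content (stdin): print system accounts (UID < 1000)
# whose home directory is exactly "/", one name per line.
# root is not reported because its home is /root, not /.
root_home_accounts() {
    awk -F: '$3 < 1000 && $6 == "/" { print $1 }'
}

# Constructed passwd sample: root, a normal service account, the tomcat
# account as created by the default fragment, and a regular user.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
tomcat:x:998:998:Apache Tomcat:/:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Run the audit over the constructed sample (on a real host:
# root_home_accounts < /etc/passwd).
audit_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | root_home_accounts
}

printf 'default fragment home:  %s\n' "$(sysusers_home "$SYSUSERS_DEFAULT")"
printf 'proposed fragment home: %s\n' "$(sysusers_home "$SYSUSERS_PROPOSED")"
printf 'accounts with home "/": %s\n' "$(audit_sample | tr '\n' ' ')"
```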



Bug#926338: tomcat9: tomcat user's home folder is '/'

2020-09-21 Thread David Magda

On Sun, 2 Jun 2019 23:29:51 +0200, Emmanuel Bourg wrote:

> I admit using / as home directory isn't perfect, but I fail to see how
> this can be considered insecure.
>
> What about setting the -Duser.home JVM parameter when Tomcat is started
> instead of changing the system user home?

Tomcat is operating at two levels: the operating system and the application.

Using "-Duser.home" is useful for telling the application itself where 
to look for things, but less so for doing some operations at the OS layer.


One example is for CI/CD infrastructure: if someone wants to use (say) 
Jenkins to deploy WAR files as they update code, and want to use SSH 
keys for getting into front-end Tomcat systems, where would they put the 
authorized_keys(5) file?


SSHd looks for it in "${HOME}/.ssh/" by default, which would mean "/.ssh/".

So where would one put it? Should the passwd(5) file simply be edited 
manually after installation?




Bug#926338: tomcat9: tomcat user's home folder is '/'

2019-06-02 Thread Emmanuel Bourg
On 03/04/2019 at 18:40, Alex wrote:

> A problem begins when some of Tomcat's webapps are trying to access $HOME for 
> writing. That's completely another question about _why_ they want to write to 
> $HOME. But the whole idea having `/` as home dir is definitely insecure.

The previous tomcat8 package created a 'tomcat8' user with
/var/libtomcat8/ as its home directory. /var/libtomcat8/ was chmod 755
root:root, so if I'm not mistaken tomcat8 couldn't write to its home
directory either.

The new tomcat9 package now creates a generic 'tomcat' user with no
version in the name. It's no longer possible to use /var/lib/tomcat9 as
home directory, that would be problematic when the tomcat9 package is
replaced by tomcat10.

I admit using / as home directory isn't perfect, but I fail to see how
this can be considered insecure.

What about setting the -Duser.home JVM parameter when Tomcat is started
instead of changing the system user home?

Emmanuel Bourg



Bug#926338: tomcat9: tomcat user's home folder is '/'

2019-04-03 Thread Alex
Package: tomcat9
Version: 9.0.16-1~bpo9+1
Severity: important
Tags: d-i

Dear Maintainer,

With default `tomcat9` installation a system user is created as per the
following instructions:

# Create the tomcat user as defined in /usr/lib/sysusers.d/tomcat9.conf
systemd-sysusers


/usr/lib/sysusers.d/tomcat9.conf:
#Type Name ID GECOS Home directory Shell
u tomcat   -  "Apache Tomcat"   -  /usr/sbin/nologin


Which results in `/` (the root folder) as the home dir:
grep tomcat /etc/passwd | awk -F: '{ print $6}'
/

A problem begins when some of Tomcat's webapps are trying to access $HOME for 
writing. That's completely another question about _why_ they want to write to 
$HOME. But the whole idea having `/` as home dir is definitely insecure.


-- System Information:
Debian Release: 9.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-0.bpo.2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tomcat9 depends on:
ii  lsb-base9.20161125
ii  systemd 241-1~bpo9+1
ii  tomcat9-common  9.0.16-1~bpo9+1
ii  ucf 3.0036

Versions of packages tomcat9 recommends:
ii  libtcnative-1  1.2.21-1~bpo9+1

Versions of packages tomcat9 suggests:
ii  tomcat9-admin 9.0.16-1~bpo9+1
pn  tomcat9-docs  
pn  tomcat9-examples  
ii  tomcat9-user  9.0.16-1~bpo9+1

-- no debconf information