[Bug 557300] Re: tomcat6 package should fully support running as a different user
** Tags added: verification-done ** Tags removed: verification-needed -- tomcat6 package should fully support running as a different user https://bugs.launchpad.net/bugs/557300 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 557300] Re: tomcat6 package should fully support running as a different user
This bug was fixed in the package tomcat6 - 6.0.24-2ubuntu1.1

---
tomcat6 (6.0.24-2ubuntu1.1) lucid-proposed; urgency=low

  * debian/patches/fix-jsp-regression.patch: Fix regression in JSP compilation that resulted in "Duplicate local variable" errors when using Struts 1.2 or bean:define (LP: #563642)
  * debian/tomcat6.{postinst,prerm}: Respect TOMCAT6_USER and TOMCAT6_GROUP as defined in /etc/default/tomcat6 when setting directory permissions and authbind configuration (LP: #557300)
  * debian/tomcat6.postinst: Use group "tomcat6" instead of "adm" for permissions in /var/lib/tomcat6, so that group "adm" doesn't get write permissions over /var/lib/tomcat6/webapps (LP: #569118)

 -- Thierry Carrez  Fri, 21 May 2010 10:11:35 +0200

** Changed in: tomcat6 (Ubuntu Lucid)
Status: Fix Committed => Fix Released
[Bug 557300] Re: tomcat6 package should fully support running as a different user
As far as I can tell, this is now working okay. I haven't been able to test a package upgrade, but have tried installing a new package with and without /etc/default/tomcat6 already existing and with/without TOMCAT6_[USER|GROUP] being set and all seems well. If the tomcat6 user and group are customised, the package sets the ownership as requested and also does not create any extra users or groups. The only slight problem is that the group for the log and cache directories is hard-coded to adm and any post-installation changes will be reverted by package updates. I think we can live with this, but we had previously changed this group to be the same as the group for the other directories. It is not possible for a sysadmin to tweak the permissions of directories as these will not be honoured by future package updates (no statoverride checks). I believe this is intentional.
[Bug 557300] Re: tomcat6 package should fully support running as a different user
@Max: could you enable lucid-proposed and confirm that the problem is satisfactorily fixed in the tomcat6 6.0.24-2ubuntu1.1 package? Thanks in advance.
[Bug 557300] Re: tomcat6 package should fully support running as a different user
** Branch linked: lp:ubuntu/tomcat6
[Bug 557300] Re: tomcat6 package should fully support running as a different user
This bug was fixed in the package tomcat6 - 6.0.26-2

---
tomcat6 (6.0.26-2) unstable; urgency=low

  * debian/tomcat6.{postinst,prerm}: Respect TOMCAT6_USER and TOMCAT6_GROUP as defined in /etc/default/tomcat6 when setting directory permissions and authbind configuration (Closes: #581018, LP: #557300)
  * debian/tomcat6.postinst: Use group "tomcat6" instead of "adm" for permissions in /var/lib/tomcat6, so that group "adm" doesn't get write permissions over /var/lib/tomcat6/webapps (LP: #569118)

tomcat6 (6.0.26-1) unstable; urgency=low

  * New upstream version
  * Apply patch from Mark Scott to fix tomcat6-instance-create which failed when multiple commandline options are provided, fix creation of FULLPATH (Closes: #575580)

tomcat6 (6.0.24-5) unstable; urgency=low

  * Added optimised garbage collection options to tomcat6's default options. Thanks to Aaron J. Zirbes and Thierry Carrez for research and the patch. (Closes: LP: #541520)
  * Updated the changelog to mention closed CVE's in the 6.0.24-1 release.
  * Applied patch from Arto Jantunen fixing an issue with cleaning up the pid-file. (Closes: #574084)

tomcat6 (6.0.24-4) unstable; urgency=low

  * debian/tomcat6.postrm: fix removal of Tomcat (Closes: #567548)
  * Set UTF-8 as default character encoding - Patch by Thomas Koch (Closes: #573539)

tomcat6 (6.0.24-3) unstable; urgency=medium

  * Set the major, minor and build versions when calling Ant (Closes: LP: #495505)
  * Rebuild with a more recent version of maven-repo-helper which puts the javax jars at the correct location in the Maven repository. Fixes several FTBFS in other packages.

 -- Thierry Carrez  Fri, 04 Jun 2010 14:12:22 +0100

** Changed in: tomcat6 (Ubuntu)
Status: Fix Committed => Fix Released
[Bug 557300] Re: tomcat6 package should fully support running as a different user
** Branch linked: lp:ubuntu/lucid-proposed/tomcat6
[Bug 557300] Re: tomcat6 package should fully support running as a different user
Accepted tomcat6 into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

** Tags added: verification-needed
[Bug 557300] Re: tomcat6 package should fully support running as a different user
** Branch linked: lp:debian/sid/tomcat6
[Bug 557300] Re: tomcat6 package should fully support running as a different user
** Changed in: tomcat6 (Debian) Status: New => Fix Released
[Bug 557300] Re: tomcat6 package should fully support running as a different user
** Changed in: tomcat6 (Ubuntu)
Status: Triaged => Fix Committed

** Changed in: tomcat6 (Ubuntu Lucid)
Status: In Progress => Fix Committed
[Bug 557300] Re: tomcat6 package should fully support running as a different user
** Description changed:

  Binary package hint: tomcat6

  I run tomcat6 on Ubuntu 8.10, installed from the tomcat6 package. I need to run tomcat as a different user to 'tomcat6' so have configured this via the TOMCAT6_USER variable in /etc/default/tomcat6. I then manually changed the ownership of tomcat's various directories for this to work. This has been fine for over a year and has survived updates to the tomcat6 package.

  However, this morning I upgraded to 6.0.18-0ubuntu3.3 and afterwards found that tomcat no longer ran. After investigation, I found that the upgrade had chowned and chgrped tomcat's directories to the tomcat6 user/group. This left tomcat unable to run as it couldn't read or write key directories.

  Looking at the tomcat6 package, this happens in the postinst script, during the configure stage. The same also happens in the current tomcat6 package in Ubuntu 10.04.

  I would suggest that these chowns/chgrps either be removed, or that they are made aware of the user that tomcat runs as. Could this be done by passing options through debconf?
+
+ == SRU Report ==
+ Impact:
+ If the user sets TOMCAT6_USER (in /etc/default/tomcat6) to something else than "tomcat6", the system instance will not run. If the user fixes the directory permissions to make it work, those modifications will be lost at the next tomcat6 update.
+
+ Development branch fix:
+ We are trying to keep sync with Debian, fix was proposed to debian-java SVN and pending release.
+
+ Minimal patch:
+ See attached in comment
+
+ TEST CASE:
+ $ sudo apt-get install tomcat6
+ $ sudo service tomcat6 stop
+ Edit /etc/default/tomcat6 and set TOMCAT6_USER=foobar
+ $ sudo dpkg-reconfigure tomcat6
+ Affected version:
+ Tomcat fails to restart due to user 'fewbar' not found. If you manually create the user, restart still fails on permission denied over various directories.
+ Fixed version:
+ Tomcat restarts successfully and works ok.
+
+ Regression potential:
+ The only thing changing for normal users (those who had TOMCAT6_USER=TOMCAT6_GROUP="tomcat6") is that the group is now created separately from the user.

** Attachment added: "Minimal SRU patch"
   http://launchpadlibrarian.net/48859377/user-patch
[Bug 557300] Re: tomcat6 package should fully support running as a different user
** Branch linked: lp:~ttx/tomcat6/lucid-sru
[Bug 557300] Re: tomcat6 package should fully support running as a different user
** Also affects: tomcat6 (Ubuntu Lucid)
Importance: Undecided
Status: New

** Changed in: tomcat6 (Ubuntu Lucid)
Importance: Undecided => Medium

** Changed in: tomcat6 (Ubuntu Lucid)
Status: New => In Progress

** Changed in: tomcat6 (Ubuntu Lucid)
Assignee: (unassigned) => Thierry Carrez (ttx)

** Changed in: tomcat6 (Ubuntu)
Importance: Wishlist => Medium
[Bug 557300] Re: tomcat6 package should fully support running as a different user
Yes, I'll go for (2) in Lucid SRU and for (2)+(4) for Maverick (see https://blueprints.launchpad.net/ubuntu/+spec/server-maverick-tomcat for details). Thanks for your input!
[Bug 557300] Re: tomcat6 package should fully support running as a different user
It sounds like either 2 or 3 would 'fix' the bug. Solution two strikes me as the simplest from the end-user perspective, and has the added advantage that it would allow future package updates to tweak permissions.
[Bug 557300] Re: tomcat6 package should fully support running as a different user
** Changed in: tomcat6 (Debian) Status: Unknown => New
[Bug 557300] Re: tomcat6 package should fully support running as a different user
** Bug watch added: Debian Bug tracker #581018
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581018

** Also affects: tomcat6 (Debian) via
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581018
Importance: Unknown
Status: Unknown
[Bug 557300] Re: tomcat6 package should fully support running as a different user
There are several solutions:

1/ Only set the permissions on original installation (do not modify on upgrades)
2/ Make installation/upgrades look into /etc/default/tomcat6 to get the user name
3/ Make installation/upgrades respect dpkg-statoverride (do not change permissions on upgrades if dpkg-statoverridden)
4/ Preseed the user you want tomcat6 to run under

I think we want to keep the possibility to improve permissions on future upgrades, so solution (1) is not good. Solution (4) is technically the best, but it's a new feature so it's too much for a SRU.

As far as a Lucid SRU is concerned, solution (2) or (3) are the smallest change (they are not exclusive, btw). Both are slightly inconvenient (one requires the /etc/default/tomcat6 file to be present before install (or not purged from a previous install), while the other requires to run a few dpkg-statoverride/user creation/authbind configuration commands). But they would survive upgrades perfectly.

Let me know if that would be acceptable.

NB: I would keep the "tomcat6" group as is.

** Changed in: tomcat6 (Ubuntu)
Status: Confirmed => Triaged

** Changed in: tomcat6 (Ubuntu)
Assignee: (unassigned) => Thierry Carrez (ttx)
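Solutions (2) and (3) from the message above, combined in one maintainer-script style sketch. This is an added example, not part of the thread and not the tomcat6 package's postinst; the function names, the DRY_RUN variable and the choice of paths passed in are assumptions.

```shell
#!/bin/sh
# Added illustration; NOT the tomcat6 package's postinst script.
# Function names and the DRY_RUN variable are hypothetical.

# Solution (2): read the service account from the defaults file,
# falling back to tomcat6:tomcat6 when the file or a variable is absent.
# The file is sourced in a subshell so its variables do not leak into
# the calling script. Pass a path containing a slash, otherwise "." would
# search PATH for the file.
resolve_owner() {
    (
        TOMCAT6_USER=tomcat6
        TOMCAT6_GROUP=tomcat6
        if [ -r "$1" ]; then
            . "$1"
        fi
        printf '%s:%s\n' "$TOMCAT6_USER" "$TOMCAT6_GROUP"
    )
}

# Solution (3): true when the administrator registered an override for
# this path. dpkg-statoverride --list exits non-zero when nothing matches.
has_override() {
    dpkg-statoverride --list "$1" >/dev/null 2>&1
}

# Apply OWNER to each path unless the path is overridden. Prints one
# decision line per path ("skip PATH" or "chown OWNER PATH"); with
# DRY_RUN=1 the decisions are printed but nothing is changed.
fix_ownership() {
    owner=$1
    shift
    for path in "$@"; do
        if has_override "$path"; then
            echo "skip $path"
        else
            echo "chown $owner $path"
            if [ "${DRY_RUN:-0}" != 1 ]; then
                chown "$owner" "$path"
            fi
        fi
    done
}
```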
[Bug 557300] Re: tomcat6 package should fully support running as a different user
** Summary changed:

- tomcat6 does not respect dpkg-statoverride settings
+ tomcat6 package should fully support running as a different user
[Bug 557300] Re: tomcat6 package should fully support running as a different user
Sorry about that. Confirmed.
[Bug 557300] Re: tomcat6 package should fully support running as a different user
You are only testing /etc/tomcat6/. This is not in the list of files that the package is modifying. See comment 2 in this bug or the package's postinst script.
[Bug 557300] Re: tomcat6 package should fully support running as a different user
I just tested this on a fresh Hardy install (tomcat55) and it also does not work:

==
# dpkg-statoverride --add ubuntu ubuntu 755 /etc/tomcat5.5
# dpkg-statoverride --list
ubuntu ubuntu 755 /etc/tomcat5.5
# aptitude install tomcat5.5
# ls -ld /etc/tomcat5.5/
drwxr-x--- 4 tomcat55 adm 4096 2010-04-09 17:23 /etc/tomcat5.5/
==

Here is the same with a fresh Intrepid (tomcat6) install:

==
# dpkg-statoverride --add ubuntu ubuntu 755 /etc/tomcat6
# dpkg-statoverride --list
ubuntu ubuntu 755 /etc/tomcat6
# apt-cache madison tomcat6
tomcat6 | 6.0.18-0ubuntu3.3 | http://archive.ubuntu.com intrepid-updates/main Packages
tomcat6 | 6.0.18-0ubuntu3.3 | http://security.ubuntu.com intrepid-security/main Packages
tomcat6 | 6.0.18-0ubuntu3 | http://archive.ubuntu.com intrepid/main Packages
# aptitude install tomcat6=6.0.18-0ubuntu3
# ls -ld /etc/tomcat6/
drwxr-xr-x 3 ubuntu ubuntu 4096 2010-04-09 17:43 /etc/tomcat6/
==

Then, still on Intrepid:

==
# aptitude purge tomcat6
# dpkg-statoverride --list
ubuntu ubuntu 755 /etc/tomcat6
# aptitude install tomcat6=6.0.18-0ubuntu3.3
# ls -ld /etc/tomcat6/
drwxr-xr-x 4 ubuntu ubuntu 4096 2010-04-09 18:04 /etc/tomcat6/
==

So I'm not sure how to interpret this. Anyone?
[Bug 557300] Re: tomcat6 package should fully support running as a different user
I agree with that statement. The current version of tomcat6 correctly supports two modes of operation: running as a system instance as the "tomcat6" user (package "tomcat6") or running as a private instance under the user of your choice (package "tomcat6-user", then use tomcat6-instance-create). Changing that TOMCAT6_USER line will make it run as another user, but it will most likely fail to work properly without additional changes.

** Summary changed:

- tomcat6 package should respect dpkg-statoverride (support running as a different user)
+ tomcat6 package should fully support running as a different user