tomcat6 package should fully support running as a different user

Bug #557300 reported by Max on 2010-04-07
24
This bug affects 3 people
Affects Status Importance Assigned to Milestone
tomcat6 (Debian)
Fix Released
Unknown
tomcat6 (Ubuntu)
Medium
Thierry Carrez
Lucid
Medium
Thierry Carrez

Bug Description

Binary package hint: tomcat6

I run tomcat6 on Ubuntu 8.10, installed from the tomcat6 package. I need to run tomcat as a different user to 'tomcat6' so have configured this via the TOMCAT6_USER variable in /etc/default/tomcat6. I then manually changed the ownership of tomcat's various directories for this to work. This has been fine for over a year and has survived updates to the tomcat6 package. However, this morning I upgraded to 6.0.18-0ubuntu3.3 and afterwards found that tomcat no longer ran. After investigation, I found that the upgrade had chowned and chgrped tomcat's directories to the tomcat6 user/group. This left tomcat unable to run as it couldn't read or write key directories.

Looking at the tomcat6 package, this happens in the postinst script, during the configure stage. The same also happens in the current tomcat6 package in Ubuntu 10.04. I would suggest that these chowns/chgrps either be removed, or that they are made aware of the user that tomcat runs as. Could this be done by passing options through debconf?

== SRU Report ==
Impact:
If the user sets TOMCAT6_USER (in /etc/default/tomcat6) to something else than "tomcat6", the system instance will not run. If the user fixes the directory permissions to make it work, those modifications will be lost at the next tomcat6 update.

Development branch fix:
We are trying to keep sync with Debian, fix was proposed to debian-java SVN and pending release.

Minimal patch:
See attached in comment

TEST CASE:
$ sudo apt-get install tomcat6
$ sudo service tomcat6 stop
Edit /etc/default/tomcat6 and set TOMCAT6_USER=foobar
$ sudo dpkg-reconfigure tomcat6
Affected version:
Tomcat fails to restart due to user 'fewbar' not found. If you manually create the user, restart still fails on permission denied over various directories.
Fixed version:
Tomcat restarts successfully and works ok.

Regression potential:
The only thing changing for normal users (those who had TOMCAT6_USER=TOMCAT6_GROUP="tomcat6") is that the group is now created separately from the user.

Thierry Carrez (ttx) wrote :

The proper way to do this kind of permissions change in a way that persists future package upgrades is to override permissions through "dpkg-statoverride". The tomcat6 package is thought to honor such overrides properly, please reopen the bug if you still have issues when using the debian way to do what you want.

Changed in tomcat6 (Ubuntu):
status: New → Invalid
Max (mjs510) on 2010-04-08
Changed in tomcat6 (Ubuntu):
status: Invalid → New
Max (mjs510) wrote :

I've just added the following stat overrides on a system that had not yet upgraded to the latest tomcat6 package:

dpkg-statoverride --add cms cms 750 /var/log/tomcat6/
dpkg-statoverride --add cms cms 755 /var/lib/tomcat6/temp/
dpkg-statoverride --add cms cms 750 /var/cache/tomcat6
dpkg-statoverride --add root cms 775 /etc/tomcat6/Catalina
dpkg-statoverride --add root cms 775 /etc/tomcat6/Catalina/localhost
dpkg-statoverride --add root cms 775 /var/lib/tomcat6/webapps

I then ran a dist-upgrade. After the upgrade, the directories listed above had all had their user and or group changed as follows:

root@host:/var/lib/tomcat6# ls -ld /var/log/tomcat6/
drwxr-x--- 2 tomcat6 adm 4096 2010-04-08 09:47 /var/log/tomcat6/
root@host:/var/lib/tomcat6# ls -ld /var/lib/tomcat6/temp/
drwxr-xr-x 2 tomcat6 cms 4096 2009-12-21 15:11 /var/lib/tomcat6/temp/
root@host:/var/lib/tomcat6# ls -ld /var/cache/tomcat6
drwxr-x--- 2 tomcat6 adm 4096 2010-04-08 10:37 /var/cache/tomcat6
root@host:/var/lib/tomcat6# ls -ld /etc/tomcat6/Catalina
drwxrwxr-x 3 root tomcat6 4096 2009-10-12 09:27 /etc/tomcat6/Catalina
root@host:/var/lib/tomcat6# ls -ld /etc/tomcat6/Catalina/localhost
drwxrwxr-x 2 root tomcat6 4096 2010-04-08 10:37 /etc/tomcat6/Catalina/localhost
root@host:/var/lib/tomcat6# ls -ld /var/lib/tomcat6/webapps
drwxrwxr-x 4 root tomcat6 4096 2009-12-18 09:36 /var/lib/tomcat6/webapps

Before the upgrade, the permissions and ownership of the directories matched those specified in the statoverrides.

The postinst scripts for tomcat6_6.0.18-0ubuntu3.3_all.deb and tomcat6_6.0.24-2ubuntu1_all.deb both contain chowns and chmods like the following (from 6.0.18):

 chown -R tomcat6:adm /var/log/tomcat6 /var/cache/tomcat6
 chmod 750 /var/log/tomcat6 /var/cache/tomcat6
 chgrp tomcat6 /etc/tomcat6/tomcat-users.xml
 chmod 640 /etc/tomcat6/tomcat-users.xml
 chown tomcat6 /var/lib/tomcat6/temp
 chgrp tomcat6 /var/lib/tomcat6/webapps
 chmod 775 /var/lib/tomcat6/webapps
 chgrp tomcat6 /etc/tomcat6/Catalina /etc/tomcat6/Catalina/localhost
 chmod 775 /etc/tomcat6/Catalina /etc/tomcat6/Catalina/localhost

I don't know much about dpkg, but these certainly seem to be hardcoded to the tomcat6 and adm groups.

Thierry Carrez (ttx) on 2010-04-08
summary: - tomcat6 package changes ownership of directories
+ tomcat6 package should respect dpkg-statoverride
Changed in tomcat6 (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
summary: - tomcat6 package should respect dpkg-statoverride
+ tomcat6 package should respect dpkg-statoverride (support running as a
+ different user)

Looking at the version of the tomcat6 package in 10.04, there are several other instances where the user is hard-coded to tomcat6, e.g. in the creation of the tomcat6 user itself, and the set-up of authbind. This therefore requires more than just respecting dpkg-statoverride. I think it would need the ability to configure a user that tomcat should run as using debconf-set-selections so this could be set before installing the package.

The default version of /etc/default/tomcat6 installed by the tomcat6 package contains this as its first line:

# Run Tomcat as this user ID. Not setting this or leaving it blank will use the
# default of tomcat6.
#TOMCAT6_USER=tomcat6

Given the current broken state of the tomcat6 package, this line is at best extremely misleading.

Thierry Carrez (ttx) wrote :

I agree with that statement. The current version of tomcat6 correctly supports two modes of operation: running as a system instance as the "tomcat6" user (package "tomcat6") or running as a private instance under the user of your choice (package "tomcat6-user", then use tomcat6-instance-create).

Changing that TOMCAT6_USER line will make it run as another user, but it will most likely fail to work properly without additional changes.

summary: - tomcat6 package should respect dpkg-statoverride (support running as a
- different user)
+ tomcat6 package should fully support running as a different user
Peter Matulis (petermatulis) wrote :

I just tested this on a fresh Hardy install (tomcat55) and it also does not work:

==========
# dpkg-statoverride --add ubuntu ubuntu 755 /etc/tomcat5.5

# dpkg-statoverride --list
ubuntu ubuntu 755 /etc/tomcat5.5

# aptitude install tomcat5.5

# ls -ld /etc/tomcat5.5/
drwxr-x--- 4 tomcat55 adm 4096 2010-04-09 17:23 /etc/tomcat5.5/
==========

Here is the same with a fresh Intrepid (tomcat6) install:

==========
# dpkg-statoverride --add ubuntu ubuntu 755 /etc/tomcat6

# dpkg-statoverride --list
ubuntu ubuntu 755 /etc/tomcat6

# apt-cache madison tomcat6
   tomcat6 | 6.0.18-0ubuntu3.3 | http://archive.ubuntu.com intrepid-updates/main Packages
   tomcat6 | 6.0.18-0ubuntu3.3 | http://security.ubuntu.com intrepid-security/main Packages
   tomcat6 | 6.0.18-0ubuntu3 | http://archive.ubuntu.com intrepid/main Packages

# aptitude install tomcat6=6.0.18-0ubuntu3

# ls -ld /etc/tomcat6/
drwxr-xr-x 3 ubuntu ubuntu 4096 2010-04-09 17:43 /etc/tomcat6/
==========

Then, still on Intrepid:

==========
# aptitude purge tomcat6

# dpkg-statoverride --list
ubuntu ubuntu 755 /etc/tomcat6

# aptitude install tomcat6=6.0.18-0ubuntu3.3

# ls -ld /etc/tomcat6/
drwxr-xr-x 4 ubuntu ubuntu 4096 2010-04-09 18:04 /etc/tomcat6/
==========

So I'm not sure how to interpret this. Anyone?

Max (mjs510) wrote :

You are only testing /etc/tomcat6/. This is not in the list of files that the package is modifying. See comment 2 in this bug or the package's postinst script.

Peter Matulis (petermatulis) wrote :

Sorry about that. Confirmed.

summary: - tomcat6 package should fully support running as a different user
+ tomcat6 does not respect dpkg-statoverride settings

Why the change in subject? I believe the original, as edited by Thierry Carrez is correct. The problem is more than just the fact that tomcat6 does not respect statoverrides. See comments 3, 4 & 5.

summary: - tomcat6 does not respect dpkg-statoverride settings
+ tomcat6 package should fully support running as a different user
Thierry Carrez (ttx) wrote :

There are several solutions:

1/ Only set the permissions on original installation (do not modify on upgrades)
2/ Make installation/upgrades look into /etc/default/tomcat6 to get the user name
3/ Make installation/upgrades respect dpkg-statoverride (do not change permissions on upgrades if dpkg-statoverridden)
4/ Preseed the user you want tomcat6 to run under

I think we want to keep the possibility to improve permissions on future upgrades, so solution (1) is not good. Solution (4) is technically the best, but it's a new feature so it's too much for a SRU.

As far as a Lucid SRU is concerned, solution (2) or (3) are the smallest change (they are not exclusive, btw). Both are slightly inconvenient (one requires the /etc/default/tomcat6 file to be present before install (or not purged from a previous install), while the other requires to run a few dpkg-statoverride/user creation/ authbind configuration commands). But they would survive upgrades perfectly. Let me know if that would be acceptable.

NB: I would keep the "tomcat6" group as is.

Changed in tomcat6 (Ubuntu):
assignee: nobody → Thierry Carrez (ttx)
status: Confirmed → Triaged
Changed in tomcat6 (Debian):
status: Unknown → New
Max (mjs510) wrote :

It sounds like either 2 or 3 would 'fix' the bug. Solution two strikes me as the simplest from the end-user perspective, and has the added advantage that it would allow future package updates to tweak permissions.

Thierry Carrez (ttx) wrote :

Yes, I'll go for (2) in Lucid SRU and for (2)+(4) for Maverick (see https://blueprints.launchpad.net/ubuntu/+spec/server-maverick-tomcat for details). Thanks for your input !

Thierry Carrez (ttx) on 2010-05-21
Changed in tomcat6 (Ubuntu Lucid):
assignee: nobody → Thierry Carrez (ttx)
importance: Undecided → Medium
status: New → In Progress
Changed in tomcat6 (Ubuntu):
importance: Wishlist → Medium
Thierry Carrez (ttx) wrote :
description: updated
Thierry Carrez (ttx) on 2010-05-21
Changed in tomcat6 (Ubuntu):
status: Triaged → Fix Committed
Changed in tomcat6 (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in tomcat6 (Debian):
status: New → Fix Released

Accepted tomcat6 into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.26-2

---------------
tomcat6 (6.0.26-2) unstable; urgency=low

  * debian/tomcat6.{postinst,prerm}: Respect TOMCAT6_USER and TOMCAT6_GROUP
    as defined in /etc/default/tomcat6 when setting directory permissions and
    authbind configuration (Closes: #581018, LP: #557300)
  * debian/tomcat6.postinst: Use group "tomcat6" instead of "adm" for
    permissions in /var/lib/tomcat6, so that group "adm" doesn't get write
    permissions over /var/lib/tomcat6/webapps (LP: #569118)

tomcat6 (6.0.26-1) unstable; urgency=low

  * New upstream version
  * Apply patch from Mark Scott to fix
    tomcat6-instance-create which failed when multiple commandline
    options are provided, fix creation of FULLPATH (Closes: #575580)

tomcat6 (6.0.24-5) unstable; urgency=low

  * Added optimised garbage collection options to tomcat6's default options.
    Thanks to Aaron J. Zirbes and Thierry Carrez for research and the patch.
    (Closes: LP: #541520)
  * Updated the changelog to mention closed CVE's in the 6.0.24-1 release.
  * Applied patch from Arto Jantunen fixing an issue with cleaning up the
    pid-file. (Closes: #574084)

tomcat6 (6.0.24-4) unstable; urgency=low

  * debian/tomcat6.postrm: fix removal of Tomcat (Closes: #567548)
  * Set UTF-8 as default character encoding - Patch by Thomas Koch
    (Closes: #573539)

tomcat6 (6.0.24-3) unstable; urgency=medium

  * Set the major, minor and build versions when calling Ant
    (Closes: LP: #495505)
  * Rebuild with a more recent version of maven-repo-helper which puts
    the javax jars at the correct location in the Maven repository.
    Fixes several FTBFS in other packages.
 -- Thierry Carrez <email address hidden> Fri, 04 Jun 2010 14:12:22 +0100

Changed in tomcat6 (Ubuntu):
status: Fix Committed → Fix Released
Thierry Carrez (ttx) wrote :

@Max: could you enable lucid-proposed and confirm that the problem is satisfactorily fixed in the tomcat6 6.0.24-2ubuntu1.1 package ? Thanks in advance.

Max (mjs510) wrote :

As far as I can tell, this is now working okay. I haven't been able to test a package upgrade, but have tried installing a new package with and without /etc/default/tomcat6 already existing and with/without TOMCAT6_[USER|GROUP] being set and all seems well. If the tomcat6 user and group are customised, the package sets the ownership as requested and also does not create any extra users or groups.

The only slight problem is that the group for the log and cache directories is hard-coded to adm and any post-installation changes will be reverted by package updates. I think we can live with this, but we had previously changed this group to be the same as the group for the other directories.

It is not possible for a sysadmin to tweak the permissions of directories as these will not be honoured by future package updates (no statoverride checks). I believe this is intentional.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.24-2ubuntu1.1

---------------
tomcat6 (6.0.24-2ubuntu1.1) lucid-proposed; urgency=low

  * debian/patches/fix-jsp-regression.patch: Fix regression in JSP compilation
    that resulted in "Duplicate local variable" errors when using Struts 1.2
    or bean:define (LP: #563642)
  * debian/tomcat6.{postinst,prerm}: Respect TOMCAT6_USER and TOMCAT6_GROUP
    as defined in /etc/default/tomcat6 when setting directory permissions and
    authbind configuration (LP: #557300)
  * debian/tomcat6.postinst: Use group "tomcat6" instead of "adm" for
    permissions in /var/lib/tomcat6, so that group "adm" doesn't get write
    permissions over /var/lib/tomcat6/webapps (LP: #569118)
 -- Thierry Carrez <email address hidden> Fri, 21 May 2010 10:11:35 +0200

Changed in tomcat6 (Ubuntu Lucid):
status: Fix Committed → Fix Released
Martin Pitt (pitti) on 2010-06-15
tags: added: verification-done
removed: verification-needed
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.