improper group write permission for /var/lib/tomcat6/webapps

Bug #569118 reported by Jamie Strandboge on 2010-04-23
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tomcat6 (Ubuntu)
Low
Unassigned
Lucid
Low
Thierry Carrez

Bug Description

Binary package hint: tomcat6

On fresh Ubuntu 10.04 LTS install of tomcat6 6.0.24-2ubuntu1, the /var/lib/tomcat6/webapps has the following permissions:
/var/lib/tomcat6/webapps drwxrwxr-x tomcat6 adm

'adm' seems like on odd default choice of group here, since typically people in the adm are allowed to read log files. The following command demonstrates this:
$ sudo find / -group adm -ls

I suggested fix is to change the group to 'tomcat6', since the directory already has 'r-x' for 'other'.

This is not release critical for Lucid, but should be fixed nevertheless.

== SRU Report ==
Impact:
Members of the adm group can modify and deploy tomcat6 webapps. This group is not a tomcat6 admin group, it's a log files reading group.

Development branch fix:
We are trying to keep sync with Debian, fix was proposed to debian-java SVN and pending release.

Minimal patch:
http://bazaar.launchpad.net/~ttx/tomcat6/lucid-sru/revision/22

TEST CASE:
$ sudo apt-get install tomcat6
$ ls -ld /var/lib/tomcat6/webapps
Affected version returns: drwxrwxr-x tomcat6:adm /var/lib/tomcat6/webapps
Fixed version returns: drwxrwxr-x tomcat6:tomcat6 /var/lib/tomcat6/webapps

Regression potential:
Admins might have relied on giving people access to the "adm" group in order to let them deploy tomcat6 webapps, they would need to add their users to the "tomcat6" group instead.

description: updated
Changed in tomcat6 (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
Thierry Carrez (ttx) on 2010-05-21
Changed in tomcat6 (Ubuntu Lucid):
assignee: nobody → Thierry Carrez (ttx)
importance: Undecided → Low
status: New → In Progress
Thierry Carrez (ttx) on 2010-05-21
description: updated
Thierry Carrez (ttx) on 2010-05-21
Changed in tomcat6 (Ubuntu):
status: Confirmed → Fix Committed
Changed in tomcat6 (Ubuntu Lucid):
status: In Progress → Fix Committed

Accepted tomcat6 into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.26-2

---------------
tomcat6 (6.0.26-2) unstable; urgency=low

  * debian/tomcat6.{postinst,prerm}: Respect TOMCAT6_USER and TOMCAT6_GROUP
    as defined in /etc/default/tomcat6 when setting directory permissions and
    authbind configuration (Closes: #581018, LP: #557300)
  * debian/tomcat6.postinst: Use group "tomcat6" instead of "adm" for
    permissions in /var/lib/tomcat6, so that group "adm" doesn't get write
    permissions over /var/lib/tomcat6/webapps (LP: #569118)

tomcat6 (6.0.26-1) unstable; urgency=low

  * New upstream version
  * Apply patch from Mark Scott to fix
    tomcat6-instance-create which failed when multiple commandline
    options are provided, fix creation of FULLPATH (Closes: #575580)

tomcat6 (6.0.24-5) unstable; urgency=low

  * Added optimised garbage collection options to tomcat6's default options.
    Thanks to Aaron J. Zirbes and Thierry Carrez for research and the patch.
    (Closes: LP: #541520)
  * Updated the changelog to mention closed CVE's in the 6.0.24-1 release.
  * Applied patch from Arto Jantunen fixing an issue with cleaning up the
    pid-file. (Closes: #574084)

tomcat6 (6.0.24-4) unstable; urgency=low

  * debian/tomcat6.postrm: fix removal of Tomcat (Closes: #567548)
  * Set UTF-8 as default character encoding - Patch by Thomas Koch
    (Closes: #573539)

tomcat6 (6.0.24-3) unstable; urgency=medium

  * Set the major, minor and build versions when calling Ant
    (Closes: LP: #495505)
  * Rebuild with a more recent version of maven-repo-helper which puts
    the javax jars at the correct location in the Maven repository.
    Fixes several FTBFS in other packages.
 -- Thierry Carrez <email address hidden> Fri, 04 Jun 2010 14:12:22 +0100

Changed in tomcat6 (Ubuntu):
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2010-06-11
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.24-2ubuntu1.1

---------------
tomcat6 (6.0.24-2ubuntu1.1) lucid-proposed; urgency=low

  * debian/patches/fix-jsp-regression.patch: Fix regression in JSP compilation
    that resulted in "Duplicate local variable" errors when using Struts 1.2
    or bean:define (LP: #563642)
  * debian/tomcat6.{postinst,prerm}: Respect TOMCAT6_USER and TOMCAT6_GROUP
    as defined in /etc/default/tomcat6 when setting directory permissions and
    authbind configuration (LP: #557300)
  * debian/tomcat6.postinst: Use group "tomcat6" instead of "adm" for
    permissions in /var/lib/tomcat6, so that group "adm" doesn't get write
    permissions over /var/lib/tomcat6/webapps (LP: #569118)
 -- Thierry Carrez <email address hidden> Fri, 21 May 2010 10:11:35 +0200

Changed in tomcat6 (Ubuntu Lucid):
status: Fix Committed → Fix Released
tags: added: testcase
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers