Tomcat Web Application Manager does not copy context configuration

Bug #1820288 reported by Arnaud MERGEY
Affects            Status         Importance   Assigned to   Milestone
tomcat8 (Debian)   Fix Released   Unknown
tomcat8 (Ubuntu)                  Undecided    Unassigned

Bug Description

Deploying an application through "Deploy directory or WAR file located on server" in the tomcat manager
does not work anymore since 18.04 (it used to work until 16.04 and is working in regular tomcat).

The context configuration set in "XML Configuration file URL" is not copied anymore into /var/lib/tomcat8/conf/Catalina/localhost as it should be.

I have created a simple application to illustrate the issue.

- Copy attached hello.zip in /tmp and unzip it
- From tomcat web manager on the same machine
    - in "Context Path (required)" put /hello
    - in "XML Configuration file URL" set /tmp/hello.xml
    - in "WAR or Directory URL" set /tmp/hello.war
- Click deploy

Navigate to http://host:8080/hello/hello
In 16.04 you see "Everything is ok", but in 18.04 and 18.10 you see "You should not be able to read this".
The reason for that is that this servlet displays the value of an init param that is overridden through a context configuration. Since 18.04 the context is not copied anymore, so the non-overridden value is displayed.

ProblemType: Bug
DistroRelease: Ubuntu 18.10
Package: tomcat8-admin (not installed)
ProcVersionSignature: Ubuntu 4.18.0-16.17-generic 4.18.20
Uname: Linux 4.18.0-16-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.10-0ubuntu13.2
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Fri Mar 15 14:59:20 2019
InstallationDate: Installed on 2016-08-12 (945 days ago)
InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719)
SourcePackage: tomcat8
UpgradeStatus: Upgraded to cosmic on 2018-11-22 (113 days ago)

Revision history for this message
Arnaud MERGEY (amergey) wrote :

It seems that the permissions have been changed; in 16.04 the localhost privileges are
drwxrwxr-x 2 root tomcat8 4096 Dec 22 10:22 localhost

In 18.04
drwxr-xr-x 2 root tomcat8 4096 Sep 9 19:47 localhost

so the write privilege has been removed for the tomcat8 group in 18.04. As manager comes with tomcat8, it does not have permission to deploy applications.

More generally I think my bug concerns the whole tomcat8-admin package (which manager belongs to), which is not working.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Hi Arnaud,
this is odd.

In a new Bionic system permissions are ok:
root@b:~# apt install tomcat8 tomcat8-admin
root@b:~# ll /var/lib/tomcat8/conf/Catalina/
total 3
drwxrwxr-x 3 root tomcat8 3 Feb 26 14:16 ./
drwxr-xr-x 4 root root 11 Feb 26 14:16 ../
drwxr-xr-x 2 root tomcat8 4 Feb 26 14:16 localhost/

Similar in Focal:
root@f:~# ll /var/lib/tomcat9/conf/Catalina/
total 3
drwxrwxr-x 3 root tomcat 3 Feb 26 14:17 ./
drwxr-xr-x 4 root root 11 Feb 26 14:17 ../
drwxr-xr-x 2 root tomcat 4 Feb 26 14:17 localhost/

While on xenial:
root@x:~# ll /var/lib/tomcat8/conf/Catalina/
total 3
drwxrwxr-x 3 root tomcat8 3 Feb 26 14:19 ./
drwxr-xr-x 4 root root 10 Feb 26 14:19 ../
drwxrwxr-x 2 root tomcat8 4 Feb 26 14:19 localhost/

So yes, the write permission for the tomcat[8] group was removed.
One has to look deeper into "why" and if this is a change that can be reverted.

Marking the bug for deeper checks later on ...

Changed in tomcat8 (Ubuntu):
status: New → Confirmed
tags: added: server-next
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

The subfiles are installed via:
debian/tomcat8-admin.install:1:debian/context/manager.xml /etc/tomcat8/Catalina/localhost/
debian/tomcat8-admin.install:2:debian/context/host-manager.xml /etc/tomcat8/Catalina/localhost/

But already when installing tomcat8 the path exists:
$ ll /var/lib/tomcat8/conf/Catalina/
drwxr-xr-x 2 root tomcat8 2 Sep 9 19:47 localhost/

We are looking at 8.0.32-1ubuntu1.11 .. 8.5.39-1ubuntu1~18.04.3 to compare.
Downgrading Bionic to the release version tomcat8=8.5.30-1ubuntu1 shows that it already has the new permissions.

The path isn't owned by a package:
# dpkg -S /var/lib/tomcat8/conf/Catalina/
dpkg-query: no path found matching pattern /var/lib/tomcat8/conf/Catalina/
=> so it must be postinst or first service start which creates it.

Uuuh, that is even more interesting.
Stop, remove, restart fixes the permission to what it had in the past:
root@b:~# systemctl stop tomcat8
root@b:~# ll /var/lib/tomcat8/conf/Catalina/
total 3
drwxrwxr-x 3 root tomcat8 3 Feb 27 07:40 ./
drwxr-xr-x 4 root root 11 Feb 27 07:40 ../
drwxr-xr-x 2 root tomcat8 2 Sep 9 19:47 localhost/
root@b:~# rm -rf /var/lib/tomcat8/conf/Catalina/localhost
root@b:~# systemctl start tomcat8
root@b:~# ll /var/lib/tomcat8/conf/Catalina/
total 3
drwxrwxr-x 3 root tomcat8 3 Feb 27 07:41 ./
drwxr-xr-x 4 root root 11 Feb 27 07:40 ../
drwxr-x--- 2 tomcat8 tomcat8 2 Feb 27 07:41 localhost

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

On install it already changes from:
drwxr-xr-x 2 root root 2 Sep 9 19:47 localhost/
(unpack)
to
drwxr-xr-x 2 root tomcat8 2 Sep 9 19:47 localhost/
(after postinst and service start)

This is confirmed by doing it without postinst:
root@b:~# apt download tomcat8
Get:1 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 tomcat8 all 8.5.39-1ubuntu1~18.04.3 [46.4 kB]
Fetched 46.4 kB in 0s (449 kB/s)

root@b:~# sudo dpkg --unpack tomcat8_8.5.39-1ubuntu1~18.04.3_all.deb
Selecting previously unselected package tomcat8.
(Reading database ... 42649 files and directories currently installed.)
Preparing to unpack tomcat8_8.5.39-1ubuntu1~18.04.3_all.deb ...
Unpacking tomcat8 (8.5.39-1ubuntu1~18.04.3) ...
Processing triggers for systemd (237-3ubuntu10.38) ...
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for rsyslog (8.32.0-1ubuntu4) ...

root@b:~# sudo mv /var/lib/dpkg/info/tomcat8.postinst /root/tomcat8-manual.postinst

root@b:~# sudo dpkg --configure tomcat8
Setting up tomcat8 (8.5.39-1ubuntu1~18.04.3) ...
Processing triggers for systemd (237-3ubuntu10.38) ...
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for rsyslog (8.32.0-1ubuntu4) ...

root@b:~# ll /var/lib/tomcat8/conf/Catalina/
total 3
drwxr-xr-x 3 root root 3 Feb 27 07:47 ./
drwxr-xr-x 4 root root 11 Feb 27 07:48 ../
drwxr-xr-x 2 root root 2 Sep 9 19:47 localhost/
root@b:~#

Let's take apart the rather complex postinst to find which command changes the ownership.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Arr, I'm blind - it could have been so easy:
lrwxrwxrwx 1 root root 12 Sep 9 19:47 /var/lib/tomcat8/conf -> /etc/tomcat8/

So actually
/var/lib/tomcat8/conf/Catalina/localhost == /etc/tomcat8/Catalina/localhost/

And that is set in postinst in:
  chown -Rh root:$TOMCAT8_GROUP /etc/tomcat8/Catalina

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

The permission difference 775 vs 755 isn't in the same place.
The chown is from the postinst, but the initial (and never changed) 775/755 is from unpack:

If I just unpack tomcat8 on Xenial and Bionic I already get:

root@x:~# ll /etc/tomcat8/Catalina/
total 3
drwxr-xr-x 3 root root 3 Feb 27 08:09 ./
drwxr-xr-x 4 root root 10 Feb 27 08:09 ../
drwxrwxr-x 2 root root 2 Jan 24 19:34 localhost/

root@b:~# ll /etc/tomcat8/Catalina/
total 3
drwxr-xr-x 3 root root 3 Feb 27 08:09 ./
drwxr-xr-x 4 root root 11 Feb 27 08:09 ../
drwxr-xr-x 2 root root 2 Sep 9 19:47 localhost/

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Comparing build logs I see:

Xenial:
dh_fixperms
# Make the/etc/tomcat8/Catalina/localhost directory writable by the tomcat user
for PACKAGE in tomcat8 tomcat8-admin tomcat8-docs tomcat8-examples; do \
  chmod 775 --verbose debian/$PACKAGE/etc/tomcat8/Catalina/localhost; \
done
mode of 'debian/tomcat8/etc/tomcat8/Catalina/localhost' changed from 0755 (rwxr-xr-x) to 0775 (rwxrwxr-x)
mode of 'debian/tomcat8-admin/etc/tomcat8/Catalina/localhost' changed from 0755 (rwxr-xr-x) to 0775 (rwxrwxr-x)
mode of 'debian/tomcat8-docs/etc/tomcat8/Catalina/localhost' changed from 0755 (rwxr-xr-x) to 0775 (rwxrwxr-x)
mode of 'debian/tomcat8-examples/etc/tomcat8/Catalina/localhost' changed from 0755 (rwxr-xr-x) to 0775 (rwxrwxr-x)

And Bionic lacks the same.

That change was in debian/rules and dropped this:
-override_dh_fixperms:
- dh_fixperms
- # Make the/etc/tomcat8/Catalina/localhost directory writable by the tomcat user
- for PACKAGE in tomcat8 tomcat8-admin tomcat8-docs tomcat8-examples; do \
- chmod 775 --verbose debian/$$PACKAGE/etc/tomcat8/Catalina/localhost; \
- done

In Xenial that was added by pkg/import/8.0.32-1ubuntu1.3:
      * SECURITY UPDATE: privilege escalation during package upgrade
        - debian/rules, debian/tomcat8.postinst: properly set permissions on
          /etc/tomcat8/Catalina/localhost.
        - CVE-2016-9774

From there we can check the USN:
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9774.html

Now things make sense:
1. in the past the postinst set 775
   -> that could be exploited
2. Xenial got a change that already at build time the permissions are set 775 (fixing the CVE)
3. Bionic (and others) post
   See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845393

Since then it is 755 and not changed on install.
@Arnaud - the argument in the Debian bug above was that there would be no valid use case for it to be writable. You seem to be able to describe a valid use case for it.

Would you mind chiming in on https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845393 and explaining the use case, maybe suggesting the fix in xenial https://git.launchpad.net/ubuntu/+source/tomcat8/tree/debian/rules?h=ubuntu/xenial-devel#n56 to make it a build time (instead of postinst) change?

Changed in tomcat8 (Ubuntu):
status: Confirmed → Incomplete
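
An added check, not part of this bug report or of the tomcat8 package, that audits a Catalina/localhost directory the way the comments above do by hand with `ll`: it resolves the /var/lib/tomcat8/conf symlink, reads the mode, and reports whether the directory is group-writable (the 775 state the manager's context copy needs) or not (the 755 state Bionic ships). The function name and its return codes are this example's own convention.

```shell
#!/bin/sh
# Added example, not from the bug report or the tomcat8 package.
# Audit the mode of a Tomcat context directory such as
# /etc/tomcat8/Catalina/localhost.
# Return codes (this example's own convention):
#   0 = not writable by group or other (the 755 state Bionic ships)
#   1 = group-writable (the 775 state Xenial's dh_fixperms override set,
#       which the manager's "XML Configuration file URL" copy needs)
#   2 = world-writable (never acceptable for a directory Tomcat reads
#       context files from)
#   3 = path missing or not a directory
check_localhost_dir() {
    # /var/lib/tomcat8/conf is a symlink to /etc/tomcat8, so resolve
    # the path first and report the real location.
    target=$(readlink -f "$1" 2>/dev/null) || return 3
    [ -d "$target" ] || { echo "not a directory: $1" >&2; return 3; }

    mode=$(stat -c '%a' "$target")        # e.g. 755, 775 or 2775
    owner=$(stat -c '%U:%G' "$target")
    perm=${mode#"${mode%???}"}            # last three octal digits
    g=${perm%?}; g=${g#?}                 # middle digit: group bits
    o=${perm#??}                          # last digit: other bits

    echo "$target owner=$owner mode=$mode"
    if [ $((o & 2)) -ne 0 ]; then
        echo "  world-writable: any local user could add context XML here" >&2
        return 2
    elif [ $((g & 2)) -ne 0 ]; then
        echo "  group-writable: manager deploys with a context XML will work;" \
             "only the ${owner#*:} group should have this" >&2
        return 1
    fi
    echo "  not group-writable: manager cannot copy context XML here"
    return 0
}

# Stand-alone use on a tomcat8 host:
# check_localhost_dir /var/lib/tomcat8/conf/Catalina/localhost
```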
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Marking incomplete, waiting for the debian discussion to happen to then jointly go on with this.

Subscribing security to chime in if needed as it was initially a CVE.

Changed in tomcat8 (Debian):
status: Unknown → Fix Released
Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Thanks for all the debugging Christian! Very useful :)

I also did some investigation and this behavior is expected by the Debian maintainers. According to the maintainers the current implementation does not support using copyXML=true, because in this case when the app is deployed the context file in APP/META-INF/context.xml is copied into /etc/tomcat8/Catalina/localhost. The Debian maintainers believe the copyXML=true option is not that useful and they would accept a good use case to justify making /etc/tomcat8/Catalina/localhost writable by tomcat. They also acknowledged that tomcat should not create files in /etc during runtime, so they changed the way it works in tomcat9.

The use case Arnaud presented in the bug description was very well defined and it is reproducible (thanks!). However, there is a simple workaround for this in Bionic if you do not use the admin web interface to deploy it. You can edit the hello.xml file in the root of the attached zip file and leave it like this:

<?xml version="1.0" encoding="UTF-8"?>
<Context docBase="/tmp/hello.war">
 <Parameter name="helloMessage" value="Everything is ok" override="1" />
</Context>

Note I added docBase="/tmp/hello.war" in the Context tag. After that you copy it to /etc/tomcat8/Catalina/localhost/ and restart tomcat. Then you can access https://IP_ADDRESS:8080/hello/hello and see "Everything is ok".

Feel free to engage with the Debian maintainers on this discussion. If you come up with a solution we can discuss an SRU.

tags: removed: server-next