Comparing build logs I see:
Xenial:
dh_fixperms
# Make the/etc/tomcat8/Catalina/localhost directory writable by the tomcat user
for PACKAGE in tomcat8 tomcat8-admin tomcat8-docs tomcat8-examples; do \
chmod 775 --verbose debian/$PACKAGE/etc/tomcat8/Catalina/localhost; \
done
mode of 'debian/tomcat8/etc/tomcat8/Catalina/localhost' changed from 0755 (rwxr-xr-x) to 0775 (rwxrwxr-x)
mode of 'debian/tomcat8-admin/etc/tomcat8/Catalina/localhost' changed from 0755 (rwxr-xr-x) to 0775 (rwxrwxr-x)
mode of 'debian/tomcat8-docs/etc/tomcat8/Catalina/localhost' changed from 0755 (rwxr-xr-x) to 0775 (rwxrwxr-x)
mode of 'debian/tomcat8-examples/etc/tomcat8/Catalina/localhost' changed from 0755 (rwxr-xr-x) to 0775 (rwxrwxr-x)
And Bionic lacks the same.
That change was in debian/rules and dropped this:
-override_dh_fixperms:
- dh_fixperms
- # Make the/etc/tomcat8/Catalina/localhost directory writable by the tomcat user
- for PACKAGE in tomcat8 tomcat8-admin tomcat8-docs tomcat8-examples; do \
- chmod 775 --verbose debian/$$PACKAGE/etc/tomcat8/Catalina/localhost; \
- done
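Review bot: removing override_dh_fixperms drops the build-time chmod 775 on debian/$PACKAGE/etc/tomcat8/Catalina/localhost without any replacement, so the shipped directory silently reverts to 0755 (the mode the log shows it being changed from). If the directory is still meant to be writable by the tomcat user, keep the change here at build time rather than reintroducing a chmod in tomcat8.postinst, since a postinst chmod on an existing path is exactly what CVE-2016-9774 was about; and if dropping it is intentional, that should be stated in the changelog.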
In Xenial that was added by pkg/import/8.0.32-1ubuntu1.3:
* SECURITY UPDATE: privilege escalation during package upgrade
- debian/rules, debian/tomcat8.postinst: properly set permissions on /etc/tomcat8/Catalina/localhost.
- CVE-2016-9774
From there we can check the USN https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9774.html
Now things make sense:
1. in the past the postinst set 775
-> that could be exploited
2. Xenial got a change that already at build time the permissions are set 775 (fixing the CVE)
3. Bionic (and others) post
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845393
Since then it is 755 and not changed on install.
@Arnaud - the argument in the Debian bug above was that there would be no valid use case for it to be writable. You seem to be able to describe a valid use case for it.
Would you mind chiming in on https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845393 and explaining the use case, maybe suggesting the fix in xenial https://git.launchpad.net/ubuntu/+source/tomcat8/tree/debian/rules?h=ubuntu/xenial-devel#n56 to make it a build time (instead of postinst) change?
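As an added check, not code from the bug report or the tomcat8 package: a read-only audit that classifies an installed Catalina/localhost directory into the states discussed above (Xenial-style 0775 writable by the tomcat group, Bionic-style 0755 root-only, or a world-writable or wrong-group state that should never occur). It assumes a POSIX sh with ls, cut and awk, and that the group is named tomcat8 unless another name is passed.

```shell
#!/bin/sh
# Added example, not code from the bug report or the tomcat8 package.
# Read-only audit of a Catalina/localhost directory after an upgrade.
# Assumes POSIX sh with ls/cut/awk; expected group defaults to tomcat8.

# audit_localhost_dir DIR [EXPECTED_GROUP]
# prints "<verdict> <perms> <group>"; returns 0 when the state is acceptable
audit_localhost_dir() {
    dir=$1
    want=${2:-tomcat8}
    if [ ! -d "$dir" ]; then
        echo "missing - -"
        return 1
    fi
    line=$(ls -ld "$dir")
    perms=$(printf '%s\n' "$line" | cut -c2-10)      # e.g. rwxrwxr-x
    group=$(printf '%s\n' "$line" | awk '{print $4}')
    gw=$(printf '%s\n' "$perms" | cut -c5)            # group write bit
    ow=$(printf '%s\n' "$perms" | cut -c8)            # other write bit
    if [ "$ow" = "w" ]; then
        # never shipped by the package: anyone could drop a context XML here
        echo "world-writable $perms $group"; return 1
    elif [ "$gw" = "w" ] && [ "$group" = "$want" ]; then
        # Xenial-style 0775 root:tomcat8, set at build time
        echo "group-writable $perms $group"; return 0
    elif [ "$gw" = "w" ]; then
        # writable, but by a group other than the tomcat group
        echo "wrong-group $perms $group"; return 1
    else
        # Bionic-style 0755: only root can add context files
        echo "root-only $perms $group"; return 0
    fi
}

# Usage on a real host (the audit changes nothing):
#   audit_localhost_dir /etc/tomcat8/Catalina/localhost tomcat8
```

On a Debian/Ubuntu host, `dpkg-statoverride --list /etc/tomcat8/Catalina/localhost` shows whether an administrator has overridden the shipped mode, which is the supported way to make the directory writable without a postinst chmod.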