Comment 9 for bug 1820288

Christian Ehrhardt  (paelzer) wrote :

Comparing build logs I see:

Xenial:
dh_fixperms
# Make the/etc/tomcat8/Catalina/localhost directory writable by the tomcat user
for PACKAGE in tomcat8 tomcat8-admin tomcat8-docs tomcat8-examples; do \
  chmod 775 --verbose debian/$PACKAGE/etc/tomcat8/Catalina/localhost; \
done
mode of 'debian/tomcat8/etc/tomcat8/Catalina/localhost' changed from 0755 (rwxr-xr-x) to 0775 (rwxrwxr-x)
mode of 'debian/tomcat8-admin/etc/tomcat8/Catalina/localhost' changed from 0755 (rwxr-xr-x) to 0775 (rwxrwxr-x)
mode of 'debian/tomcat8-docs/etc/tomcat8/Catalina/localhost' changed from 0755 (rwxr-xr-x) to 0775 (rwxrwxr-x)
mode of 'debian/tomcat8-examples/etc/tomcat8/Catalina/localhost' changed from 0755 (rwxr-xr-x) to 0775 (rwxrwxr-x)

And Bionic lacks the same.

That change was in debian/rules and dropped this:
-override_dh_fixperms:
- dh_fixperms
- # Make the/etc/tomcat8/Catalina/localhost directory writable by the tomcat user
- for PACKAGE in tomcat8 tomcat8-admin tomcat8-docs tomcat8-examples; do \
- chmod 775 --verbose debian/$$PACKAGE/etc/tomcat8/Catalina/localhost; \
- done
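Review bot: this hunk removes the build-time chmod from debian/rules but shows no matching change to debian/tomcat8.postinst, so on its own it does not establish the final installed mode; the 8.0.32-1ubuntu1.3 changelog entry quoted below touched both debian/rules and the postinst, so confirm the postinst no longer sets 775 either (the comment states the directory is now 0755 and not changed on install). Note also that `$$PACKAGE` is the correct escaping inside a Makefile recipe; the build log above shows it after make expansion as `$PACKAGE`, so the two excerpts are consistent.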

In Xenial that was added by pkg/import/8.0.32-1ubuntu1.3:
      * SECURITY UPDATE: privilege escalation during package upgrade
        - debian/rules, debian/tomcat8.postinst: properly set permissions on
          /etc/tomcat8/Catalina/localhost.
        - CVE-2016-9774

From there we can check the USN
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9774.html

Now things make sense:
1. in the past the postinst set 775
   -> that could be exploited
2. Xenial got a change so that the permissions are already set to 775 at build time (fixing the CVE)
3. Bionic (and others) post
   See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845393

Since then it is 755 and not changed on install.
@Arnaud - the argument in the Debian bug above was that there would be no valid use case for it to be writable. You seem to be able to describe a valid use case for it.

Would you mind chiming in on https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845393 and explaining the use case, maybe suggesting the fix in Xenial https://git.launchpad.net/ubuntu/+source/tomcat8/tree/debian/rules?h=ubuntu/xenial-devel#n56 to make it a build-time (instead of postinst) change?