improper group write permission for /var/lib/tomcat6/webapps
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| tomcat6 (Ubuntu) | Fix Released | Low | Unassigned | |
| Lucid | Fix Released | Low | Thierry Carrez | |
Bug Description
Binary package hint: tomcat6
On a fresh Ubuntu 10.04 LTS install of tomcat6 6.0.24-2ubuntu1, the /var/lib/
/var/lib/
'adm' seems like an odd default choice of group here, since typically people in the adm group are allowed to read log files. The following command demonstrates this:
$ sudo find / -group adm -ls
My suggested fix is to change the group to 'tomcat6', since the directory already has 'r-x' for 'other'.
This is not release critical for Lucid, but should be fixed nevertheless.
== SRU Report ==
Impact:
Members of the adm group can modify and deploy tomcat6 webapps. This group is not a tomcat6 admin group; it's a log-file reading group.
Development branch fix:
We are trying to keep in sync with Debian; the fix was proposed to the debian-java SVN and is pending release.
Minimal patch:
http://
TEST CASE:
$ sudo apt-get install tomcat6
$ ls -ld /var/lib/
Affected version returns: drwxrwxr-x tomcat6:adm /var/lib/
Fixed version returns: drwxrwxr-x tomcat6:tomcat6 /var/lib/
Regression potential:
Admins might have relied on giving people access to the "adm" group in order to let them deploy tomcat6 webapps; they would need to add their users to the "tomcat6" group instead.
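An added audit check, not part of the bug report, for the condition the test case above describes: a directory that is group-writable while its group is not the service's own group. The function name `check_dir_group` is my own, and it assumes GNU `stat` (as on Ubuntu); the demo uses a constructed temp directory rather than /var/lib/tomcat6/webapps.

```shell
#!/bin/sh
# Added example (not from the bug report). Reports a finding and returns 1 if
# <path> is group-writable and its group is not <expected_group>; returns 0
# when the directory is safe, 2 if it cannot be inspected.
#
# usage: check_dir_group <path> <expected_group>
check_dir_group() {
    dir=$1
    expected_group=$2
    # GNU stat: owner, group and symbolic mode, e.g. "tomcat6 adm drwxrwxr-x"
    info=$(stat -c '%U %G %A' "$dir") || return 2
    set -- $info
    owner=$1; group=$2; mode=$3
    # The group-write bit is the 6th character of the symbolic mode string
    # (d rwx rwx r-x -> position 6 is the group 'w').
    group_write=$(printf '%s' "$mode" | cut -c6)
    if [ "$group_write" = "w" ] && [ "$group" != "$expected_group" ]; then
        echo "FINDING: $dir is $owner:$group $mode (group '$group' can write, expected '$expected_group')"
        return 1
    fi
    echo "OK: $dir is $owner:$group $mode"
    return 0
}

# Demonstration on a constructed temp directory: its group is the caller's
# primary group, which stands in for 'adm' in the affected package.
demo() {
    tmp=$(mktemp -d)
    chmod 775 "$tmp"                  # affected state: group-writable
    check_dir_group "$tmp" tomcat6    # -> FINDING, returns 1
    chmod 755 "$tmp"                  # group write removed
    check_dir_group "$tmp" tomcat6    # -> OK, returns 0
    rmdir "$tmp"
}

demo
```

Run it against /var/lib/tomcat6/webapps with expected group tomcat6 to confirm the fixed package; the same check applies to any service directory that should not be writable by adm.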
- description: updated
- Changed in tomcat6 (Ubuntu): status: New → Confirmed; importance: Undecided → Low
- Changed in tomcat6 (Ubuntu Lucid): assignee: nobody → Thierry Carrez (ttx); importance: Undecided → Low; status: New → In Progress
- description: updated
- Changed in tomcat6 (Ubuntu): status: Confirmed → Fix Committed
- Changed in tomcat6 (Ubuntu Lucid): status: In Progress → Fix Committed
- tags: added: verification-done; removed: verification-needed
- tags: added: testcase
Accepted tomcat6 into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!