[Bug 569118] Re: improper group write permission for /var/lib/tomcat6/webapps
Thierry Carrez
thierry.carrez at ubuntu.com
Fri May 21 09:56:37 BST 2010
** Description changed:
Binary package hint: tomcat6
On fresh Ubuntu 10.04 LTS install of tomcat6 6.0.24-2ubuntu1, the /var/lib/tomcat6/webapps has the following permissions:
/var/lib/tomcat6/webapps drwxrwxr-x tomcat6 adm
'adm' seems like an odd default choice of group here, since typically people in the adm group are allowed to read log files. The following command demonstrates this:
$ sudo find / -group adm -ls
My suggested fix is to change the group to 'tomcat6', since the directory
already has 'r-x' for 'other'.
This is not release critical for Lucid, but should be fixed
nevertheless.
+
+ == SRU Report ==
+ Impact:
+ Members of the adm group can modify and deploy tomcat6 webapps. This group is not a tomcat6 admin group, it's a log files reading group.
+
+ Development branch fix:
+ We are trying to keep sync with Debian, fix was proposed to debian-java SVN and pending release.
+
+ Minimal patch:
+ http://bazaar.launchpad.net/~ttx/tomcat6/lucid-sru/revision/22
+
+ TEST CASE:
+ $ sudo apt-get install tomcat6
+ $ ls -ld /var/lib/tomcat6/webapps
+ Affected version returns: drwxrwxr-x tomcat6:adm /var/lib/tomcat6/webapps
+ Fixed version returns: drwxrwxr-x tomcat6:tomcat6 /var/lib/tomcat6/webapps
+
+ Regression potential:
+ Admins might have relied on giving people access to the "adm" group in order to let them deploy tomcat6 webapps, they would need to add their users to the "tomcat6" group instead.
--
improper group write permission for /var/lib/tomcat6/webapps
https://bugs.launchpad.net/bugs/569118
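Added example (not part of the original bug report or the tomcat6 packaging): a shell check that generalizes the TEST CASE above from a single ls -ld to every directory under a path, reporting those that are group-writable while owned by a group other than the expected one. The function name audit_group_write and its arguments are illustrative, and GNU find (for -printf), as shipped on Ubuntu, is assumed.

```shell
#!/bin/sh
# Added example, not code from the bug report.
# audit_group_write DIR EXPECTED_GROUP
#   Prints every directory at or below DIR that has the group write bit set
#   and whose group is not EXPECTED_GROUP.
#   Returns 0 if nothing is found, 1 if there are findings, 2 if DIR is
#   not a directory (so a missing path is never reported as "clean").
# Assumes GNU find and paths without tabs or newlines.
audit_group_write() {
    dir=$1
    expected=$2

    if [ ! -d "$dir" ]; then
        echo "audit_group_write: $dir is not a directory" >&2
        return 2
    fi

    # -perm -g+w keeps only entries with the group write bit set.
    # %g = group name (or numeric gid if unnamed), %m = octal mode, %p = path.
    findings=$(find "$dir" -type d -perm -g+w -printf '%g\t%m\t%p\n' 2>/dev/null |
        awk -F '\t' -v want="$expected" \
            '$1 != want { print $3 " mode=" $2 " group=" $1 }')

    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Usage for the directory in this bug:
#   audit_group_write /var/lib/tomcat6/webapps tomcat6
```

On the affected package this lists /var/lib/tomcat6/webapps with group=adm; on the fixed package it prints nothing and returns 0.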