Gentoo Bug 59232 - www-servers/tomcat 5.0.27-r1 ebuild does insecure installation

First Last Prev Next No search results available Search page Enter new bug

Bug#:	59232
Alias:
Product:
Component:
Status:	RESOLVED
Resolution:	FIXED
Assigned To:	Gentoo Security <security@gentoo.org>

Hardware:
OS:
Version:
Priority:
Severity:

Reporter:	Tero Pelander <tpeland@tkukoulu.fi>
Add CC:
CC:	Remove selected CCs

URL:
Summary:
Status Whiteboard:
Keywords:

Flags:		Requestee:
	Pending
	Approved
mholzer:	Assigned_To	()

Filename	Description	Type	Creator	Created	Size	Actions
Create a New Attachment (proposed patch, testcase, etc.)						View All

Bug 59232 depends on:			Show dependency tree
Bug 59232 blocks:			Show dependency tree

Votes:	0 Show votes for this bug Vote for this bug

Additional Comments: (this is where you put emerge --info)

Add to CC list

Not eligible to see or edit group visibility for this bug.

Leave as RESOLVED FIXED
Reopen bug
Mark bug as VERIFIED
Mark bug as CLOSED

View Bug Activity | Format For Printing | XML | Clone This Bug

Description:

Opened: 2004-08-02 23:35 0000

If non-root user has access to tomcat group and tomcat is started by default
configuration then the user has root rights.

Due to following code in ebuild
pkg_preinst() { ... chown -R tomcat:tomcat ${D} ... }
the files /etc/init.d/tomcat5 and /etc/conf.d/tomcat5 are owned by
tomcat:tomcat. When the service is started at server startup the actions are
done as root.


Reproducible: Always
Steps to Reproduce:

------- Comment #1 From Thierry Carrez (RETIRED) 2004-08-03 08:03:55 0000 -------

This effectively allow privilege escalation from tomcat group users to root.

ebuild should be corrected so that init and conf files are owned by root.

------- Comment #2 From Thomas Matthijs (RETIRED) 2004-08-06 07:36:28 0000 -------

i believe this is fixed in
tomcat-3.3.2-r2
tomcat-4.1.30-r4
tomcat-5.0.27-r3

------- Comment #3 From Thierry Carrez (RETIRED) 2004-08-07 03:12:59 0000 -------

Thanks axxo.
Ready for a GLSA -- if we decide one is needed

------- Comment #4 From Kurt Lieber 2004-08-08 12:22:17 0000 -------

we need a GLSA on this one.  local root exploit == bad.

------- Comment #5 From Sune Kloppenborg Jeppesen 2004-08-15 08:37:37 0000 -------

GLSA 200408-15

------- Comment #6 From Stuart Herbert (RETIRED) 2004-08-15 09:23:39 0000 -------

FYI,

Tomcat was moved from net-www to www-servers a week ago.

Best regards,
Stu

------- Comment #7 From Sune Kloppenborg Jeppesen 2004-08-15 11:18:53 0000 -------

Fixed.

Thx Stu

First Last Prev Next No search results available Search page Enter new bug

Bugzilla Bug 59232

www-servers/tomcat 5.0.27-r1 ebuild does insecure installation

Last modified: 2004-08-15 11:18:53 0000