Bug 59232 - www-servers/tomcat 5.0.27-r1 ebuild does insecure installation
Summary: www-servers/tomcat 5.0.27-r1 ebuild does insecure installation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2004-08-02 23:35 UTC by Tero Pelander
Modified: 2011-10-30 22:41 UTC

See Also:
Package list:
Runtime testing required: ---
mholzer: Assigned_To? (java)


Attachments

Description Tero Pelander 2004-08-02 23:35:54 UTC
If a non-root user has access to the tomcat group and tomcat is started with the default configuration, then the user has root rights.

Due to the following code in the ebuild
pkg_preinst() { ... chown -R tomcat:tomcat ${D} ... }
the files /etc/init.d/tomcat5 and /etc/conf.d/tomcat5 are owned by tomcat:tomcat. When the service is started at server startup, the actions are done as root.


Reproducible: Always
Steps to Reproduce:
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-08-03 08:03:55 UTC
This effectively allows privilege escalation from tomcat group users to root.

The ebuild should be corrected so that init and conf files are owned by root.
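As an added example (not from the bug report, the GLSA or the Gentoo ebuild), the following POSIX shell functions implement the check Comment 1 asks for: given an install tree such as the ebuild's image directory ${D}, or / on a live system, they list every file under etc/init.d and etc/conf.d whose owner or group is not root, which is exactly what an over-broad `chown -R tomcat:tomcat ${D}` produces. The function names `flag_non_root_owned` and `audit_service_files` are this example's own, and it assumes GNU coreutils (`stat -c`, `find -exec ... +`).

```shell
#!/bin/sh
# Added example, not from the bug report or the Gentoo ebuild. The bug is an
# over-broad `chown -R tomcat:tomcat ${D}` that left /etc/init.d/tomcat5 and
# /etc/conf.d/tomcat5 owned by the service account, even though root runs
# them at boot. These functions audit an install tree for that pattern.
# Assumes GNU coreutils: `stat -c` and `find -exec ... {} +`.

# flag_non_root_owned: read "owner:group path" lines on stdin and print the
# ones whose owner or group is not root. Pure text filter, so it can be
# exercised on constructed input without root privileges or a real tree.
flag_non_root_owned() {
    awk 'NF && $1 != "root:root" { print }'
}

# audit_service_files ROOT: stat every regular file under ROOT/etc/init.d and
# ROOT/etc/conf.d (ROOT is the image directory, i.e. ${D} during an ebuild's
# pkg_preinst, or / for a live system) and print the ones not owned by
# root:root. Returns 1 if any were found, 0 if the tree is clean.
audit_service_files() {
    root="${1%/}"
    out=$(find "$root/etc/init.d" "$root/etc/conf.d" -type f \
               -exec stat -c '%U:%G %n' {} + 2>/dev/null | flag_non_root_owned)
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return 1
}

# When run directly with a path argument, audit that tree and exit non-zero
# on findings, e.g. `sh audit.sh /var/tmp/portage/.../image`.
if [ $# -gt 0 ]; then
    audit_service_files "$1"
fi
```

Running this against ${D} before `pkg_preinst` finishes would have flagged the two tomcat5 files in this report; the corresponding ebuild-side fix is to restrict the `chown` to the directories the service actually needs to write and leave /etc/init.d and /etc/conf.d root-owned.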
Comment 2 Thomas Matthijs (RETIRED) gentoo-dev 2004-08-06 07:36:28 UTC
I believe this is fixed in
tomcat-3.3.2-r2
tomcat-4.1.30-r4
tomcat-5.0.27-r3
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-08-07 03:12:59 UTC
Thanks axxo.
Ready for a GLSA -- if we decide one is needed
Comment 4 Kurt Lieber (RETIRED) gentoo-dev 2004-08-08 12:22:17 UTC
We need a GLSA on this one.  local root exploit == bad.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-15 08:37:37 UTC
GLSA 200408-15
Comment 6 Stuart Herbert (RETIRED) gentoo-dev 2004-08-15 09:23:39 UTC
FYI,

Tomcat was moved from net-www to www-servers a week ago.

Best regards,
Stu
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-15 11:18:53 UTC
Fixed.

Thx Stu