If a non-root user has access to the tomcat group and tomcat is started with the default configuration, then the user has root rights.

Due to the following code in the ebuild

    pkg_preinst() {
        ...
        chown -R tomcat:tomcat ${D}
        ...
    }

the files /etc/init.d/tomcat5 and /etc/conf.d/tomcat5 are owned by tomcat:tomcat. When the service is started at server startup, the actions are done as root.

Reproducible: Always
Steps to Reproduce:
This effectively allows privilege escalation from tomcat group users to root. The ebuild should be corrected so that the init and conf files are owned by root.
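A defensive check for the condition reported above, as an added example that is not part of the original report or of the Gentoo ebuild: it lists files under the startup directories that are not owned by the expected account or that are group- or world-writable. The function name `audit_startup_files` and the output labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: find startup files that a non-root account could modify.
# Anything under /etc/init.d or /etc/conf.d is run or sourced as root at
# boot, so such files must be owned by root and writable only by root.

# audit_startup_files OWNER DIR...
# Prints one line per finding and returns 1 if there is at least one.
audit_startup_files() {
    owner=$1
    shift
    findings=$(
        for dir in "$@"; do
            [ -d "$dir" ] || continue
            # Not owned by the expected account (e.g. tomcat instead of root).
            find "$dir" ! -user "$owner" -print | sed 's|^|owner: |'
            # Group- or world-writable; symlinks are skipped because their
            # mode bits are not meaningful.
            find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print |
                sed 's|^|writable: |'
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run only when arguments are given, for example:
#   sh audit.sh root /etc/init.d /etc/conf.d
if [ "$#" -gt 0 ]; then
    audit_startup_files "$@"
fi
```

A non-zero exit status means at least one file was reported, which makes the script usable as a post-install or periodic check.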
I believe this is fixed in tomcat-3.3.2-r2, tomcat-4.1.30-r4 and tomcat-5.0.27-r3.
Thanks axxo. Ready for a GLSA -- if we decide one is needed
We need a GLSA on this one. Local root exploit == bad.
GLSA 200408-15
FYI, Tomcat was moved from net-www to www-servers a week ago. Best regards, Stu
Fixed. Thx Stu