Bug 176701 - tomcat security manager, issues with default webapps & catalina.policy file
Summary: tomcat security manager, issues with default webapps & catalina.policy file
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server (show other bugs)
Hardware: x86 Linux
Importance: High normal
Assignee: Java team
URL:
Whiteboard:
Keywords:
Depends on: 428002
Blocks: CVE-2007-5342 322979
Reported: 2007-05-01 17:22 UTC by Martin Slota
Modified: 2012-12-07 12:56 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
working catalina.policy (catalina.policy,12.01 KB, text/plain)
2007-05-01 20:22 UTC, Martin Slota

Description Martin Slota 2007-05-01 17:22:36 UTC
Actually, this looks like 2 bugs in one. If I set TOMCAT_START to "start -security", the first thing that is wrong is that /etc/init.d/tomcat-x.y calls something like:

start-stop-daemon --start ...BLABLA... org.apache.catalina.startup.Bootstrap start -security

This doesn't work because Bootstrap expects its arguments in reversed order, i.e. this should be called instead:

start-stop-daemon --start ...BLABLA... org.apache.catalina.startup.Bootstrap -security start

But after fixing this I ran into more problems with permissions. The final solution was to add almost all files under /usr/share/tomcat-x.y to /etc/tomcat-x.y/catalina.policy and set them to full rights. Symlinks must be mentioned separately, otherwise the target libraries don't really get the permissions. My catalina.policy is in the attachment.

Reproducible: Always

Steps to Reproduce:
1. Edit /etc/conf.d/tomcat-x.y and set TOMCAT_START to "start -security"
2. Restart tomcat
Actual Results:  
http://127.0.0.1:8080/ doesn't load

Expected Results:  
http://127.0.0.1:8080/ should load

Portage 2.1.2.2 (default-linux/x86/2006.1, gcc-4.1.1, glibc-2.5-r0, 2.6.18-suspend2-r1 i686)
=================================================================
System uname: 2.6.18-suspend2-r1 i686 Intel(R) Pentium(R) 4 CPU 2.66GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Mon, 30 Apr 2007 19:00:10 +0000
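As an added example (not from the bug report, the attachment, or Gentoo's ebuild), a POSIX shell helper that generates the kind of catalina.policy grant entries the reporter describes: one grant per jar, plus a second grant for the resolved target of any symlinked jar, since the policy is matched against the canonical path the JVM actually loads. It assumes GNU `readlink -f` and the standard Java policy-file syntax; the permission defaults to the reporter's "full rights" but can be narrowed.

```shell
#!/bin/sh
# Print one catalina.policy "grant codeBase" block for a single path.
# $1 = absolute path of the jar, $2 = permission class (assumed syntax:
# standard java.policy grammar, e.g. java.security.AllPermission).
emit_grant() {
    printf 'grant codeBase "file:%s" {\n    permission %s;\n};\n' "$1" "$2"
}

# Walk a directory (e.g. /usr/share/tomcat-x.y/common/lib) and emit grants
# for every .jar found. For a symlink, also emit a grant for its resolved
# target: the reporter observed that granting the link path alone leaves the
# real library without permissions under the security manager.
# $1 = directory, $2 = permission (default: AllPermission, as in the report;
# prefer a narrower permission where the webapp allows it).
policy_grants_for_dir() {
    dir="$1"
    perm="${2:-java.security.AllPermission}"
    find "$dir" -name '*.jar' | sort | while read -r jar; do
        emit_grant "$jar" "$perm"
        if [ -L "$jar" ]; then
            target=$(readlink -f "$jar")       # GNU readlink: canonical path
            [ "$target" != "$jar" ] && emit_grant "$target" "$perm"
        fi
    done
}

# Count how many grant blocks a directory would produce (handy sanity check
# before appending the output to /etc/tomcat-x.y/catalina.policy).
policy_grant_count() {
    policy_grants_for_dir "$1" "$2" | grep -c '^grant codeBase'
}
```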
Comment 1 Martin Slota 2007-05-01 20:22:28 UTC
Created attachment 117886 [details]
working catalina.policy
Comment 2 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-05-15 04:45:11 UTC
An initial fix for this has been committed to the tree for both 5.5.x and 6.0.x. It works for Tomcat, but not the default webapps. Root seemed to work in 6.0.x and might in 5.5. But manager and host-manager need additional permissions. Patches to files in portage or etc are appreciated.

Beyond that, the format in the conf.d file and also in the init.d file has changed. So instead of
START="start -security"

it's now

START="-security start"

Clever huh :)

Leaving the bug open until all of Tomcat, including all webapps, can run with the security manager by default.
Comment 3 Łukasz Damentko (RETIRED) gentoo-dev 2008-10-30 16:21:01 UTC
Reassigning to herd since wltjr has left Gentoo, bug #135927.
Comment 4 Ralph Sennhauser (RETIRED) gentoo-dev 2012-12-07 12:56:11 UTC
For both tomcat 6 & 7, Gentoo hasn't patched the catalina.policy file for quite some time now. If this is still an issue with current releases, please file a new bug.

Thanks for the report.