diff --git a/tomcat-7.0.init b/tomcat-7.0.init
index c020083..f3a4f2b 100644
--- a/tomcat-7.0.init
+++ b/tomcat-7.0.init
@@ -66,6 +66,9 @@ TOMCAT_PROG="${NAME}"
 # Define the tomcat username
 TOMCAT_USER="${TOMCAT_USER:-tomcat}"
+# Define the tomcat group
+TOMCAT_GROUP="${TOMCAT_GROUP:-`id -gn $TOMCAT_USER`}"
+
 # Define the tomcat log file
 TOMCAT_LOG="${TOMCAT_LOG:-${CATALINA_HOME}/logs/${NAME}-initd.log}"
@@ -122,7 +125,7 @@ function makeHomeDir() {
 cp -pLR /usr/share/${NAME}/conf $CATALINA_HOME
 ln -fs /usr/share/java/tomcat ${CATALINA_HOME}/lib
 ln -fs /usr/share/tomcat/webapps ${CATALINA_HOME}/webapps
- chown ${TOMCAT_USER}:${TOMCAT_USER} /var/log/${NAME}
+ install -o ${TOMCAT_USER} -g ${TOMCAT_GROUP} -d -m 0770 /var/log/${NAME}
 fi
 }
@@ -166,11 +169,13 @@ function start() {
 # fix permissions on the log and pid files
 touch $CATALINA_PID 2>&1 || RETVAL="4"
 if [ "$RETVAL" -eq "0" -a "$?" -eq "0" ]; then
- chown ${TOMCAT_USER}:${TOMCAT_USER} $CATALINA_PID
+ install -o ${TOMCAT_USER} -g ${TOMCAT_GROUP} -m 644 /dev/null "${CATALINA_PID}"
 fi
 [ "$RETVAL" -eq "0" ] && touch $TOMCAT_LOG 2>&1 || RETVAL="4"
 if [ "$RETVAL" -eq "0" -a "$?" -eq "0" ]; then
- chown ${TOMCAT_USER}:${TOMCAT_USER} $TOMCAT_LOG
+ if [ ! -f "${TOMCAT_LOG}" ]; then
+ install -o ${TOMCAT_USER} -g ${TOMCAT_GROUP} -m 644 /dev/null "${TOMCAT_LOG}"
+ fi
 fi
 if [ "$CATALINA_HOME" != "/usr/share/tomcat" -a "$RETVAL" -eq "0" ]; then
 # Create a tomcat directory if it doesn't exist
diff --git a/tomcat.spec b/tomcat.spec
index 2db8839..edbfc34 100644
--- a/tomcat.spec
+++ b/tomcat.spec
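Review bot: The new `TOMCAT_GROUP` default on the added assignment line resolves the group with an unquoted backtick substitution, so if `id -gn` fails (for example when `TOMCAT_USER` is overridden to an account that does not exist) the variable silently becomes empty and every later `install -g ${TOMCAT_GROUP}` fails with an unhelpful "invalid group" error instead of a message that names the real cause. Prefer `TOMCAT_GROUP="${TOMCAT_GROUP:-$(id -gn "${TOMCAT_USER}")}"` and extend the comment to `# Define the tomcat group (defaults to the primary group of TOMCAT_USER)`. A follow-up check such as `[ -n "${TOMCAT_GROUP}" ] || RETVAL="4"` near the start of start() would make the failure explicit, though where that fits depends on code outside this hunk.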
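Review bot: The replacement `install -d` line in makeHomeDir() leaves `${TOMCAT_USER}`, `${TOMCAT_GROUP}` and `/var/log/${NAME}` unquoted, so an empty `TOMCAT_GROUP` (possible with the new default when `id` fails) turns `-g` into an option that consumes `-d` and changes what the command does; `install -o "${TOMCAT_USER}" -g "${TOMCAT_GROUP}" -d -m 0770 -- "/var/log/${NAME}"` avoids that. Note also that `-m 0770` is a visible behaviour change from the old chown-only line, which left the directory's existing mode untouched; the changelog entry does not mention it, and whether `install -d` re-applies mode and ownership to an already existing directory depends on the install implementation, so that is worth confirming on the target platform. The enclosing `if` and the function's opening are outside this hunk.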
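Review bot: The new `[ ! -f "${TOMCAT_LOG}" ]` guard in start() is evaluated immediately after `touch $TOMCAT_LOG` has succeeded, so on the normal path the file already exists and the guarded `install` never runs; a freshly created log keeps root ownership and the umask-derived mode, which makes the ownership fix effectively dead code. The same applies to the pid branch, where `touch $CATALINA_PID` is now redundant because the unconditional `install ... /dev/null` recreates the file anyway, and both `touch` calls still operate on an unquoted path and follow a pre-existing symlink, which is exactly what the switch to `install` was meant to avoid. I would drop both `touch` calls, let `install` create the files, and quote the expansions; start() begins and ends outside this hunk.
```shell
  # fix permissions on the log and pid files
  install -o "${TOMCAT_USER}" -g "${TOMCAT_GROUP}" -m 644 /dev/null "${CATALINA_PID}" 2>&1 || RETVAL="4"
  if [ "$RETVAL" -eq "0" ] && [ ! -f "${TOMCAT_LOG}" ]; then
    install -o "${TOMCAT_USER}" -g "${TOMCAT_GROUP}" -m 644 /dev/null "${TOMCAT_LOG}" 2>&1 || RETVAL="4"
  fi
  # … unchanged: CATALINA_HOME check and the rest of start() …
```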
@@ -640,6 +640,7 @@ fi
 %changelog
 * Fri Sep 23 2016 Coty Sutherland 0:7.0.70-4
 - Resolves: rhbz#1375582 CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header
+- Resolves: rhbz#1376718 CVE-2016-1240 tomcat: Local privilege escalation via unsafe file handling in the Tomcat init script
 * Wed Aug 17 2016 Coty Sutherland 0:7.0.70-3
 - Resolves: rhbz#1170797 remove tomcat6 dependency on redhat-lsb (and any other unnecessary ones)