Bug#845385: Privilege escalation via removal

Markus Koschany apo at debian.org
Tue Nov 29 23:20:35 UTC 2016


I think the solution is quite simple.

Let's replace

chown -Rhf root:root /etc/tomcat8/ || true

with

rm -rf /etc/tomcat8

I mean purge means purge. Remove all files, don't leave anything behind.

As another improvement suggestion for Tomcat 9, we could stop deleting
the tomcat user on purge and let the admin decide. I believe this is
even consensus within the project and will protect against reusing files
with the old GID and UID for something unintended.
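
As an added example (not the Debian tomcat8 maintainer script itself), a POSIX shell fragment with the purge step written as a plain removal rather than a recursive chown, plus a check for files still owned by a UID or GID that no longer exists in the account database, which is the leftover the second suggestion is about; the function names and the temporary paths used to try it are assumptions.

```shell
#!/bin/sh
# Added example, not the package's postrm. purge_confdir removes a
# configuration directory outright, so no chown ever touches the tree
# before it disappears; list_orphaned reports files whose numeric owner
# or group is no longer mapped to any account (the kind of file that a
# later account with the same UID/GID would silently inherit).

# purge_confdir DIR: remove DIR and everything below it. Only absolute
# paths are accepted, to avoid acting on a stray relative name. A symlink
# at DIR is unlinked, not followed, and file ownership is never changed.
purge_confdir() {
    dir=$1
    case $dir in
        /*) ;;
        *) echo "purge_confdir: refusing relative path: $dir" >&2; return 1 ;;
    esac
    rm -rf -- "$dir"
}

# list_orphaned ROOT: print paths under ROOT (one filesystem only) whose
# owner or group does not exist in /etc/passwd or /etc/group. Run this
# after a package purge that deleted a service account; output should be
# empty, and anything listed should be removed or re-owned deliberately.
list_orphaned() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null
}
```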