Bug#845385: Privilege escalation via removal

Markus Koschany apo at debian.org
Wed Nov 30 14:18:08 UTC 2016


On 30.11.2016 14:17, Emmanuel Bourg wrote:
> Le 22/11/2016 à 23:35, Paul Szabo a écrit :
> 
>> Then if the tomcat8 package is removed (purged?), the postrm script runs
>>   chown -Rhf root:root /etc/tomcat8/
>> and that will leave the file world-writable, setgid root
> 
> What about switching the files left to nobody:nogroup instead of
> root:root? That would be less disruptive for the stable and oldstable
> updates than removing /etc/tomcat8 completely.

I guess just removing /etc/tomcat8/Catalina would be an option too. As
far as I know nothing else requires it to be present after the removal
of Tomcat. If there were applications with such a dependency we should
take a look at them.

Markus
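An added example, not from this bug report or the tomcat8 package, of the two sides of the problem discussed above: a check that lists anything under a configuration directory that is both world-writable and setuid/setgid (the combination that becomes "setgid root" once a recursive chown to root:root runs over it), and a cleanup of the kind Markus suggests, which drops the Catalina subdirectory instead of re-owning it. The directory layout it operates on is assumed; the test builds a throwaway copy rather than touching a real /etc/tomcat8.

```shell
#!/bin/sh
# Added example (not the tomcat8 postrm): helpers a packager could use to
# audit a leftover configuration tree before or instead of
#   chown -Rhf root:root <dir>
# which would hand any setuid/setgid bit on a world-writable entry to root.

# Print every entry under $1 that is world-writable AND setuid or setgid.
risky_entries() {
    find "$1" -perm -0002 \( -perm -2000 -o -perm -4000 \) 2>/dev/null
}

# Exit 0 when no such entry exists, 1 otherwise.
tree_is_clean() {
    [ -z "$(risky_entries "$1")" ]
}

# Cleanup in the spirit of the thread: remove the Catalina subdirectory
# outright rather than re-owning it, then report whether the remaining
# tree is free of the hazardous bit combination. $1 is the configuration
# directory root (assumed path, e.g. a test copy of /etc/tomcat8).
cleanup_conf_dir() {
    conf="$1"
    if [ -d "$conf/Catalina" ]; then
        rm -rf "$conf/Catalina"
    fi
    tree_is_clean "$conf"
}
```

Run `risky_entries /path/to/dir` on a copy of the tree a postrm is about to chown; a non-empty listing is the condition the bug report describes. Note that Linux clears setuid/setgid on regular files when their owner changes, but not on directories, which is why the directory case matters here.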
