Bug#461355: tomcat5.5: More restrictive JULI permissions break java.util.logging.

[Alexander Hvostov]

On Sunday 20 January 2008, you wrote:
> Upstream has this in catalina.properties (in SVN, not yet released).
>
>         // To enable per context logging configuration, permit read
> access to the appropriate file. // Be sure that the logging
> configuration is secure before enabling such access // eg for the
> examples web application:
>         // permission java.io.FilePermission
> "${catalina.base}${file.separator}webapps${file.separator}examples${fil
>e.separator}WEB-INF${file.separator}classes${file.separator}logging.prop
>erties", "read";

Yes, you can find that text in /etc/tomcat5.5/policy.d/03catalina.policy 
in Debian. However, this isn't automatic -- the provided rule only 
applies to the example webapps, and similar rules have to be added for 
every webapp that uses java.util.logging.

> > I'm afraid this is a far bigger project than I'm willing to take on,
> > but perhaps someone among the Apache folks will do it, so why not
> > forward this bug upstream?
>
> Is this really a bug upstream? We should not report bugs there that are
> none there. Can someone build upstream SVN and test that a bit?

I'm building it now. It's downloading all the dependencies and that's 
going to take a while, but I'll say what my results are.

For now, it does indeed appear to be an upstream bug, since upstream code 
is neither failing gracefully nor dynamically adjusting the policy, thus 
causing default installations to fail unless the policy is manually 
modified.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20080120/00a74861/attachment-0001.pgp