[Bug 520038] New: tomcat security update broke Tomcat6
http://bugzilla.novell.com/show_bug.cgi?id=520038

           Summary: tomcat security update broke Tomcat6
    Classification: openSUSE
           Product: openSUSE 11.0
           Version: Final
          Platform: Other
        OS/Version: openSUSE 11.0
            Status: NEW
          Severity: Critical
          Priority: P5 - None
         Component: Apache
        AssignedTo: bnc-team-apache@forge.provo.novell.com
        ReportedBy: marc@marcchamberlin.com
         QAContact: qa@suse.de
          Found By: ---

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.11) Gecko/2009060200 SUSE/3.0.11-0.1 Firefox/3.0.11

I just received a security update for Tomcat6 and it has broken the server. I had an install error that I traced to an attempt to overwrite the Catalina directory with a link, so I temporarily removed the Catalina directory to allow the install to proceed. Now I have script errors and apparently directories misplaced, and am in the process of trying to fix this mess. I will report back as I discover things, but someone somewhere has really mucked up Tomcat6 with this latest security release...

Reproducible: Always

Steps to Reproduce:
1. Install the security update, it breaks.
2. Follow what I described in the Details section to get the install to work.
3. Try doing something like rctomcat stop or rctomcat restart

Actual Results:
Doing an rctomcat stop (ditto for rctomcat restart) gave me stuff like the following -

rctomcat6 stop
Stopping rctomcat6: ERROR: List of process IDs must follow --pid.
********* simple selection *********  ********* selection by list *********
-A all processes                      -C by command name
-N negate selection                   -G by real group ID (supports names)
-a all w/ tty except session leaders  -U by real user ID (supports names)
-d all except session leaders         -g by session OR by effective group name
-e all processes                      -p by process ID
T  all processes on this terminal     -s processes in the sessions given
a  all w/ tty, including other users  -t by tty
g  OBSOLETE -- DO NOT USE             -u by effective user ID (supports names)
r  only running processes             U  processes for specified users
x  processes w/o controlling ttys     t  by tty
*********** output format **********  *********** long options ***********
-o,o user-defined  -f full            --Group --User --pid --cols --ppid
-j,j job control   s  signal          --group --user --sid --rows --info
-O,O preloaded -o  v  virtual memory  --cumulative --format --deselect
-l,l long          u  user-oriented   --sort --tty --forest --version
-F   extra full    X  registers       --heading --no-heading --context
                    ********* misc options *********
-V,V  show version      L  list format codes  f  ASCII art forest
-m,m,-L,-T,H  threads   S  children in sum    -y change -l format
-M,Z  security data     c  true command name  -c scheduling class
-w,w  wide output       n  numeric WCHAN,UID  -H process hierarchy
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
/usr/sbin/rctomcat6: line 244: [: : integer expression expected
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
ERROR: List of process IDs must follow --pid.
/usr/sbin/rctomcat6: line 244: [: : integer expression expected
ERROR: List of process IDs must follow --pid.
Usage: grep [OPTION]... PATTERN [FILE]...

Expected Results:
Should have been able to stop and restart the tomcat6 server as it normally is done.

Somehow doing a rctomcat start will start the server, but it is no longer using the webapps directories under /srv/tomcat6 and is bringing up the basic tomcat documentation sample instead. So something else has also gone wrong with this install that I do not yet understand.

-- 
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=520038#c5
--- Comment #5 from Michal Vyskocil
> Ok Michal, the patch did restore the ability to stop and restart the tomcat6
> server, but stopping seems to be taking an extraordinarily long time. So thanks
> for fixing it.

Please give me the output of sh -x /etc/init.d/tomcat6 stop, I'll try to check where the problem is. The tomcat6 on 11.0 used the init script from the jpackage.org project, which was replaced by SUSE's own version in 11.1, so there might be problems.

> In trying to get things back to a working state (and again, the only thing that
> has happened which affected the tomcat6 server was this security update I got,
> so I do not know if it is the cause of these problems or just exposed them) I
> discovered a couple of other problems...
>
> 1. I deleted all the log files under /var/log/tomcat6 in order to get fresh
> copies of them. Subsequently I restarted the tomcat6 server using "rctomcat6
> restart" and it failed. I noted that it had attempted to create the log file
> catalina.out with an owner of root and permissions of rw-r-r, and then it
> subsequently tried to write to this file with a user id of tomcat, which causes
> the failure. So something in the scripts is setting up the catalina.out file
> with the wrong user and permissions. I manually changed the permissions to
> rw-rw-r and that worked (on my system I also made the tomcat user a member of
> the root group). Once up and running, I noted that the owner of catalina.out
> had changed to the tomcat user.. Interesting!

That's strange, because there's the following sequence in function start:

    # fix permissions on the log and pid files
    export CATALINA_PID="/var/run/${NAME}.pid"
    touch $CATALINA_PID
    chown ${TOMCAT_USER}:${TOMCAT_USER} $CATALINA_PID
    touch $TOMCAT_LOG
    chown ${TOMCAT_USER}:${TOMCAT_USER} $TOMCAT_LOG

Could you give me the output of sh -x again?

> 2. A more serious error also took place in my webapps/ROOT directory. My own
> index.html file that was located there was replaced by the default index.html
> file that comes with the base tomcat6 installation. In other words, the
> index.html that the Jakarta-Apache folks supply showing documentation on the
> tomcat server itself. THIS HAD TO HAVE RESULTED SOMEHOW FROM THIS SECURITY
> UPDATE!!! I have NOT changed anything else in these directories for some time
> now. (Good thing I have everything in the webapps directory backed up, so I was
> able to restore it easily enough.)

That's a serious problem. Those files need to be marked as %config(noreplace) to avoid it in future. I moved this issue to another bug, bug#520532 - I added you to CC, so feel free to comment on it there.
http://bugzilla.novell.com/show_bug.cgi?id=520038#c9
Michal Vyskocil
> Michal, here is the output from doing a stop on the tomcat server. Looks like a
> loop is taking place and timing out while tracking down the process id?

I'm not sure where the problem is. The tomcat is stopped using the following call:

+ /bin/su - tomcat -c ' export JAVA_HOME="/etc/alternatives/jre" ; export CATALINA_BASE="/usr/share/tomcat6" ; export CATALINA_HOME="/usr/share/tomcat6" ; export JASPER_HOME="/usr/share/tomcat6" ; export CATALINA_TMPDIR="/var/cache/tomcat6/temp" ; export TOMCAT_USER="tomcat" ; export SECURITY_MANAGER="false" ; export SHUTDOWN_WAIT="30" ; export SHUTDOWN_VERBOSE="false" ; export CATALINA_PID="/var/run/tomcat6.pid" ; export JAVA_HOME="" ; export JAVA_OPTS="" ; export TOMCAT_OPTS="" ; export CATALINA_OPTS="" ; /usr/bin/dtomcat6 stop'

where there is something like

    elif [ "$1" = "stop" ]; then
      ${JAVA_HOME}/bin/java $JAVA_OPTS \
        -classpath "$CLASSPATH" \
        -Dcatalina.base="$CATALINA_BASE" \
        -Dcatalina.home="$CATALINA_HOME" \
        -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" \
        -Djava.io.tmpdir="$CATALINA_TMPDIR" \
        org.apache.catalina.startup.Bootstrap stop \
        >> ${CATALINA_BASE}/logs/catalina.out 2>&1

which may stop the daemon. I'm unsure about the return value, but it seems that nonzero is an error (e.g. no process is running) and zero is a successful start of stopping. Maybe there is something in the logs which causes it to take a long time to stop... can you test?
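An added example, not code from the bug or from the openSUSE package: the pid-file handling an rc script needs so that an empty or garbled /var/run/tomcat6.pid cannot produce the "List of process IDs must follow --pid" and "[: : integer expression expected" errors quoted in the report. The pid-file path and the use of the kill -0 shell builtin (instead of ps --pid) as the liveness probe are assumptions.

```shell
#!/bin/sh
# Example (not the openSUSE rctomcat6 script): validate the pid file before
# anything from it reaches ps, kill or "[ ... ]". The original script fed the
# raw file contents straight to "ps --pid" and an integer test, so an empty
# pid file dumped the ps usage text and broke the "[" comparison.
# PIDFILE path is an assumption; kill -0 is used instead of ps so the check
# also works where procps is not installed.
PIDFILE="${PIDFILE:-/var/run/tomcat6.pid}"

# read_pid FILE: print the pid stored in FILE if, and only if, it is a plain
# positive integer. Returns 1 and prints nothing for a missing, empty or
# garbled file, so a caller can never pass "" or "0" on to ps or kill.
read_pid() {
    pid=$(head -n 1 "$1" 2>/dev/null | tr -d '[:space:]')
    case "$pid" in
        ''|0*|*[!0-9]*) return 1 ;;   # empty, zero/leading zero, non-digits
    esac
    printf '%s\n' "$pid"
}

# tomcat_status [FILE]: LSB-style status codes. 0 = running, 1 = pid file
# present but unusable or its process is gone (stale), 3 = no pid file.
tomcat_status() {
    pidfile="${1:-$PIDFILE}"
    if ! pid=$(read_pid "$pidfile"); then
        if [ -e "$pidfile" ]; then
            return 1    # file exists but holds no usable pid
        fi
        return 3        # no pid file: service not running
    fi
    if kill -0 "$pid" 2>/dev/null; then
        return 0        # validated pid, process alive
    fi
    return 1            # stale pid file left behind by a dead process
}
```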