Hello community, here is the log from the commit of package tomcat for openSUSE:Factory checked in at 2020-07-31 15:55:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tomcat (Old) and /work/SRC/openSUSE:Factory/.tomcat.new.3592 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tomcat"
Fri Jul 31 15:55:04 2020 rev:70 rq:823636 version:9.0.36
Changes:
--------
--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes 2020-06-26 21:49:53.622686493 +0200
+++ /work/SRC/openSUSE:Factory/.tomcat.new.3592/tomcat.changes 2020-07-31 15:58:46.356448400 +0200
@@ -1,0 +2,10 @@
+Wed Jul 29 20:48:14 UTC 2020 - Matei Albu <malbu@suse.com>
+
+- Don't give write permissions for the tomcat group on files and
+ directories where it's not needed (bsc#1172562)
+- Change tomcat.pid location from /var/run to /run (bsc#1173103)
+- Use the /sbin/nologin shell when creating the tomcat user
+- Use %tmpfiles_create macro in %post instead of calling
+ systemd-tmpfiles directly
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ tomcat.spec ++++++
--- /var/tmp/diff_new_pack.S1CdEq/_old 2020-07-31 15:58:54.180451087 +0200
+++ /var/tmp/diff_new_pack.S1CdEq/_new 2020-07-31 15:58:54.184451091 +0200
@@ -335,7 +335,6 @@
 install -d -m 0755 %{buildroot}%{_sbindir}
 install -d -m 0755 %{buildroot}%{_javadocdir}/%{name}
 install -d -m 0755 %{buildroot}%{_initddir}
-install -d -m 0755 %{buildroot}%{_systemddir}
 install -d -m 0755 %{buildroot}%{_sysconfdir}/logrotate.d
 install -d -m 0755 %{buildroot}%{_sysconfdir}/sysconfig
 install -d -m 0755 %{buildroot}%{appdir}
@@ -343,7 +342,7 @@
 install -d -m 0755 %{buildroot}%{bindir}
 install -d -m 0775 %{buildroot}%{confdir}
 install -d -m 0755 %{buildroot}%{cachedir}/Catalina/localhost
-install -d -m 0775 %{buildroot}%{confdir}/conf.d
+install -d -m 0755 %{buildroot}%{confdir}/conf.d
 /bin/echo "Place your custom *.conf files here. Shell expansion is supported." > %{buildroot}%{confdir}/conf.d/README
 install -d -m 0755 %{buildroot}%{libdir}
 install -d -m 0775 %{buildroot}%{logdir}
@@ -575,7 +574,7 @@
 mkdir -p %{buildroot}%{_tmpfilesdir}
 cat > %{buildroot}%{_tmpfilesdir}/%{name}.conf <<EOF
-f %{_localstatedir}/run/%{name}.pid 0644 tomcat tomcat -
+f /run/%{name}.pid 0644 tomcat tomcat -
 EOF
 # Install tool used to edit server.xml
@@ -589,13 +588,14 @@
 # add the tomcat user and group
 %{_sbindir}/groupadd -r tomcat 2>/dev/null || :
 %{_sbindir}/useradd -c "Apache Tomcat" -g tomcat \
- -s /bin/sh -r -d %{homedir} tomcat 2>/dev/null || :
+ -s /sbin/nologin -r -d %{homedir} tomcat 2>/dev/null || :
 %service_add_pre %{name}.service
 
 %post
 %service_add_post %{name}.service
+%service_add_post %{name}@.service
 %{fillup_only %{name}}
-%{_bindir}/systemd-tmpfiles --create >/dev/null 2>&1 || :
+%tmpfiles_create %_tmpfilesdir/%{name}.conf
 
 %preun
 %service_del_preun %{name}.service
@@ -684,7 +684,7 @@
 fi
 
 %files
-%defattr(0664,root,tomcat,0755)
+%defattr(-,root,root)
 %doc {LICENSE,NOTICE,RELEASE*}
 %attr(0755,root,root) %{_bindir}/%{name}-digest
 %attr(0755,root,root) %{_bindir}/%{name}-tool-wrapper
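Review bot: The new `%service_add_post %{name}@.service` in %post has no matching registration for the template unit — the `%service_add_pre` in the same hunk still lists only `%{name}.service`, and the %preun context below likewise names only `%{name}.service` (the %postun is outside the hunk). The openSUSE systemd macros expect every unit to go through the whole add_pre/add_post/del_preun/del_postun sequence, so the template unit should be passed in each place: `%service_add_pre %{name}.service %{name}@.service` and `%service_del_preun %{name}.service %{name}@.service`, with %postun checked too. Separately, `%tmpfiles_create %_tmpfilesdir/%{name}.conf` is the only line here that writes the macro without braces; `%{_tmpfilesdir}` keeps it consistent with the %install lines in the -575 hunk.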
@@ -704,41 +704,43 @@
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
 %attr(0755,root,tomcat) %dir %{basedir}
 %attr(0755,root,tomcat) %dir %{confdir}
-%defattr(0664,tomcat,root,0770)
 %attr(0775,root,tomcat) %dir %{appdir}
-%attr(0770,tomcat,root) %{logdir}
+%attr(0770,tomcat,root) %dir %{logdir}
 %attr(0660,tomcat,tomcat) %{logdir}/catalina.out
-%attr(0770,root,tomcat) %{cachedir}
-%defattr(0664,root,tomcat,0770)
+%attr(0770,root,tomcat) %dir %{cachedir}
+%attr(0775,root,tomcat) %dir %{cachedir}/Catalina
+
+# tomcat group writtable dirs - bnc#625415
 %attr(0770,root,tomcat) %dir %{tempdir}
 %attr(0770,root,tomcat) %dir %{workdir}
 %attr(0775,root,tomcat) %dir %{tomcatappdir}
-# tomcat group writtable dirs - bnc#625415
-%defattr(0664,root,tomcat,0775)
+
 %{confdir}/Catalina
-%attr(0775,root,tomcat) %dir %{confdir}/conf.d
-%attr(0664,tomcat,tomcat) %{confdir}/conf.d/README
-%attr(0664,tomcat,tomcat) %config(noreplace) %{confdir}/%{name}.conf
-%attr(0664,tomcat,tomcat) %config(noreplace) %{confdir}/*.policy
-%attr(0664,tomcat,tomcat) %config(noreplace) %{confdir}/*.properties
-%attr(0664,tomcat,tomcat) %config(noreplace) %{confdir}/context.xml
-%attr(0664,tomcat,tomcat) %config(noreplace) %{confdir}/server.xml
-%attr(0660,tomcat,tomcat) %config(noreplace) %{confdir}/tomcat-users.xml
-%attr(0664,tomcat,tomcat) %config(noreplace) %{confdir}/web.xml
-%attr(0664,tomcat,tomcat) %config(noreplace) %{confdir}/jaspic-providers.xml
-%dir %{homedir}
-%{_tmpfilesdir}/%{name}.conf
-%{bindir}/bootstrap.jar
-%{bindir}/catalina-tasks.xml
+%attr(0755,root,tomcat) %dir %{confdir}/conf.d
+%attr(0644,root,tomcat) %{confdir}/conf.d/README
+%attr(0644,root,tomcat) %config(noreplace) %{confdir}/%{name}.conf
+%attr(0644,root,tomcat) %config(noreplace) %{confdir}/*.policy
+%attr(0644,root,tomcat) %config(noreplace) %{confdir}/*.properties
+%attr(0644,root,tomcat) %config(noreplace) %{confdir}/context.xml
+%attr(0644,root,tomcat) %config(noreplace) %{confdir}/server.xml
+# keep tomcat-users.xml readable only by root and tomcat group
+%attr(0640,root,tomcat) %config(noreplace) %{confdir}/tomcat-users.xml
+%attr(0644,root,tomcat) %config(noreplace) %{confdir}/web.xml
+%attr(0644,root,tomcat) %config(noreplace) %{confdir}/jaspic-providers.xml
+%attr(0755,root,tomcat) %dir %{homedir}
+%attr(0644,root,tomcat) %{_tmpfilesdir}/%{name}.conf
+%attr(0644,root,tomcat) %{bindir}/bootstrap.jar
+%attr(0644,root,tomcat) %{bindir}/catalina-tasks.xml
 %{homedir}/lib
 %{homedir}/temp
 %{homedir}/webapps
 %{homedir}/work
 %{homedir}/logs
 %{homedir}/conf
-%{_fillupdir}/sysconfig.%{name}
+%attr(0644,root,tomcat) %{_fillupdir}/sysconfig.%{name}
 
 %files admin-webapps
+%defattr(0644,root,tomcat,0755)
 %{tomcatappdir}/host-manager
 %config(noreplace) %{tomcatappdir}/host-manager/META-INF/context.xml
 %{tomcatappdir}/manager
@@ -786,6 +788,7 @@
 %ghost %{_sysconfdir}/alternatives/servlet
 
 %files webapps
+%defattr(0644,tomcat,tomcat,0755)
 #bnc#520532
 %config(noreplace) %{tomcatappdir}/ROOT
 %{tomcatappdir}/examples
++++++ tomcat-9.0.init ++++++
--- /var/tmp/diff_new_pack.S1CdEq/_old 2020-07-31 15:58:54.296451197 +0200
+++ /var/tmp/diff_new_pack.S1CdEq/_new 2020-07-31 15:58:54.300451201 +0200
@@ -77,7 +77,7 @@
 # Define the tomcat log file
 TOMCAT_LOG="${TOMCAT_LOG:-${CATALINA_HOME}/logs/${NAME}-initd.log}"
 # Define the tomcat pid file
-export CATALINA_PID="/var/run/${NAME}.pid"
+export CATALINA_PID="/run/${NAME}.pid"
 RETVAL="0"
@@ -193,8 +193,8 @@
 function start() {
 echo -n "Starting Tomcat ($CATALINA_BASE)"
 if [ -f "/var/run/rc${NAME}" ] ; then
- if [ -f "/var/run/${NAME}.pid" ]; then
- read kpid < /var/run/${NAME}.pid
+ if [ -f "/run/${NAME}.pid" ]; then
+ read kpid < /run/${NAME}.pid
 if checkpid $kpid 2>&1; then
 echo "$NAME process already running"
 rc_failed 0
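Review bot: `server.xml` and `context.xml` are packaged 0644 root:tomcat, i.e. world-readable, while `tomcat-users.xml` in the same hunk gets 0640 with a comment explaining why. server.xml is where connector keystore passwords live and context.xml is where JNDI resource credentials go, so they deserve the same protection; the service only needs group read: `%attr(0640,root,tomcat) %config(noreplace) %{confdir}/server.xml` and likewise for context.xml. Separately, `%{confdir}/Catalina` is now listed with no %attr of its own and so falls under the `%defattr(-,root,root)` introduced in the -684 hunk, whereas the removed `%defattr(0664,root,tomcat,0775)` used to make that tree group-writable; if Tomcat's host autodeploy writes context descriptors into it, those writes will now be denied — confirm, or give it an explicit `%attr(0775,root,tomcat) %dir`. The moved comment also keeps the `writtable` typo.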
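Review bot: `%defattr(0644,tomcat,tomcat,0755)` at the top of `%files webapps` makes the whole `ROOT` and `examples` trees owned by the service user, so the running Tomcat process can rewrite the content it serves — the opposite of what the bsc#1172562 entry in the changelog sets out to do, and different from the `admin-webapps` section in the previous hunk, which uses root:tomcat. If ROOT has to stay tomcat-owned for bnc#520532, keep that to the one entry: `%defattr(0644,root,tomcat,0755)` as the default and `%attr(-,tomcat,tomcat) %config(noreplace) %{tomcatappdir}/ROOT`. The examples webapp in particular has no need to be writable by the service.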
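Review bot: The rewritten `read kpid < /run/${NAME}.pid` still reads without `-r` and then passes `$kpid` unquoted to `checkpid`; the pid file is handed to the service user by the `chown` in the -205 hunk, so its content is written by the unprivileged process and should be validated before the root-run script acts on it. Suggested: `read -r kpid < "/run/${NAME}.pid"`, `case "$kpid" in ''|*[!0-9]*) kpid= ;; esac`, `if [ -n "$kpid" ] && checkpid "$kpid" 2>&1; then`. The same two lines recur in `status()` (the -249 hunk) and in the stop path (the -278 hunk), where `$kpid` additionally goes unquoted into `ps --pid` and `grep -c`. `start()` opens inside this hunk and ends outside it.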
@@ -205,7 +205,7 @@
 fi
 fi
 # fix permissions on the log and pid files
- export CATALINA_PID="/var/run/${NAME}.pid"
+ export CATALINA_PID="/run/${NAME}.pid"
 touch $CATALINA_PID
 chown --no-dereference ${TOMCAT_USER}:${TOMCAT_USER} $CATALINA_PID
 touch $TOMCAT_LOG
@@ -249,8 +249,8 @@
 # NOTE: checkproc returns LSB compliant status values.
 function status() {
 echo -n "Checking for Tomcat ($CATALINA_BASE)"
- if [ -f "/var/run/${NAME}.pid" ]; then
- read kpid < /var/run/${NAME}.pid
+ if [ -f "/run/${NAME}.pid" ]; then
+ read kpid < /run/${NAME}.pid
 if checkpid $kpid 2>&1; then
 rc_failed 0
 else
@@ -278,8 +278,8 @@
 RETVAL="$?"
 if [ "$RETVAL" -eq "0" ]; then
 count="0"
- if [ -f "/var/run/${NAME}.pid" ]; then
- read kpid < /var/run/${NAME}.pid
+ if [ -f "/run/${NAME}.pid" ]; then
+ read kpid < /run/${NAME}.pid
 until [ "$(ps --pid $kpid | grep -c $kpid)" -eq "0" ] || \
 [ "$count" -gt "$SHUTDOWN_WAIT" ]; do
 if [ "$SHUTDOWN_VERBOSE" = "true" ]; then
@@ -301,7 +301,7 @@
 echo -n -e "\n"
 fi
 fi
- rm -f /var/run/rc${NAME} /var/run/${NAME}.pid
+ rm -f /var/run/rc${NAME} /run/${NAME}.pid
 if [ "${CLEAR_WORK}" = "true" ]; then
 echo -n "Cleaning work directory: "
 find ${CATALINA_HOME}/work/{Catalina,temp} -mindepth 2 -type d -print0 | xargs -0 rm -rf
@@ -350,7 +350,7 @@
 echo -n "Reload service Tomcat ($CATALINA_BASE)"
 ## if it supports it:
 #killproc -HUP $TOMCAT_BIN
- #touch /var/run/FOO.pid
+ #touch /run/FOO.pid
 #rc_status -v
 
 ## Otherwise:
@@ -364,7 +364,7 @@
 # If it supports signalling:
 #echo -n "Reload service FOO"
 #killproc -HUP $TOMCAT_BIN
- #touch /var/run/FOO.pid
+ #touch /run/FOO.pid
 #rc_status -v
 
 ## Otherwise if it does not support reload:
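Review bot: `rm -f /var/run/rc${NAME} /run/${NAME}.pid` now removes the script's two state files from different directories, and the `-f "/var/run/rc${NAME}"` test in `start()` (the -193 hunk) keeps the marker under /var/run. Where /var/run is a symlink to /run the two paths coincide; where it is a real directory the marker could outlive a tmpfs /run across a reboot while the pid file does not. Presumably the narrow scope of bsc#1173103 is intentional, but moving the marker alongside the pid file keeps the script self-consistent: `rm -f /run/rc${NAME} /run/${NAME}.pid`. The enclosing function starts and ends outside this hunk.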