Posted to dev@tomcat.apache.org by Filip Hanik - Dev Lists <de...@hanik.com> on 2008/09/02 20:37:25 UTC

[VOTE] Release build 5.5.27

The candidate binaries are available here:
http://people.apache.org/~fhanik/tomcat/tomcat-5.5/v5.5.27/

According to the release process, the 5.5.27 tag is:
[ ] Broken
[ ] Alpha
[ ] Beta
[ ] Stable




---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: [VOTE] Release build 5.5.27

Posted by Yoav Shapira <yo...@apache.org>.
On Wed, Sep 3, 2008 at 1:58 PM, Filip Hanik - Dev Lists
<de...@hanik.com> wrote:
> I won't stop this release, there are way too many important fixes.
> the only way this release won't happen, is if we don't get 3+ stable votes,
> then we do another release

You don't need 3 stable votes.  You need three votes from committers
period.  They could all be alpha, or all beta, or all stable.  We've
done plenty of alpha and beta releases before.

Yoav



Re: [VOTE] Release build 5.5.27

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
I won't stop this release, there are way too many important fixes.
the only way this release won't happen, is if we don't get 3+ stable votes,
then we do another release

Filip

George Sexton wrote:
>
>
> William A. Rowe, Jr. wrote:
>> George Sexton wrote:
>>>
>>> I guess I'm not understanding how you use the term regression. 
>>> 5.5.25 for sure did not have this problem.
>>>
>>> 5.5.26 introduced it, and 5.5.27 has it.
>>>
>>> How do you mean regression?
>>
>> x.y.-1 was free of it and x.y.-0 demonstrated it.
>>
>> This is x.y.-2 is free of it, x.y.-1 demonstrated it, and x.y.-0 still
>> has it.  From the perspective of a release manager, this is no reason
>> to stop the release.  It's certainly a good idea to do *another* release
>> in the near future to address it, but not to keep the fixes between
>> 5.5.26 and 5.5.27 out of users' hands.
>
> I think using your definition, it is then a regression.
>
> For me this is a critical error. Tomcat 5.5.26 and 5.5.27 don't work 
> when run under the security manager.
>
> It's really not a trivial corner case. Did you look at my stack trace 
> from Saturday? Trying to open a socket in one part of my code 
> triggered the bug. The class loader is looking for a 
> logging.properties in context/WEB-INF/classes and it's bombing.
>
> I'm really not trying to be overly picky here, but if the whole 
> security manager functionality is broken, that's a pretty big thing. 
> The fact that it was broken in the last release, and will be broken in 
> the new release is even worse.
>
> From now until the NEXT release is created, people will be posting it 
> as a bug, which will then get marked RESOLVED, INVALID. They will then 
> re-open and wonder why it was closed. It will then be explained that 
> the fix is in CVS and that's why it was closed. The end user will then 
> want to know when the release with the fix will be present.
>
> Whatever. I've made my opinion known. If the release gets done with 
> the bug still in it, then I'm a big enough boy to apply the patch and 
> re-compile it so things work.
>
>




Re: [VOTE] Release build 5.5.27

Posted by George Sexton <gs...@mhsoftware.com>.

Rainer Jung wrote:
> As far as I understand the issue, the solution is to use the correct 
> security manager profile. In catalina.policy there is already a comment 
> how to do that (search for "per context logging").
> 

Just to be perfectly clear. This bug means that tomcat will not work in 
security manager mode UNLESS per-context logging is configured in 
catalina.policy.


-- 
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL:   http://www.mhsoftware.com/



Re: [VOTE] Release build 5.5.27

Posted by George Sexton <gs...@mhsoftware.com>.

Rainer Jung wrote:
> George Sexton wrote:
>> I will try a wild-card permission and see what happens.
> 
> Thank you. One caveat: I tried to end the path with
> "${file.separator}-", but that doesn't work. When using the trailing "-"
> syntax, you really have to use a real file separator, not the variable :(
> 

Thanks for the tip. That probably would have driven me nuts.

I tried the wild card permission, and it does "solve" the problem. I had 
to give the permission to the top of my webapps directory. I did a quick 
audit of the code, and don't see anything that global read would be bad 
for.

If you modify catalina.policy to "solve" the problem, you're opening 
things up in the future for a security hole. Someone will add something 
to the jar that can do an arbitrary read and then bang, there's a major 
vulnerability staring at you.

From a philosophical standpoint, having to create a policy log entry so 
the system doesn't throw an exception looking for a non-existent file is 
not desirable.



-- 
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL:   http://www.mhsoftware.com/



Re: [VOTE] Release build 5.5.27

Posted by Rainer Jung <ra...@kippdata.de>.
George Sexton wrote:
> I will try a wild-card permission and see what happens.

Thank you. One caveat: I tried to end the path with
"${file.separator}-", but that doesn't work. When using the trailing "-"
syntax, you really have to use a real file separator, not the variable :(

> Rainer Jung wrote:
>> George Sexton wrote:
>>> Rainer Jung wrote:
>>> I have 250+ virtual hosts per tomcat instance. It seems like a lot of
>>> overhead that I'm not interested in.
>>>
>>> How would I add the correct configuration to catalina.policy for 250
>>> virtual hosts/contexts into catalina.policy?
>>>
>>> It seems to me that I would have to either make many entries or make one
>>> generic entry that over-assigns permissions.
>>>
>>> Complicating matters, using the host manager, I deploy new virtual
>>> hosts/contexts on the fly while the servlet engine is running. Is there
>>> a mechanism for dynamically updating catalina.policy?
>>
>> How about adding something like
>>
>>    permission java.io.FilePermission
>>    "${catalina.base}${file.separator}webapps/-", "read";
>>
>> to the block starting with
>>
>>    grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar"
>>
>> The security manager should mainly protect you somehow against malicious
>> webapp code. So giving those permissions to tomcat-juli doesn't seem to
>> be too big a problem. You can even narrow that down to giving it only to
>> the class org.apache.juli.ClassLoaderLogManager.
>>
>> I don't know how the file system layout of the webapps for all your
>> vhosts looks like, but wouldn't something like this be a good compromise
>> for 5.5.27?
>>
>> Regards,
>>
>> Rainer



Re: [VOTE] Release build 5.5.27

Posted by George Sexton <gs...@mhsoftware.com>.
I will try a wild-card permission and see what happens.

Rainer Jung wrote:
> George Sexton wrote:
>> Rainer Jung wrote:
>> I have 250+ virtual hosts per tomcat instance. It seems like a lot of
>> overhead that I'm not interested in.
>>
>> How would I add the correct configuration to catalina.policy for 250
>> virtual hosts/contexts into catalina.policy?
>>
>> It seems to me that I would have to either make many entries or make one
>> generic entry that over-assigns permissions.
>>
>> Complicating matters, using the host manager, I deploy new virtual
>> hosts/contexts on the fly while the servlet engine is running. Is there
>> a mechanism for dynamically updating catalina.policy?
> 
> How about adding something like
> 
>    permission java.io.FilePermission
>    "${catalina.base}${file.separator}webapps/-", "read";
> 
> to the block starting with
> 
>    grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar"
> 
> The security manager should mainly protect you somehow against malicious
> webapp code. So giving those permissions to tomcat-juli doesn't seem to
> be too big a problem. You can even narrow that down to giving it only to
> the class org.apache.juli.ClassLoaderLogManager.
> 
> I don't know how the file system layout of the webapps for all your
> vhosts looks like, but wouldn't something like this be a good compromise
> for 5.5.27?
> 
> Regards,
> 
> Rainer
> 

-- 
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL:   http://www.mhsoftware.com/



Re: [VOTE] Release build 5.5.27

Posted by Rainer Jung <ra...@kippdata.de>.
George Sexton wrote:
> Rainer Jung wrote:
> I have 250+ virtual hosts per tomcat instance. It seems like a lot of
> overhead that I'm not interested in.
> 
> How would I add the correct configuration to catalina.policy for 250
> virtual hosts/contexts into catalina.policy?
> 
> It seems to me that I would have to either make many entries or make one
> generic entry that over-assigns permissions.
> 
> Complicating matters, using the host manager, I deploy new virtual
> hosts/contexts on the fly while the servlet engine is running. Is there
> a mechanism for dynamically updating catalina.policy?

How about adding something like

   permission java.io.FilePermission
   "${catalina.base}${file.separator}webapps/-", "read";

to the block starting with

   grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar"

The security manager should mainly protect you somehow against malicious
webapp code. So giving those permissions to tomcat-juli doesn't seem to
be too big a problem. You can even narrow that down to giving it only to
the class org.apache.juli.ClassLoaderLogManager.

I don't know how the file system layout of the webapps for all your
vhosts looks like, but wouldn't something like this be a good compromise
for 5.5.27?

Regards,

Rainer
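
Added example, not part of the original thread and not Tomcat code: a small Python audit that lists the java.io.FilePermission grants per codeBase in a policy file and marks recursive ("/-") targets like the one proposed above, as well as targets ending in "${file.separator}-", the form reported in this thread as not working. The policy text is a constructed sample, and the names audit_policy, broad_grants and scope_of are made up for this example.

```python
import re
from collections import namedtuple

# Constructed sample modelled on the grant proposed in the thread;
# it is not a copy of any real catalina.policy.
SAMPLE_POLICY = r'''
// constructed sample for the audit below
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
    permission java.io.FilePermission
        "${catalina.base}${file.separator}webapps/-", "read";
    permission java.io.FilePermission
        "${catalina.base}${file.separator}logs${file.separator}-", "read,write";
    permission java.io.FilePermission
        "${catalina.base}/webapps/examples/WEB-INF/classes/logging.properties", "read";
};
'''

Finding = namedtuple("Finding", "codebase target actions scope")

# Matches either a grant header (optionally with codeBase) or a FilePermission
# entry. signedBy/principal clauses are not handled (assumption: not used).
TOKEN_RE = re.compile(
    r'\bgrant\s+(?:codeBase\s+"(?P<codebase>[^"]*)"\s*)?\{'
    r'|\bpermission\s+java\.io\.FilePermission\s+'
    r'"(?P<target>[^"]*)"\s*,\s*"(?P<actions>[^"]*)"\s*;'
)


def scope_of(target):
    """Classify how much of the file system a FilePermission target covers."""
    if target == "<<ALL FILES>>":
        return "all-files"
    # Form reported in the thread as not taking effect: variable before "-".
    if target.endswith(("${file.separator}-", "${/}-")):
        return "separator-variable"
    if target == "-" or target.endswith(("/-", "\\-")):
        return "recursive"      # directory and everything below it
    if target == "*" or target.endswith(("/*", "\\*")):
        return "directory"      # files directly in one directory
    return "single"


def audit_policy(text):
    """Return one Finding per FilePermission entry, with its grant's codeBase."""
    # Drop whole-line // comments only; block comments are not handled.
    body = "\n".join(l for l in text.splitlines()
                     if not l.lstrip().startswith("//"))
    codebase, findings = None, []
    for m in TOKEN_RE.finditer(body):
        if m.group("target") is None:           # a grant header
            codebase = m.group("codebase") or "<all code>"
            continue
        actions = tuple(a.strip() for a in m.group("actions").split(","))
        target = m.group("target")
        findings.append(Finding(codebase, target, actions, scope_of(target)))
    return findings


def broad_grants(text):
    """Entries that cover more than one named file and deserve a review."""
    return [f for f in audit_policy(text) if f.scope != "single"]


if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"{f.scope:18} {','.join(f.actions):10} {f.target}  [{f.codebase}]")
```

Run against a real catalina.policy, the "recursive" and "all-files" rows are the grants whose reach grows with every context deployed under the granted directory.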



Re: [VOTE] Release build 5.5.27

Posted by George Sexton <gs...@mhsoftware.com>.

Rainer Jung wrote:
> As far as I understand the issue, the solution is to use the correct 
> security manager profile. In catalina.policy there is already a comment 
> how to do that (search for "per context logging").

I'm not doing per context logging and I don't want to. That's what I 
find terribly frustrating. Something I'm not trying to do is breaking my 
app.

I have 250+ virtual hosts per tomcat instance. It seems like a lot of 
overhead that I'm not interested in.

> 
> Even with Mark's patch (or with his plus mine), there would still be the 
> problem of the container not able to read logging.properties from a 
> context without giving it permissions. 

Since I have no desire to do per-context logging, this doesn't bother me.

> The only difference that the
> patch makes, is that it swallows the exception resp. logs it.
> 
> Can you shortly describe
> 
> - if adding the correct configuration to catalina.policy fixes your problem

How would I add the correct configuration to catalina.policy for 250 
virtual hosts/contexts into catalina.policy?

It seems to me that I would have to either make many entries or make one 
generic entry that over-assigns permissions.

Complicating matters, using the host manager, I deploy new virtual 
hosts/contexts on the fly while the servlet engine is running. Is there 
a mechanism for dynamically updating catalina.policy?

> 
> - why not having those lines breaks your application and this breakage 
> is not happening with the patch? Is it because the 
> AccessControlException is not caught?

Yes. The AccessControlException is not caught within Tomcat, and it 
terminates the execution of my servlet.


-- 
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL:   http://www.mhsoftware.com/



Re: [VOTE] Release build 5.5.27

Posted by Rainer Jung <ra...@kippdata.de>.
George Sexton wrote:
> For me this is a critical error. Tomcat 5.5.26 and 5.5.27 don't work 
> when run under the security manager.
> 
> It's really not a trivial corner case. Did you look at my stack trace 
> from Saturday? Trying to open a socket in one part of my code triggered 
> the bug. The class loader is looking for a logging.properties in 
> context/WEB-INF/classes and it's bombing.
> 
> I'm really not trying to be overly picky here, but if the whole security 
> manager functionality is broken, that's a pretty big thing. The fact 
> that it was broken in the last release, and will be broken in the new 
> release is even worse.
> 
> From now until the NEXT release is created, people will be posting it 
> as a bug, which will then get marked RESOLVED, INVALID. They will then 
> re-open and wonder why it was closed. It will then be explained that the 
> fix is in CVS and that's why it was closed. The end user will then want 
> to know when the release with the fix will be present.
> 
> Whatever. I've made my opinion known. If the release gets done with the 
> bug still in it, then I'm a big enough boy to apply the patch and 
> re-compile it so things work.

As far as I understand the issue, the solution is to use the correct 
security manager profile. In catalina.policy there is already a comment 
how to do that (search for "per context logging").

Even with Mark's patch (or with his plus mine), there would still be the 
problem of the container not able to read logging.properties from a 
context without giving it permissions. The only difference that the 
patch makes, is that it swallows the exception resp. logs it.

Can you shortly describe

- if adding the correct configuration to catalina.policy fixes your problem

- why not having those lines breaks your application and this breakage 
is not happening with the patch? Is it because the 
AccessControlException is not caught?

Regards,

Rainer



Re: [VOTE] Release build 5.5.27

Posted by George Sexton <gs...@mhsoftware.com>.

William A. Rowe, Jr. wrote:
> George Sexton wrote:
>>
>> I guess I'm not understanding how you use the term regression. 5.5.25 
>> for sure did not have this problem.
>>
>> 5.5.26 introduced it, and 5.5.27 has it.
>>
>> How do you mean regression?
> 
> x.y.-1 was free of it and x.y.-0 demonstrated it.
> 
> This is x.y.-2 is free of it, x.y.-1 demonstrated it, and x.y.-0 still
> has it.  From the perspective of a release manager, this is no reason
> to stop the release.  It's certainly a good idea to do *another* release
> in the near future to address it, but not to keep the fixes between
> 5.5.26 and 5.5.27 out of users' hands.

I think using your definition, it is then a regression.

For me this is a critical error. Tomcat 5.5.26 and 5.5.27 don't work 
when run under the security manager.

It's really not a trivial corner case. Did you look at my stack trace 
from Saturday? Trying to open a socket in one part of my code triggered 
the bug. The class loader is looking for a logging.properties in 
context/WEB-INF/classes and it's bombing.

I'm really not trying to be overly picky here, but if the whole security 
manager functionality is broken, that's a pretty big thing. The fact 
that it was broken in the last release, and will be broken in the new 
release is even worse.

From now until the NEXT release is created, people will be posting it 
as a bug, which will then get marked RESOLVED, INVALID. They will then 
re-open and wonder why it was closed. It will then be explained that the 
fix is in CVS and that's why it was closed. The end user will then want 
to know when the release with the fix will be present.

Whatever. I've made my opinion known. If the release gets done with the 
bug still in it, then I'm a big enough boy to apply the patch and 
re-compile it so things work.


-- 
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL:   http://www.mhsoftware.com/



Re: [VOTE] Release build 5.5.27

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
George Sexton wrote:
> 
> I guess I'm not understanding how you use the term regression. 5.5.25 
> for sure did not have this problem.
> 
> 5.5.26 introduced it, and 5.5.27 has it.
> 
> How do you mean regression?

x.y.-1 was free of it and x.y.-0 demonstrated it.

This is x.y.-2 is free of it, x.y.-1 demonstrated it, and x.y.-0 still
has it.  From the perspective of a release manager, this is no reason
to stop the release.  It's certainly a good idea to do *another* release
in the near future to address it, but not to keep the fixes between
5.5.26 and 5.5.27 out of users' hands.



Re: [VOTE] Release build 5.5.27

Posted by George Sexton <gs...@mhsoftware.com>.

David Rees wrote:
> On Tue, Sep 2, 2008 at 12:01 PM, George Sexton <gs...@mhsoftware.com> wrote:
>> To have a build that breaks an application because the container is
>> violating security policy looking for a non-existent file is just not
>> acceptable.
>>
>> In order for me to use this build I would have to install the patch, and
>> recompile to have a working installation. This is what I'm doing right now
>> to run 5.5.26.
> 
> I'm not a committer (or voter) either, but IMO, because this is not a
> regression, it should not hold up the release, especially because the
> release contains other potentially serious security fixes.
> 
> If this were a regression, I would agree with you.

I guess I'm not understanding how you use the term regression. 5.5.25 
for sure did not have this problem.

5.5.26 introduced it, and 5.5.27 has it.

How do you mean regression?

-- 
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL:   http://www.mhsoftware.com/



Re: [VOTE] Release build 5.5.27

Posted by David Rees <dr...@gmail.com>.
On Tue, Sep 2, 2008 at 12:01 PM, George Sexton <gs...@mhsoftware.com> wrote:
> To have a build that breaks an application because the container is
> violating security policy looking for a non-existent file is just not
> acceptable.
>
> In order for me to use this build I would have to install the patch, and
> recompile to have a working installation. This is what I'm doing right now
> to run 5.5.26.

I'm not a committer (or voter) either, but IMO, because this is not a
regression, it should not hold up the release, especially because the
release contains other potentially serious security fixes.

If this were a regression, I would agree with you.

5.5.27 should be shipped as is with the security fixes, and then have
the security patch reviewed and applied which fixes the security issue
so that it's ready for the next release.

I've been testing 5.5.27 internally using my applications and have not
noticed any issues with it.

-Dave



Re: [VOTE] Release build 5.5.27

Posted by George Sexton <gs...@mhsoftware.com>.
Filip,

I know I don't count, but since the build is broken when running the 
security manager I would have to say

 > [x] Broken

To have a build that breaks an application because the container is 
violating security policy looking for a non-existent file is just not 
acceptable.

In order for me to use this build I would have to install the patch, and 
recompile to have a working installation. This is what I'm doing right 
now to run 5.5.26.


Filip Hanik - Dev Lists wrote:
> The candidate binaries are available here:
> http://people.apache.org/~fhanik/tomcat/tomcat-5.5/v5.5.27/
> 
> According to the release process, the 5.5.27 tag is:
> [ ] Broken
> [ ] Alpha
> [ ] Beta
> [ ] Stable
> 
> 
> 
> 

-- 
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL:   http://www.mhsoftware.com/



Re: [VOTE] Release build 5.5.27

Posted by Yoav Shapira <yo...@yoavshapira.com>.
On Tue, Sep 2, 2008 at 2:37 PM, Filip Hanik - Dev Lists
<de...@hanik.com> wrote:
> The candidate binaries are available here:
> http://people.apache.org/~fhanik/tomcat/tomcat-5.5/v5.5.27/
>
> According to the release process, the 5.5.27 tag is:
> [ ] Broken
> [ ] Alpha
> [ X ] Beta
> [ ] Stable

Beta because of the bug George mentioned.

Gotta keep releasing, but can't call it stable because of this bug.
The release announcement should mention it.

Yoav



Re: [VOTE] Release build 5.5.27

Posted by Rainer Jung <ra...@kippdata.de>.
Filip Hanik - Dev Lists wrote:
> The candidate binaries are available here:
> http://people.apache.org/~fhanik/tomcat/tomcat-5.5/v5.5.27/
> 
> According to the release process, the 5.5.27 tag is:
> [ ] Broken
> [ ] Alpha
> [ ] Beta
> [X] Stable

Even considering the discussion about the startup problems when the 
security manager and the default policy are used, I think 5.5.27 is stable.

I opened up BZ 45737 to make the configuration workaround available to 
the general user audience. A patch is in trunk and the backport proposal 
has been added to the STATUS files.

Regards,

Rainer



Re: [VOTE] Release build 5.5.27

Posted by Jim Jagielski <ji...@jaguNET.com>.
On Sep 2, 2008, at 2:37 PM, Filip Hanik - Dev Lists wrote:

> The candidate binaries are available here:
> http://people.apache.org/~fhanik/tomcat/tomcat-5.5/v5.5.27/
>
> According to the release process, the 5.5.27 tag is:
> [ ] Broken
> [ ] Alpha
> [ ] Beta
> [X] Stable


