Posted to users@tomcat.apache.org by GOMEZ Henri <hg...@slib.fr> on 2001/10/24 17:12:31 UTC

[ANNOUNCEMENT] Tomcat 3.3 RPM Fixed

A little problem was discovered by Nicolas Mailhot,
in the tomcat 3.3, java part, with an incorrect tomcat
init script which wasn't using the new 'nobody' work mode.
Now tomcat runs as nobody by default for security purposes.

The RPM has been updated to -2 release and the old one
removed:

http://www.apache.org/dist/jakarta/jakarta-tomcat/release/v3.3/rpms/

tomcat-3.3-2.src.rpm
tomcat-3.3-2.noarch.rpm
tomcat-webapps-3.3-2.noarch.rpm
tomcat-manual-3.3-2.noarch.rpm                                 

For those of you who have already installed tomcat and want
to leave it in place (for example on a production system), the fix
is easy.

Replace the init script (/etc/rc.d/init.d/tomcat) with the one attached
and make sure the /var/spool/tomcat and /var/log/tomcat dirs are owned
by nobody/nobody:

chown -R nobody:nobody /var/log/tomcat
chown -R nobody:nobody /var/spool/tomcat

Sorry for the disturbance and a big thanks to Nicolas for his quick
discovery and report.

-
Henri Gomez                 ___[_]____
EMAIL : hgomez@slib.fr        (. .)                     
PGP KEY : 697ECEDD    ...oOOo..(_)..oOOo...
PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 
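
Added example (not part of the original message or of the attached init script): a shell check that the two directories named above are owned by nobody/nobody and that no process matching "tomcat" runs as another user. The function names and the "tomcat" process pattern are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not part of the attached init script.
# Paths and the nobody user/group come from the announcement; function names
# and the "tomcat" process pattern are assumptions made for this sketch.

# Print every path under $1 not owned by user $2 and group $3.
# Returns 0 if the tree is clean, 1 on mismatches, 2 if $1 is missing.
check_tree_owner() {
    [ -d "$1" ] || { echo "missing directory: $1" >&2; return 2; }
    bad=$(find "$1" \( ! -user "$2" -o ! -group "$3" \) -print)
    if [ -z "$bad" ]; then
        return 0
    fi
    printf '%s\n' "$bad"
    return 1
}

# Filter "USER ARGS..." lines (as printed by `ps -e -o user= -o args=`) from
# stdin: print processes whose command line contains $2 but whose user is
# not $1. Runs of spaces in the command line are collapsed in the output.
wrong_user_procs() {
    awk -v want="$1" -v pat="$2" '{
        user = $1; $1 = ""
        if (user != want && index($0, pat)) print user $0
    }'
}

# Run both checks for the layout described in the announcement.
audit_tomcat_fix() {
    rc=0
    for d in /var/log/tomcat /var/spool/tomcat; do
        check_tree_owner "$d" nobody nobody || rc=1
    done
    procs=$(ps -e -o user= -o args= | wrong_user_procs nobody tomcat)
    if [ -n "$procs" ]; then
        echo "tomcat processes not running as nobody:" >&2
        printf '%s\n' "$procs" >&2
        rc=1
    fi
    return $rc
}

# Only audit when asked, so the functions can also be sourced.
if [ "${1:-}" = "audit" ]; then audit_tomcat_fix; fi
```

Run it as root with the single argument "audit"; the process check matches any command line containing "tomcat", so it can also list unrelated processes such as an editor opened on the init script.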


Re: [ANNOUNCEMENT] Tomcat 3.3 RPM Fixed

Posted by Pier Fumagalli <pi...@betaversion.org>.
GOMEZ Henri at hgomez@slib.fr wrote:

> A little problem was discovered by Nicolas Mailhot,
> in the tomcat 3.3, java part, with an incorrect tomcat
> init script which wasn't using the new 'nobody' work mode.
> Now tomcat runs as nobody by default for security purposes.
> 
> The RPM has been updated to -2 release and the old one
> removed:
> 
> http://www.apache.org/dist/jakarta/jakarta-tomcat/release/v3.3/rpms/
> 
> tomcat-3.3-2.src.rpm
> tomcat-3.3-2.noarch.rpm
> tomcat-webapps-3.3-2.noarch.rpm
> tomcat-manual-3.3-2.noarch.rpm
> 
> For those of you who have already installed tomcat and want
> to leave it in place (for example on a production system), the fix
> is easy.
> 
> Replace the init script (/etc/rc.d/init.d/tomcat) with the one attached
> and make sure the /var/spool/tomcat and /var/log/tomcat dirs are owned
> by nobody/nobody:
> 
> chown -R nobody:nobody /var/log/tomcat
> chown -R nobody:nobody /var/spool/tomcat
> 
> Sorry for the disturbance and a big thanks to Nicolas for his quick
> discovery and report.

Would be worth moving the 3.3-1 into a "bad" directory...

    Pier