Posted to dev@tomcat.apache.org by ma...@apache.org on 2019/07/08 14:45:30 UTC

[tomcat] branch 7.0.x updated: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=55969

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/7.0.x by this push:
     new f7c73a2  Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=55969
f7c73a2 is described below

commit f7c73a244f84681432e41b424c7d0f8e7c15f6f2
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Jul 8 15:41:59 2019 +0100

    Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=55969
    
    Tighten security for the Windows installer.
    Update to Daemon 1.2.0. This changes the default user from "Local
    System" to "Local Service".
    Disable the shutdown port by default (service doesn't use it).
    Limit file permissions to local admins, "Local Service" and "Local
    System".
---
 build.properties.default   | 14 +++++++-------
 res/tomcat.nsi             | 18 +++++++++++++++++-
 webapps/docs/changelog.xml | 13 +++++++++++++
 3 files changed, 37 insertions(+), 8 deletions(-)

diff --git a/build.properties.default b/build.properties.default
index 0df0638..4a30427 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -202,21 +202,21 @@ nsis.system.dll=${nsis.home}/Plugins/${nsis.arch.dir}System.dll
 nsis.nsdialogs.dll=${nsis.home}/Plugins/${nsis.arch.dir}nsDialogs.dll
 nsis.loc=${base-sf.loc}/nsis/nsis-${nsis.version}.zip
 
-# ----- Commons Daemon, version 1.1.0 or later -----
-commons-daemon.version=1.1.0
+# ----- Commons Daemon, version 1.2.0 or later -----
+commons-daemon.version=1.2.0
 
-# checksum for commons-daemon-1.1.0-bin.tar.gz
+# checksum for commons-daemon-1.2.0-bin.tar.gz
 commons-daemon.bin.checksum.enabled=true
 commons-daemon.bin.checksum.algorithm=SHA-512
-commons-daemon.bin.checksum.value=43c33e52e0be11e73370083500592ee9df0431c3166dbc7ed95794cabb462ac2a140e3eb4bbe2a0b99882bb93d9244ff534f13e4933c13e7a31a37e58e0c8e1d
+commons-daemon.bin.checksum.value=81fbbd1115d735232bbcc426d958bd8fe149c97bfe96df1549a19332afd4954f3f75c3a693f214bfef065931a1d79c528dfb2cefb1bb3628d211e1761814c23b
 
-# checksums for commons-daemon-1.1.0-native-src.tar.gz, commons-daemon-1.1.0-bin-windows.zip
+# checksums for commons-daemon-1.1.0-native-src.tar.gz, commons-daemon-1.2.0-bin-windows.zip
 commons-daemon.native.src.checksum.enabled=true
 commons-daemon.native.src.checksum.algorithm=SHA-512
-commons-daemon.native.src.checksum.value=3443f1c95a4b267c4387a9ac7c79315422a51e896c0bcea48fbe959bc301094770aa8065b2388a84760a3e07e5d1753c2b351336fb2d3a8c996ee14d32088f6e
+commons-daemon.native.src.checksum.value=c37f506b129b8a0efface6745dcc6d0d9d3e2663d28eca0df9903301f0b9b65fd8306e361935887fb459daf0a29da6fa63ea60f742ce4e497dc53a2a2d86db12
 commons-daemon.native.win.checksum.enabled=true
 commons-daemon.native.win.checksum.algorithm=SHA-512
-commons-daemon.native.win.checksum.value=10cda04d9a44286cb67107fdb9d20958013f075cad4accba048801f3677765c334dc16f6901e1d2e4a9df5a2c702797370de63393568df6fceb9e7902421f9ea
+commons-daemon.native.win.checksum.value=8b6e0bb4172861338e0cb3238f6da715c3cef04a88e8bfab0cbb487ef638aa69fd34de9407b0b2ed54451fbbcbff8a999324289052a581a5d07d6f6ff84a83b6
 
 commons-daemon.home=${base.path}/commons-daemon-${commons-daemon.version}
 commons-daemon.jar=${commons-daemon.home}/commons-daemon-${commons-daemon.version}.jar
diff --git a/res/tomcat.nsi b/res/tomcat.nsi
index fb15582..511c734 100644
--- a/res/tomcat.nsi
+++ b/res/tomcat.nsi
@@ -363,6 +363,22 @@ Section -post
   WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\Apache Tomcat @VERSION_MAJOR_MINOR@ $TomcatServiceName" \
                    "UninstallString" "$\"$INSTDIR\Uninstall.exe$\" -ServiceName=$\"$TomcatServiceName$\""
 
+  ; Configure file permissions
+  ; S-1-5-19     LocalService
+  ; S-1-5-32-544 Local Administrators group
+  ; S-1-5-18     Local System
+  nsExec::ExecToStack 'icacls "$INSTDIR" /inheritance:r /grant *S-1-5-19:(OI)(CI)(F) /grant *S-1-5-32-544:(OI)(CI)(F) /grant *S-1-5-18:(OI)(CI)(F)'
+  Pop $0
+  Pop $1
+  StrCmp $0 "0" SetPermissionsOk
+    FileWrite $ServiceInstallLog "Install failed (setting file permissions): $0 $1$\r$\n"
+    MessageBox MB_YESNO|MB_ICONSTOP \
+      "Failed to set file permisisons.$\r$\nCheck your settings and permissions.$\r$\nIgnore and continue anyway (not recommended)?" \
+      /SD IDNO IDYES SetPermissionsOk
+  Quit
+  SetPermissionsOk:
+  ClearErrors
+
 SectionEnd
 
 !define ReadFromConfigIni "!insertmacro ReadFromConfigIni"
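Review bot: The user-facing MessageBox text on the `Failed to set file permisisons.` line misspells "permissions"; the line should read `"Failed to set file permissions.$\r$\nCheck your settings and permissions.$\r$\nIgnore and continue anyway (not recommended)?" \`. Separately, icacls is run on `$INSTDIR` alone with no `/T`, so the reset of inherited ACEs and the three (OI)(CI) grants reach files already written under the tree only through Windows' own propagation of inheritable entries; if Section -post runs after the payload has been copied, that propagation should be confirmed on a test install, since any child with a protected DACL would keep its prior access. A short comment explaining why the grants use the `*S-1-5-…` form would help the next reader, e.g. `; Well-known SIDs rather than account names so the grants do not depend on the Windows display language`. Section -post starts outside the hunk.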
@@ -411,7 +427,7 @@ Function .onInit
 
   ;Initialize default values
   StrCpy $JavaHome ""
-  StrCpy $TomcatPortShutdown "8005"
+  StrCpy $TomcatPortShutdown "-1"
   StrCpy $TomcatPortHttp "8080"
   StrCpy $TomcatPortAjp "8009"
   StrCpy $TomcatMenuEntriesEnable "0"
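Review bot: The new `"-1"` default for $TomcatPortShutdown only changes the initial value in .onInit; any later step that validates the shutdown port as a numeric TCP port (the configuration page or the check before server.xml is written) is outside this hunk and should be confirmed to accept -1, otherwise the installer would reject its own default on a non-silent install. A comment on the changed line would keep the intent visible, e.g. `  StrCpy $TomcatPortShutdown "-1"  ; -1 disables the shutdown port; the Windows service does not use it`. .onInit starts and ends outside the hunk.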
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 7792e1a..b2d9092 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -240,6 +240,19 @@
       <update>
         Update Checkstyle to version 8.22. (markt)
       </update>
+      <update>
+        Update to Commons Daemon 1.2.0. This changes the user configured by the
+        Windows installer for the Windows service from <code>Local System</code>
+        to the lower privileged <code>Local Service</code>. (markt)
+      </update>
+      <fix>
+        <bug>55969</bug>: Tighten up the security of the Apache Tomcat
+        installation created by the Windows installer. Change the default
+        shutdown port used by the Windows installer from <code>8005</code> to
+        <code>-1</code> (disabled). Limit access to the chosen installation
+        directory to local administrators, Local System and Local Service.
+        (markt)
+      </fix>
     </changelog>
   </subsection>
 </section>

