[tomcat6/f13/master] Resolving many fedora rhbzs - CVE-2010-2227, directory premissions, tomcat user shell, commons-xxx-t

Dave Knox dknox at fedoraproject.org
Tue Oct 12 20:37:05 UTC 2010


commit 7548072a46603326f9fbbcf9a17ef0f99be86d01
Author: david knox <dknox at 78-97-42-72.skybeam.com>
Date:   Tue Oct 12 14:33:32 2010 -0600

    Resolving many fedora rhbzs - CVE-2010-2227, directory permissions, tomcat user shell, commons-xxx-tomcat5 removed from the build.

 tomcat6-6.0.init |    4 ++--
 tomcat6.spec     |   52 ++++++++++++++++++++++++++++++++--------------------
 2 files changed, 34 insertions(+), 22 deletions(-)
---
diff --git a/tomcat6-6.0.init b/tomcat6-6.0.init
index e4e9517..4123f1c 100644
--- a/tomcat6-6.0.init
+++ b/tomcat6-6.0.init
@@ -38,9 +38,9 @@ fi
 
 # For SELinux we need to use 'runuser' not 'su'
 if [ -x "/sbin/runuser" ]; then
-    SU="/sbin/runuser"
+    SU="/sbin/runuser -s /bin/sh"
 else
-    SU="/bin/su"
+    SU="/bin/su -s /bin/sh"
 fi
 
 # Get the tomcat config (use this for environment specific settings)
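Review bot: `SU` now holds a command plus an option, so it only works where the script expands it unquoted; any `"$SU"` call or `-x "$SU"` test would look for a file literally named `/sbin/runuser -s /bin/sh`. The call sites are outside this hunk and should be checked. The override is needed because the same commit sets the tomcat account's shell to `/sbin/nologin`, and it is honoured only because the init script runs as root. I would record that next to the assignment, e.g. `# tomcat's login shell is /sbin/nologin: pass an explicit shell; expand $SU unquoted`.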
diff --git a/tomcat6.spec b/tomcat6.spec
index 516ac85..f461132 100644
--- a/tomcat6.spec
+++ b/tomcat6.spec
@@ -55,7 +55,7 @@
 Name: tomcat6
 Epoch: 0
 Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 10%{?dist}
+Release: 11%{?dist}
 Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
 
 Group: Networking/Daemons
@@ -82,10 +82,12 @@ BuildRequires: ant-trax
 BuildRequires: ecj
 BuildRequires: findutils
 BuildRequires: jakarta-commons-collections
-BuildRequires: jakarta-commons-collections-tomcat5
+#BuildRequires: jakarta-commons-collections-tomcat5
 BuildRequires: jakarta-commons-daemon
-BuildRequires: jakarta-commons-dbcp-tomcat5
-BuildRequires: jakarta-commons-pool-tomcat5
+#BuildRequires: jakarta-commons-dbcp-tomcat5
+BuildRequires: jakarta-commons-dbcp
+#BuildRequires: jakarta-commons-pool-tomcat5
+BuildRequires: jakarta-commons-pool
 BuildRequires: jakarta-taglibs-standard
 BuildRequires: java-1.6.0-devel
 BuildRequires: jpackage-utils >= 0:1.7.0
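Review bot: The three `-tomcat5` `BuildRequires` are left behind as commented-out lines (`#BuildRequires: jakarta-commons-collections-tomcat5` and the dbcp/pool pair) instead of being deleted, and the `Requires:` hunk for the lib subpackage does the same. Dead dependency lines in a spec read as if they might be re-enabled, and they make later audits of what the build actually pulls in harder; the changelog entry and the git history already record the removal. I would drop the six commented lines.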
@@ -167,9 +169,12 @@ Requires: %{name}-jsp-%{jspspec}-api = %{epoch}:%{version}-%{release}
 Requires: %{name}-servlet-%{servletspec}-api = %{epoch}:%{version}-%{release}
 Requires: %{name}-el-%{elspec}-api = %{epoch}:%{version}-%{release}
 Requires: ecj
-Requires: jakarta-commons-collections-tomcat5
-Requires: jakarta-commons-dbcp-tomcat5
-Requires: jakarta-commons-pool-tomcat5
+#Requires: jakarta-commons-collections-tomcat5
+#Requires: jakarta-commons-dbcp-tomcat5
+#Requires: jakarta-commons-pool-tomcat5
+Requires: jakarta-commons-collections
+Requires: jakarta-commons-dbcp
+Requires: jakarta-commons-pool
 Requires(preun): coreutils
 
 %description lib
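Review bot: Replacing the `-tomcat5` jars with stock `jakarta-commons-dbcp` and `jakarta-commons-pool` at runtime may leave Tomcat's default JNDI DataSource factory unable to load. As far as I know the `-tomcat5` builds were repackaged under `org.apache.tomcat.dbcp`, which is where Tomcat looks when a `<Resource>` names no `factory`, while the stock jar only provides `org.apache.commons.dbcp`. Please confirm with a DataSource that has no explicit `factory` attribute; if it fails, either keep a repackaged jar or document that `factory="org.apache.commons.dbcp.BasicDataSourceFactory"` must be set.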
@@ -231,12 +236,12 @@ pushd %{packdname}
    # who needs a build.properties file anyway
    %{ant} -Dbase.path="." \
       -Dbuild.compiler="modern" \
-      -Dcommons-collections.jar="$(build-classpath commons-collections)" \
-      -Dcommons-daemon.jar="$(build-classpath commons-daemon)" \
+      -Dcommons-collections.jar="$(build-classpath jakarta-commons-collections)" \
+      -Dcommons-daemon.jar="$(build-classpath jakarta-commons-daemon)" \
       -Dcommons-daemon.jsvc.tar.gz="HACK" \
       -Djasper-jdt.jar="$(build-classpath ecj)" \
       -Djdt.jar="$(build-classpath ecj)" \
-      -Dtomcat-dbcp.jar="HACK" \
+      -Dtomcat-dbcp.jar="$(build-classpath jakarta-commons-dbcp)" \
       -Dtomcat-native.tar.gz="HACK" \
       -Dversion="%{version}" \
       -Dversion.build="%{micro_version}"
@@ -245,12 +250,11 @@ pushd %{packdname}
    %{ant} -f dist.xml dist-source
    %{ant} -f dist.xml dist-javadoc
     # remove some jars that we'll replace with symlinks later
-   %{__rm} output/build/bin/commons-daemon.jar \
-      output/build/lib/ecj.jar
+   %{__rm} output/build/bin/jakarta-commons-daemon.jar \
+      output/build/lib/ecj.jar output/build/lib/jakarta-commons-dbcp.jar
     # remove the cruft we created
    %{__rm} output/build/bin/HACK \
-      output/build/bin/tomcat-native.tar.gz \
-      output/build/lib/HACK
+      output/build/bin/tomcat-native.tar.gz
 popd
 pushd %{packdname}/output/dist/src/webapps/docs/appdev/sample/src
 %{__mkdir_p} ../web/WEB-INF/classes
@@ -284,6 +288,7 @@ zip -u %{packdname}/output/build/lib/jsp-api.jar META-INF/MANIFEST.MF
 %{__install} -d -m 0775 ${RPM_BUILD_ROOT}%{confdir}/Catalina/localhost
 %{__install} -d -m 0755 ${RPM_BUILD_ROOT}%{libdir}
 %{__install} -d -m 0775 ${RPM_BUILD_ROOT}%{logdir}
+touch ${RPM_BUILD_ROOT}%{logdir}/catalina.out
 %{__install} -d -m 0775 ${RPM_BUILD_ROOT}%{homedir}
 %{__install} -d -m 0775 ${RPM_BUILD_ROOT}%{tempdir}
 %{__install} -d -m 0775 ${RPM_BUILD_ROOT}%{workdir}
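Review bot: Creating `catalina.out` in the build root and listing it as a plain file in `%files` makes rpm own the live log, so, as far as I can tell, a package update installs the empty packaged copy over whatever the service has written. That loses the history an operator would want when investigating an incident. Marking the `%files` entry `%ghost`, and creating the file from `%post` only when it is missing, keeps ownership and mode under rpm control without shipping content; the `touch` here can stay so the path exists in the build root. The `%install` section starts outside this hunk.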
@@ -338,8 +343,8 @@ pushd ${RPM_BUILD_ROOT}%{_javadir}
 popd
 
 pushd %{packdname}/output/build
-   %{_bindir}/build-jar-repository lib commons-collections-tomcat5 \
-    commons-dbcp-tomcat5 commons-pool-tomcat5 ecj 2>&1
+   %{_bindir}/build-jar-repository lib jakarta-commons-collections \
+    jakarta-commons-dbcp jakarta-commons-pool ecj 2>&1
 # need to use -p here with b-j-r otherwise the examples webapp fails to
 # load with a java.io.IOException
    %{_bindir}/build-jar-repository -p webapps/examples/WEB-INF/lib \
@@ -357,11 +362,11 @@ pushd ${RPM_BUILD_ROOT}%{libdir}
     %{__ln_s} ../%{name}-jsp-%{jspspec}-api-%{version}.jar .
     %{__ln_s} ../%{name}-servlet-%{servletspec}-api-%{version}.jar .
     %{__ln_s} ../%{name}-el-%{elspec}-api-%{version}.jar
-    %{__cp} -p $(build-classpath commons-collections-tomcat5) .
+    %{__cp} -p $(build-classpath jakarta-commons-collections) .
     %{__cp} -p $(build-classpath log4j) .
     %{__ln_s} log4j log4j-%{version}.jar
-    %{__ln_s} $(build-classpath commons-dbcp-tomcat5) .
-    %{__ln_s} $(build-classpath commons-pool-tomcat5) .
+    %{__ln_s} $(build-classpath jakarta-commons-dbcp) .
+    %{__ln_s} $(build-classpath jakarta-commons-pool) .
     %{__ln_s} $(build-classpath ecj) jasper-jdt.jar
 popd
 pushd ${RPM_BUILD_ROOT}%{bindir}
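Review bot: `%{__cp} -p $(build-classpath jakarta-commons-collections) .` ships a build-time copy of the jar inside the tomcat6 lib directory, while dbcp and pool a few lines below are symlinked. A copy does not pick up a later security update to the `jakarta-commons-collections` package until tomcat6 itself is rebuilt. The copy predates this commit, but now that the stock jar is a runtime `Requires` a link looks sufficient: `%{__ln_s} $(build-classpath jakarta-commons-collections) .`. The `pushd` block starts outside the hunk.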
@@ -437,7 +442,7 @@ done
 # add the tomcat user and group
 %{_sbindir}/groupadd -g %{tcuid} -r tomcat 2>/dev/null || :
 %{_sbindir}/useradd -c "Apache Tomcat" -u %{tcuid} -g tomcat \
-    -s /bin/sh -r -d %{homedir} tomcat 2>/dev/null || :
+    -s /sbin/nologin -r -d %{homedir} tomcat 2>/dev/null || :
 
 %post
 # install but don't activate
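Review bot: The new shell only reaches fresh installs: on a host where the tomcat account already exists, `useradd` fails, the error is discarded by `2>/dev/null || :`, and the account keeps `/bin/sh`. If upgraded systems are meant to get the same hardening, the scriptlet needs an explicit step such as `%{_sbindir}/usermod -s /sbin/nologin tomcat 2>/dev/null || :` after the `useradd`. That would override a shell an administrator may have set on purpose, so it deserves a changelog line. The scriptlet begins outside this hunk.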
@@ -520,6 +525,8 @@ fi
 %attr(0765,root,tomcat) %dir %{appdir}
 %attr(0765,root,tomcat) %dir %{confdir}
 %attr(0765,root,tomcat) %dir %{confdir}/Catalina
+%attr(0765,root,tomcat) %dir %{logdir}
+%attr(0765,root,tomcat) %{logdir}/catalina.out
 #%dir %{confdir}
 #%dir %{confdir}/Catalina
 %attr(0765,root,tomcat) %dir %{confdir}/Catalina/localhost
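Review bot: Mode `0765` on the two added lines gives group tomcat `rw-` on `%{logdir}` with no search bit while everyone else gets `r-x`, so as written the service account cannot open files inside its own log directory and any local user can read `catalina.out`; the log file also ends up with execute bits. The neighbouring entries use the same mode, so this may be a long-standing typo for `0775`. For the log paths I would use `%attr(0770,root,tomcat) %dir %{logdir}` and `%attr(0660,root,tomcat) %{logdir}/catalina.out`. Separately, no visible hunk adds a patch or changes `Version`, so the CVE-2010-2227 fix named in the commit subject cannot be traced to this diff.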
@@ -599,6 +606,11 @@ fi
 %{appdir}/sample
 
 %changelog
+* Tue Oct 12 2010 David Knox <dknox at redhat.com> 0:6.0.26-11
+- resolving rhbzs for directory permissions. Change BR and R
+- for commons packages: no more commons-x-tomcat5. Fix tomcat
+- user shell.
+
 * Mon Oct 04 2010 David Knox <dknox at redhat.com> 0:6.0.26-10
 - ant-nodeps is breaking the build. Put ant-nodeps on the 
 - OPT_JAR_LIST

