[tomcat6/f13/master] Resolving many fedora rhbzs - CVE-2010-2227, directory premissions, tomcat user shell, commons-xxx-t
Dave Knox
dknox at fedoraproject.org
Tue Oct 12 20:37:05 UTC 2010
commit 7548072a46603326f9fbbcf9a17ef0f99be86d01
Author: david knox <dknox at 78-97-42-72.skybeam.com>
Date: Tue Oct 12 14:33:32 2010 -0600
Resolving many fedora rhbzs - CVE-2010-2227, directory permissions, tomcat user shell, commons-xxx-tomcat5 removed from the build.
tomcat6-6.0.init | 4 ++--
tomcat6.spec | 52 ++++++++++++++++++++++++++++++++--------------------
2 files changed, 34 insertions(+), 22 deletions(-)
---
diff --git a/tomcat6-6.0.init b/tomcat6-6.0.init
index e4e9517..4123f1c 100644
--- a/tomcat6-6.0.init
+++ b/tomcat6-6.0.init
@@ -38,9 +38,9 @@ fi
# For SELinux we need to use 'runuser' not 'su'
if [ -x "/sbin/runuser" ]; then
- SU="/sbin/runuser"
+ SU="/sbin/runuser -s /bin/sh"
else
- SU="/bin/su"
+ SU="/bin/su -s /bin/sh"
fi
# Get the tomcat config (use this for environment specific settings)
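Review bot: The `-s /bin/sh` added to both `SU=` lines has no comment explaining why it is needed, and the reason sits in another file: the spec change in this commit sets the tomcat account's shell to `/sbin/nologin`, so the init script has to supply a shell itself. I would add above the `if`: `# tomcat's login shell is /sbin/nologin, so pass an explicit shell to runuser/su`. `SU` now holds a command plus arguments, so it only works where it is expanded unquoted; its uses are outside this hunk and are worth checking for `"$SU"`.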
diff --git a/tomcat6.spec b/tomcat6.spec
index 516ac85..f461132 100644
--- a/tomcat6.spec
+++ b/tomcat6.spec
@@ -55,7 +55,7 @@
Name: tomcat6
Epoch: 0
Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 10%{?dist}
+Release: 11%{?dist}
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
Group: Networking/Daemons
@@ -82,10 +82,12 @@ BuildRequires: ant-trax
BuildRequires: ecj
BuildRequires: findutils
BuildRequires: jakarta-commons-collections
-BuildRequires: jakarta-commons-collections-tomcat5
+#BuildRequires: jakarta-commons-collections-tomcat5
BuildRequires: jakarta-commons-daemon
-BuildRequires: jakarta-commons-dbcp-tomcat5
-BuildRequires: jakarta-commons-pool-tomcat5
+#BuildRequires: jakarta-commons-dbcp-tomcat5
+BuildRequires: jakarta-commons-dbcp
+#BuildRequires: jakarta-commons-pool-tomcat5
+BuildRequires: jakarta-commons-pool
BuildRequires: jakarta-taglibs-standard
BuildRequires: java-1.6.0-devel
BuildRequires: jpackage-utils >= 0:1.7.0
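Review bot: The three `-tomcat5` BuildRequires are commented out rather than deleted, which leaves dead lines such as `#BuildRequires: jakarta-commons-collections-tomcat5` in the preamble; the three `Requires:` lines in the next hunk get the same treatment. The new `%changelog` entry already records that the `commons-x-tomcat5` packages are gone, so I would delete the commented lines outright. That also makes it obvious that `jakarta-commons-collections` was already a BuildRequires, and that only `jakarta-commons-dbcp` and `jakarta-commons-pool` are new here.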
@@ -167,9 +169,12 @@ Requires: %{name}-jsp-%{jspspec}-api = %{epoch}:%{version}-%{release}
Requires: %{name}-servlet-%{servletspec}-api = %{epoch}:%{version}-%{release}
Requires: %{name}-el-%{elspec}-api = %{epoch}:%{version}-%{release}
Requires: ecj
-Requires: jakarta-commons-collections-tomcat5
-Requires: jakarta-commons-dbcp-tomcat5
-Requires: jakarta-commons-pool-tomcat5
+#Requires: jakarta-commons-collections-tomcat5
+#Requires: jakarta-commons-dbcp-tomcat5
+#Requires: jakarta-commons-pool-tomcat5
+Requires: jakarta-commons-collections
+Requires: jakarta-commons-dbcp
+Requires: jakarta-commons-pool
Requires(preun): coreutils
%description lib
@@ -231,12 +236,12 @@ pushd %{packdname}
# who needs a build.properties file anyway
%{ant} -Dbase.path="." \
-Dbuild.compiler="modern" \
- -Dcommons-collections.jar="$(build-classpath commons-collections)" \
- -Dcommons-daemon.jar="$(build-classpath commons-daemon)" \
+ -Dcommons-collections.jar="$(build-classpath jakarta-commons-collections)" \
+ -Dcommons-daemon.jar="$(build-classpath jakarta-commons-daemon)" \
-Dcommons-daemon.jsvc.tar.gz="HACK" \
-Djasper-jdt.jar="$(build-classpath ecj)" \
-Djdt.jar="$(build-classpath ecj)" \
- -Dtomcat-dbcp.jar="HACK" \
+ -Dtomcat-dbcp.jar="$(build-classpath jakarta-commons-dbcp)" \
-Dtomcat-native.tar.gz="HACK" \
-Dversion="%{version}" \
-Dversion.build="%{micro_version}"
@@ -245,12 +250,11 @@ pushd %{packdname}
%{ant} -f dist.xml dist-source
%{ant} -f dist.xml dist-javadoc
# remove some jars that we'll replace with symlinks later
- %{__rm} output/build/bin/commons-daemon.jar \
- output/build/lib/ecj.jar
+ %{__rm} output/build/bin/jakarta-commons-daemon.jar \
+ output/build/lib/ecj.jar output/build/lib/jakarta-commons-dbcp.jar
# remove the cruft we created
%{__rm} output/build/bin/HACK \
- output/build/bin/tomcat-native.tar.gz \
- output/build/lib/HACK
+ output/build/bin/tomcat-native.tar.gz
popd
pushd %{packdname}/output/dist/src/webapps/docs/appdev/sample/src
%{__mkdir_p} ../web/WEB-INF/classes
@@ -284,6 +288,7 @@ zip -u %{packdname}/output/build/lib/jsp-api.jar META-INF/MANIFEST.MF
%{__install} -d -m 0775 ${RPM_BUILD_ROOT}%{confdir}/Catalina/localhost
%{__install} -d -m 0755 ${RPM_BUILD_ROOT}%{libdir}
%{__install} -d -m 0775 ${RPM_BUILD_ROOT}%{logdir}
+touch ${RPM_BUILD_ROOT}%{logdir}/catalina.out
%{__install} -d -m 0775 ${RPM_BUILD_ROOT}%{homedir}
%{__install} -d -m 0775 ${RPM_BUILD_ROOT}%{tempdir}
%{__install} -d -m 0775 ${RPM_BUILD_ROOT}%{workdir}
@@ -338,8 +343,8 @@ pushd ${RPM_BUILD_ROOT}%{_javadir}
popd
pushd %{packdname}/output/build
- %{_bindir}/build-jar-repository lib commons-collections-tomcat5 \
- commons-dbcp-tomcat5 commons-pool-tomcat5 ecj 2>&1
+ %{_bindir}/build-jar-repository lib jakarta-commons-collections \
+ jakarta-commons-dbcp jakarta-commons-pool ecj 2>&1
# need to use -p here with b-j-r otherwise the examples webapp fails to
# load with a java.io.IOException
%{_bindir}/build-jar-repository -p webapps/examples/WEB-INF/lib \
@@ -357,11 +362,11 @@ pushd ${RPM_BUILD_ROOT}%{libdir}
%{__ln_s} ../%{name}-jsp-%{jspspec}-api-%{version}.jar .
%{__ln_s} ../%{name}-servlet-%{servletspec}-api-%{version}.jar .
%{__ln_s} ../%{name}-el-%{elspec}-api-%{version}.jar
- %{__cp} -p $(build-classpath commons-collections-tomcat5) .
+ %{__cp} -p $(build-classpath jakarta-commons-collections) .
%{__cp} -p $(build-classpath log4j) .
%{__ln_s} log4j log4j-%{version}.jar
- %{__ln_s} $(build-classpath commons-dbcp-tomcat5) .
- %{__ln_s} $(build-classpath commons-pool-tomcat5) .
+ %{__ln_s} $(build-classpath jakarta-commons-dbcp) .
+ %{__ln_s} $(build-classpath jakarta-commons-pool) .
%{__ln_s} $(build-classpath ecj) jasper-jdt.jar
popd
pushd ${RPM_BUILD_ROOT}%{bindir}
@@ -437,7 +442,7 @@ done
# add the tomcat user and group
%{_sbindir}/groupadd -g %{tcuid} -r tomcat 2>/dev/null || :
%{_sbindir}/useradd -c "Apache Tomcat" -u %{tcuid} -g tomcat \
- -s /bin/sh -r -d %{homedir} tomcat 2>/dev/null || :
+ -s /sbin/nologin -r -d %{homedir} tomcat 2>/dev/null || :
%post
# install but don't activate
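Review bot: The switch to `-s /sbin/nologin` only takes effect where the account is created. On a system upgraded from an earlier release the `useradd` fails because tomcat already exists, `2>/dev/null || :` hides that, and the account keeps `/bin/sh`. If the shell change is meant to reach existing installs, a line such as `%{_sbindir}/usermod -s /sbin/nologin tomcat 2>/dev/null || :` after the `useradd` would do it. The scriptlet these lines belong to starts above the hunk.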
@@ -520,6 +525,8 @@ fi
%attr(0765,root,tomcat) %dir %{appdir}
%attr(0765,root,tomcat) %dir %{confdir}
%attr(0765,root,tomcat) %dir %{confdir}/Catalina
+%attr(0765,root,tomcat) %dir %{logdir}
+%attr(0765,root,tomcat) %{logdir}/catalina.out
#%dir %{confdir}
#%dir %{confdir}/Catalina
%attr(0765,root,tomcat) %dir %{confdir}/Catalina/localhost
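Review bot: `%attr(0765,root,tomcat)` on the two added lines gives group tomcat `rw-` and everyone else `r-x`, so on `%dir %{logdir}` the group can list names but cannot enter the directory or create files in it, although the `%{__install} -d -m 0775` line in the earlier hunk creates that directory as 0775. On `%{logdir}/catalina.out` the same mode puts execute bits on a log file and leaves it readable by every local user. I would use `%attr(0775,root,tomcat) %dir %{logdir}` and `%attr(0664,root,tomcat) %{logdir}/catalina.out`, or 0770 and 0660 if other users have no need to read the logs. The neighbouring `%dir` lines already carry 0765, so the same question applies to them.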
@@ -599,6 +606,11 @@ fi
%{appdir}/sample
%changelog
+* Tue Oct 12 2010 David Knox <dknox at redhat.com> 0:6.0.26-11
+- resolving rhbzs for directory permissions. Change BR and R
+- for commons packages: no more commons-x-tomcat5. Fix tomcat
+- user shell.
+
* Mon Oct 04 2010 David Knox <dknox at redhat.com> 0:6.0.26-10
- ant-nodeps is breaking the build. Put ant-nodeps on the
- OPT_JAR_LIST