
Tomcat: Insecure installation


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference: GLSA 200408-15 / tomcat
Release Date: August 15, 2004
Latest Revision: May 22, 2006: 04
Impact: normal
Exploitable: local

Package: www-servers/tomcat
Vulnerable versions: < 5.0.27-r3
Unaffected versions: >= 5.0.27-r3; revision >= 4.1.30-r4; revision >= 3.3.2-r2
Architecture(s): All supported architectures

Related bug reports: #59232


Improper file ownership may allow a member of the tomcat group to execute scripts as root.

2.  Impact Information


Tomcat is the Apache Jakarta Project's official implementation of Java Servlets and Java Server Pages.


The Gentoo ebuild for Tomcat sets the ownership of the Tomcat init scripts to tomcat:tomcat, but those scripts are executed with root privileges when the system is started. Because the tomcat user owns the files, a member of the tomcat group who can write to them may run arbitrary code with root privileges when the Tomcat init scripts are executed.


This could lead to a local privilege escalation or root compromise by authenticated users.

3.  Resolution Information


Users may change the ownership of /etc/init.d/tomcat* and /etc/conf.d/tomcat* to be root:root:

Code Listing 3.1: Workaround

# chown -R root:root /etc/init.d/tomcat*
# chown -R root:root /etc/conf.d/tomcat*
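
As an added audit script (not part of the advisory), the following POSIX shell code reports files under /etc/init.d and /etc/conf.d that root executes at boot but that a non-root user owns or that group or others can write, which is the condition described above; it can be used to confirm the workaround took effect. It assumes GNU coreutils stat(1), as on Gentoo; the function names are assumptions.

```sh
#!/bin/sh
# Audit boot-time scripts for the GLSA 200408-15 condition: a file that root
# executes at boot but that a non-root owner controls or that group/others can
# write. Assumes GNU coreutils stat(1) (%U owner, %G group, %a octal mode).

# check_script FILE: print "FILE owner:group mode REASON..." and return 1 when
# FILE is exposed; print nothing and return 0 when it is root-owned and not
# writable by group or others.
check_script() {
    f=$1
    owner=$(stat -c %U "$f") || return 2
    group=$(stat -c %G "$f")
    mode=$(stat -c %a "$f")
    reasons=""
    # The owner can chmod and rewrite the file regardless of mode bits, so a
    # non-root owner is a finding on its own (tomcat:tomcat in the advisory).
    [ "$owner" = root ] || reasons="$reasons owner-not-root"
    # %a yields an octal string such as 664 or 4755; prefixing 0 makes the
    # shell treat it as octal, then test the group (020) and other (002) write bits.
    [ $(( 0$mode & 020 )) -eq 0 ] || reasons="$reasons group-writable"
    [ $(( 0$mode & 002 )) -eq 0 ] || reasons="$reasons world-writable"
    [ -z "$reasons" ] && return 0
    printf '%s %s:%s %s%s\n' "$f" "$owner" "$group" "$mode" "$reasons"
    return 1
}

# audit_init_ownership [DIR...]: check every regular file in the given
# directories (default: /etc/init.d /etc/conf.d). Returns 1 if any is exposed.
audit_init_ownership() {
    [ $# -gt 0 ] || set -- /etc/init.d /etc/conf.d
    status=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            check_script "$f" || status=1
        done
    done
    return $status
}

# When run as a script with directory arguments, audit them; with no arguments
# the functions are only defined, so the file can also be sourced.
[ $# -gt 0 ] && audit_init_ownership "$@"
```

Run it as `sh audit-init.sh /etc/init.d /etc/conf.d`; an empty report and exit status 0 means every script is root-owned and not group- or world-writable.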


All Tomcat users can upgrade to the latest stable version, or simply apply the workaround:

Code Listing 3.2: Resolution

# emerge sync
# emerge -pv ">=www-servers/tomcat-5.0.27-r3"
# emerge ">=www-servers/tomcat-5.0.27-r3"

4.  References


Page updated August 15, 2004
