Tomcat: Insecure installation
Gentoo Linux Security Advisory
GLSA 200408-15 / tomcat
Release date: August 15, 2004
Latest revision: May 22, 2006: 04
All supported architectures
Improper file ownership may allow a member of the tomcat group to execute
scripts as root.
Tomcat is the Apache Jakarta Project's official implementation of Java
Servlets and JavaServer Pages.
The Gentoo ebuild for Tomcat sets the ownership of the Tomcat init
scripts as tomcat:tomcat, but those scripts are executed with root
privileges when the system is started. This may allow a member of the
tomcat group to run arbitrary code with root privileges when the Tomcat
init scripts are run.
This could lead to a local privilege escalation or root compromise by
Users may change the ownership of /etc/init.d/tomcat* and
/etc/conf.d/tomcat* to be root:root:
Code Listing 3.1: Workaround
# chown -R root:root /etc/init.d/tomcat*
# chown -R root:root /etc/conf.d/tomcat*
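The workaround above is a one-off fix; what an administrator also wants is a repeatable check that boot-time scripts are really owned by root:root, so a regression (a later package install resetting ownership) is noticed. The following POSIX shell function is an added example, not part of this advisory or of the Gentoo ebuild. It takes the directory and the expected owner and group as parameters and, as an addition beyond the advisory's two chown lines, reports any file under the directory whose owner or group deviates. The AUDIT_DIR environment variable used in the usage block is an assumption made for this example.

```shell
#!/bin/sh
# Added example (not part of the GLSA): audit a directory of init or conf
# scripts for files whose owner or group differs from what is expected.
# Scripts executed as root at boot should be owned by root:root so that no
# unprivileged account can modify what root will later run.

# audit_ownership DIR OWNER GROUP
#   Lists every regular file under DIR not owned by OWNER:GROUP on stderr and
#   prints the number of such files on stdout (0 means the tree is clean).
#   OWNER and GROUP may be names or numeric ids; DIR must exist.
audit_ownership() {
    dir=$1
    owner=$2
    group=$3
    [ -d "$dir" ] || { echo "audit_ownership: no such directory: $dir" >&2; return 2; }
    count=0
    # POSIX find: "! -user X" / "! -group Y" select the files that deviate.
    while IFS= read -r f; do
        [ -n "$f" ] || continue   # find printed nothing: heredoc holds one empty line
        printf 'ownership mismatch: %s\n' "$f" >&2
        count=$((count + 1))
    done <<EOF
$(find "$dir" -type f \( ! -user "$owner" -o ! -group "$group" \))
EOF
    echo "$count"
}

# Usage against the paths named in the advisory. AUDIT_DIR is an assumed
# variable for this example; the audit only runs when it is set, e.g.:
#   AUDIT_DIR=/etc/init.d sh audit.sh
if [ -n "${AUDIT_DIR:-}" ]; then
    n=$(audit_ownership "$AUDIT_DIR" root root)
    echo "$n file(s) under $AUDIT_DIR not owned by root:root"
fi
```

Run it once for /etc/init.d and once for /etc/conf.d; a non-zero count means the chown workaround (or the package upgrade) has not taken effect or has been undone.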
All Tomcat users can upgrade to the latest stable version, or simply
apply the workaround:
Code Listing 3.2: Resolution
# emerge sync
# emerge -pv ">=www-servers/tomcat-5.0.27-r3"
# emerge ">=www-servers/tomcat-5.0.27-r3"