Accepting request 823635 from home:mateialbu:branches:Java:packages

- Don't give write permissions for the tomcat group on files and directories where it's not needed (bsc#1172562) - Change tomcat.pid location from /var/run to /run (bsc#1173103) - Use the /sbin/nologin shell when creating the tomcat user - Use %tmpfiles_create macro in %post instead of calling systemd-tmpfiles directly OBS-URL: https://build.opensuse.org/request/show/823635 OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=205
2020-07-30 21:16:33 +00:00 · 2020-07-30 21:16:33 +00:00 · 32d59bc711
commit 32d59bc711
parent 58c8d0d803
3 changed files with 51 additions and 38 deletions
--- a/tomcat-9.0.init
+++ b/tomcat-9.0.init
@ -77,7 +77,7 @@ TOMCAT_USER="${TOMCAT_USER:-tomcat}"
 # Define the tomcat log file
 TOMCAT_LOG="${TOMCAT_LOG:-${CATALINA_HOME}/logs/${NAME}-initd.log}"
 # Define the tomcat pid file
-export CATALINA_PID="/var/run/${NAME}.pid"
+export CATALINA_PID="/run/${NAME}.pid"
 
 RETVAL="0"
 
@ -193,8 +193,8 @@ function parseOptions() {
 function start() {
    echo -n "Starting Tomcat ($CATALINA_BASE)"
    if [ -f "/var/run/rc${NAME}" ] ; then
-        if [ -f "/var/run/${NAME}.pid" ]; then
-            read kpid < /var/run/${NAME}.pid
+        if [ -f "/run/${NAME}.pid" ]; then
+            read kpid < /run/${NAME}.pid
                if checkpid $kpid 2>&1; then
                    echo "$NAME process already running"
                        rc_failed 0
@ -205,7 +205,7 @@ function start() {
        fi
    fi
    # fix permissions on the log and pid files
-    export CATALINA_PID="/var/run/${NAME}.pid"
+    export CATALINA_PID="/run/${NAME}.pid"
    touch $CATALINA_PID
    chown --no-dereference ${TOMCAT_USER}:${TOMCAT_USER} $CATALINA_PID
    touch $TOMCAT_LOG
@ -249,8 +249,8 @@ function start() {
 # NOTE: checkproc returns LSB compliant status values.
 function status() {
    echo -n "Checking for Tomcat ($CATALINA_BASE)"
-    if [ -f "/var/run/${NAME}.pid" ]; then
-        read kpid < /var/run/${NAME}.pid
+    if [ -f "/run/${NAME}.pid" ]; then
+        read kpid < /run/${NAME}.pid
        if checkpid $kpid 2>&1; then
            rc_failed 0
        else
@ -278,8 +278,8 @@ function stop() {
        RETVAL="$?"
        if [ "$RETVAL" -eq "0" ]; then
            count="0"
-            if [ -f "/var/run/${NAME}.pid" ]; then
-                read kpid < /var/run/${NAME}.pid
+            if [ -f "/run/${NAME}.pid" ]; then
+                read kpid < /run/${NAME}.pid
                until [ "$(ps --pid $kpid | grep -c $kpid)" -eq "0" ] || \
                      [ "$count" -gt "$SHUTDOWN_WAIT" ]; do
                    if [ "$SHUTDOWN_VERBOSE" = "true" ]; then
@ -301,7 +301,7 @@ function stop() {
                    echo -n -e "\n"
                fi
            fi
-            rm -f /var/run/rc${NAME} /var/run/${NAME}.pid
+            rm -f /var/run/rc${NAME} /run/${NAME}.pid
            if [ "${CLEAR_WORK}" = "true" ]; then
                echo -n "Cleaning work directory: "
                find ${CATALINA_HOME}/work/{Catalina,temp} -mindepth 2 -type d -print0 | xargs -0 rm -rf
@ -350,7 +350,7 @@ case "$1" in
    echo -n "Reload service Tomcat ($CATALINA_BASE)"
    ## if it supports it:
    #killproc -HUP $TOMCAT_BIN
-    #touch /var/run/FOO.pid
+    #touch /run/FOO.pid
    #rc_status -v
 
    ## Otherwise:
@ -364,7 +364,7 @@ case "$1" in
    # If it supports signalling:
    #echo -n "Reload service FOO"
    #killproc -HUP $TOMCAT_BIN
-    #touch /var/run/FOO.pid
+    #touch /run/FOO.pid
    #rc_status -v
     
    ## Otherwise if it does not support reload:
--- a/tomcat.changes
+++ b/tomcat.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed Jul 29 20:48:14 UTC 2020 - Matei Albu <malbu@suse.com>
+
+- Don't give write permissions for the tomcat group on files and
+  directories where it's not needed (bsc#1172562)
+- Change tomcat.pid location from /var/run to /run (bsc#1173103)
+- Use the /sbin/nologin shell when creating the tomcat user
+- Use %tmpfiles_create macro in %post instead of calling
+  systemd-tmpfiles directly
+
 -------------------------------------------------------------------
 Fri Jun 26 08:03:01 UTC 2020 - Fridrich Strba <fstrba@suse.com>

--- a/tomcat.spec
+++ b/tomcat.spec
@ -335,7 +335,6 @@ install -d -m 0755 %{buildroot}%{_bindir}
 install -d -m 0755 %{buildroot}%{_sbindir}
 install -d -m 0755 %{buildroot}%{_javadocdir}/%{name}
 install -d -m 0755 %{buildroot}%{_initddir}
-install -d -m 0755 %{buildroot}%{_systemddir}
 install -d -m 0755 %{buildroot}%{_sysconfdir}/logrotate.d
 install -d -m 0755 %{buildroot}%{_sysconfdir}/sysconfig
 install -d -m 0755 %{buildroot}%{appdir}
@ -343,7 +342,7 @@ install -d -m 0755 %{buildroot}%{tomcatappdir}
 install -d -m 0755 %{buildroot}%{bindir}
 install -d -m 0775 %{buildroot}%{confdir}
 install -d -m 0755 %{buildroot}%{cachedir}/Catalina/localhost
-install -d -m 0775 %{buildroot}%{confdir}/conf.d
+install -d -m 0755 %{buildroot}%{confdir}/conf.d
 /bin/echo "Place your custom *.conf files here. Shell expansion is supported." > %{buildroot}%{confdir}/conf.d/README
 install -d -m 0755 %{buildroot}%{libdir}
 install -d -m 0775 %{buildroot}%{logdir}
@ -575,7 +574,7 @@ ln -s -f %{_sysconfdir}/alternatives/servlet %{buildroot}%{_javadir}/%{name}-ser

 mkdir -p %{buildroot}%{_tmpfilesdir}
 cat > %{buildroot}%{_tmpfilesdir}/%{name}.conf <<EOF
-f %{_localstatedir}/run/%{name}.pid 0644 tomcat tomcat -
+f /run/%{name}.pid 0644 tomcat tomcat -
 EOF

 # Install tool used to edit server.xml
@ -589,13 +588,14 @@ popd
 # add the tomcat user and group
 %{_sbindir}/groupadd -r tomcat 2>/dev/null || :
 %{_sbindir}/useradd -c "Apache Tomcat" -g tomcat \
-    -s /bin/sh -r -d %{homedir} tomcat 2>/dev/null || :
+    -s /sbin/nologin -r -d %{homedir} tomcat 2>/dev/null || :
 %service_add_pre %{name}.service

 %post
 %service_add_post %{name}.service
+%service_add_post %{name}@.service
 %{fillup_only %{name}}
-%{_bindir}/systemd-tmpfiles --create  >/dev/null 2>&1 || :
+%tmpfiles_create %_tmpfilesdir/%{name}.conf

 %preun
 %service_del_preun %{name}.service
@ -684,7 +684,7 @@ if [ $1 -eq 0 ]; then # uninstall only
 fi

 %files
-%defattr(0664,root,tomcat,0755)
+%defattr(-,root,root)
 %doc {LICENSE,NOTICE,RELEASE*}
 %attr(0755,root,root) %{_bindir}/%{name}-digest
 %attr(0755,root,root) %{_bindir}/%{name}-tool-wrapper
@ -704,41 +704,43 @@ fi
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
 %attr(0755,root,tomcat) %dir %{basedir}
 %attr(0755,root,tomcat) %dir %{confdir}
-%defattr(0664,tomcat,root,0770)
 %attr(0775,root,tomcat) %dir %{appdir}
-%attr(0770,tomcat,root) %{logdir}
+%attr(0770,tomcat,root) %dir %{logdir}
 %attr(0660,tomcat,tomcat) %{logdir}/catalina.out
-%attr(0770,root,tomcat) %{cachedir}
-%defattr(0664,root,tomcat,0770)
+%attr(0770,root,tomcat) %dir %{cachedir}
+%attr(0775,root,tomcat) %dir %{cachedir}/Catalina
+
+# tomcat group writtable dirs - bnc#625415
 %attr(0770,root,tomcat) %dir %{tempdir}
 %attr(0770,root,tomcat) %dir %{workdir}
 %attr(0775,root,tomcat) %dir %{tomcatappdir}
-# tomcat group writtable dirs - bnc#625415
-%defattr(0664,root,tomcat,0775)
+
 %{confdir}/Catalina
-%attr(0775,root,tomcat) %dir %{confdir}/conf.d
-%attr(0664,tomcat,tomcat) %{confdir}/conf.d/README
-%attr(0664,tomcat,tomcat) %config(noreplace) %{confdir}/%{name}.conf
-%attr(0664,tomcat,tomcat) %config(noreplace) %{confdir}/*.policy
-%attr(0664,tomcat,tomcat) %config(noreplace) %{confdir}/*.properties
-%attr(0664,tomcat,tomcat) %config(noreplace) %{confdir}/context.xml
-%attr(0664,tomcat,tomcat) %config(noreplace) %{confdir}/server.xml
-%attr(0660,tomcat,tomcat) %config(noreplace) %{confdir}/tomcat-users.xml
-%attr(0664,tomcat,tomcat) %config(noreplace) %{confdir}/web.xml
-%attr(0664,tomcat,tomcat) %config(noreplace) %{confdir}/jaspic-providers.xml
-%dir %{homedir}
-%{_tmpfilesdir}/%{name}.conf
-%{bindir}/bootstrap.jar
-%{bindir}/catalina-tasks.xml
+%attr(0755,root,tomcat) %dir %{confdir}/conf.d
+%attr(0644,root,tomcat) %{confdir}/conf.d/README
+%attr(0644,root,tomcat) %config(noreplace) %{confdir}/%{name}.conf
+%attr(0644,root,tomcat) %config(noreplace) %{confdir}/*.policy
+%attr(0644,root,tomcat) %config(noreplace) %{confdir}/*.properties
+%attr(0644,root,tomcat) %config(noreplace) %{confdir}/context.xml
+%attr(0644,root,tomcat) %config(noreplace) %{confdir}/server.xml
+# keep tomcat-users.xml readable only by root and tomcat group
+%attr(0640,root,tomcat) %config(noreplace) %{confdir}/tomcat-users.xml
+%attr(0644,root,tomcat) %config(noreplace) %{confdir}/web.xml
+%attr(0644,root,tomcat) %config(noreplace) %{confdir}/jaspic-providers.xml
+%attr(0755,root,tomcat) %dir %{homedir}
+%attr(0644,root,tomcat) %{_tmpfilesdir}/%{name}.conf
+%attr(0644,root,tomcat) %{bindir}/bootstrap.jar
+%attr(0644,root,tomcat) %{bindir}/catalina-tasks.xml
 %{homedir}/lib
 %{homedir}/temp
 %{homedir}/webapps
 %{homedir}/work
 %{homedir}/logs
 %{homedir}/conf
-%{_fillupdir}/sysconfig.%{name}
+%attr(0644,root,tomcat) %{_fillupdir}/sysconfig.%{name}

 %files admin-webapps
+%defattr(0644,root,tomcat,0755)
 %{tomcatappdir}/host-manager
 %config(noreplace) %{tomcatappdir}/host-manager/META-INF/context.xml
 %{tomcatappdir}/manager
@ -786,6 +788,7 @@ fi
 %ghost %{_sysconfdir}/alternatives/servlet

 %files webapps
+%defattr(0644,tomcat,tomcat,0755)
 #bnc#520532
 %config(noreplace) %{tomcatappdir}/ROOT
 %{tomcatappdir}/examples