From 32d59bc711f87932e93883063b6ebccf91c0f198e7ca037138d64fc6b96d0366 Mon Sep 17 00:00:00 2001
From: Matei Albu
Date: Thu, 30 Jul 2020 21:16:33 +0000
Subject: [PATCH] Accepting request 823635 from home:mateialbu:branches:Java:packages

- Don't give write permissions for the tomcat group on files and directories where it's not needed (bsc#1172562)
- Change tomcat.pid location from /var/run to /run (bsc#1173103)
- Use the /sbin/nologin shell when creating the tomcat user
- Use %tmpfiles_create macro in %post instead of calling systemd-tmpfiles directly
OBS-URL: https://build.opensuse.org/request/show/823635
OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=205
---
 tomcat-9.0.init | 22 +++++++++----------
 tomcat.changes | 10 +++++++++
 tomcat.spec | 57 ++++++++++++++++++++++++++-----------------------
 3 files changed, 51 insertions(+), 38 deletions(-)

diff --git a/tomcat-9.0.init b/tomcat-9.0.init
index b3d0d1d..5a8ccee 100644
--- a/tomcat-9.0.init
+++ b/tomcat-9.0.init
@@ -77,7 +77,7 @@ TOMCAT_USER="${TOMCAT_USER:-tomcat}"
 # Define the tomcat log file
 TOMCAT_LOG="${TOMCAT_LOG:-${CATALINA_HOME}/logs/${NAME}-initd.log}"
 # Define the tomcat pid file
-export CATALINA_PID="/var/run/${NAME}.pid"
+export CATALINA_PID="/run/${NAME}.pid"
 RETVAL="0"
@@ -193,8 +193,8 @@ function parseOptions() {
 function start() {
 echo -n "Starting Tomcat ($CATALINA_BASE)"
 if [ -f "/var/run/rc${NAME}" ] ; then
- if [ -f "/var/run/${NAME}.pid" ]; then
- read kpid < /var/run/${NAME}.pid
+ if [ -f "/run/${NAME}.pid" ]; then
+ read kpid < /run/${NAME}.pid
 if checkpid $kpid 2>&1; then
 echo "$NAME process already running"
 rc_failed 0
@@ -205,7 +205,7 @@ function start() {
 fi
 fi
 # fix permissions on the log and pid files
- export CATALINA_PID="/var/run/${NAME}.pid"
+ export CATALINA_PID="/run/${NAME}.pid"
 touch $CATALINA_PID
 chown --no-dereference ${TOMCAT_USER}:${TOMCAT_USER} $CATALINA_PID
 touch $TOMCAT_LOG
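Review bot: `read kpid < /run/${NAME}.pid` in start() takes the PID from a file that the @@ -205 hunk hands to the service account via `chown --no-dereference ${TOMCAT_USER}:${TOMCAT_USER} $CATALINA_PID`, and then passes it to `checkpid $kpid` with no check that it is a number, so whatever that account writes into the file is acted on by the root-run script. Reading it as `read -r kpid < "/run/${NAME}.pid"` and adding `case "$kpid" in ''|*[!0-9]*) kpid= ;; esac` before the checkpid call limits the effect of a corrupted or tampered pid file to "not running". The same unchecked read appears in status() (@@ -249) and stop() (@@ -278) in the following hunks. start() continues past the hunk.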
@@ -249,8 +249,8 @@ function start() {
 # NOTE: checkproc returns LSB compliant status values.
 function status() {
 echo -n "Checking for Tomcat ($CATALINA_BASE)"
- if [ -f "/var/run/${NAME}.pid" ]; then
- read kpid < /var/run/${NAME}.pid
+ if [ -f "/run/${NAME}.pid" ]; then
+ read kpid < /run/${NAME}.pid
 if checkpid $kpid 2>&1; then
 rc_failed 0
 else
@@ -278,8 +278,8 @@ function stop() {
 RETVAL="$?"
 if [ "$RETVAL" -eq "0" ]; then
 count="0"
- if [ -f "/var/run/${NAME}.pid" ]; then
- read kpid < /var/run/${NAME}.pid
+ if [ -f "/run/${NAME}.pid" ]; then
+ read kpid < /run/${NAME}.pid
 until [ "$(ps --pid $kpid | grep -c $kpid)" -eq "0" ] || \
 [ "$count" -gt "$SHUTDOWN_WAIT" ]; do
 if [ "$SHUTDOWN_VERBOSE" = "true" ]; then
@@ -301,7 +301,7 @@ function stop() {
 echo -n -e "\n"
 fi
 fi
- rm -f /var/run/rc${NAME} /var/run/${NAME}.pid
+ rm -f /var/run/rc${NAME} /run/${NAME}.pid
 if [ "${CLEAR_WORK}" = "true" ]; then
 echo -n "Cleaning work directory: "
 find ${CATALINA_HOME}/work/{Catalina,temp} -mindepth 2 -type d -print0 | xargs -0 rm -rf
@@ -350,7 +350,7 @@ case "$1" in
 echo -n "Reload service Tomcat ($CATALINA_BASE)"
 ## if it supports it:
 #killproc -HUP $TOMCAT_BIN
- #touch /var/run/FOO.pid
+ #touch /run/FOO.pid
 #rc_status -v
 ## Otherwise:
@@ -364,7 +364,7 @@ case "$1" in
 # If it supports signalling:
 #echo -n "Reload service FOO"
 #killproc -HUP $TOMCAT_BIN
- #touch /var/run/FOO.pid
+ #touch /run/FOO.pid
 #rc_status -v
 ## Otherwise if it does not support reload:
diff --git a/tomcat.changes b/tomcat.changes
index cab69bb..e088cca 100644
--- a/tomcat.changes
+++ b/tomcat.changes
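Review bot: `rm -f /var/run/rc${NAME} /run/${NAME}.pid` in stop() now mixes the two directories: the pid file has moved to /run, but the `rc${NAME}` marker stays under /var/run, and start() (@@ -193) still tests `/var/run/rc${NAME}`. Where /var/run is a symlink to /run the two resolve to the same file, but if bsc#1173103 is about retiring the /var/run path, the marker file has the same problem and will be missed. Moving it in the same change (`rm -f /run/rc${NAME} /run/${NAME}.pid` here, plus the test in start() and wherever the marker is created, which is outside these hunks) keeps one convention; if it is left in /var/run on purpose, a one-line comment saying why would help the next reader. stop() continues outside the hunk.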
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed Jul 29 20:48:14 UTC 2020 - Matei Albu
+
+- Don't give write permissions for the tomcat group on files and
+ directories where it's not needed (bsc#1172562)
+- Change tomcat.pid location from /var/run to /run (bsc#1173103)
+- Use the /sbin/nologin shell when creating the tomcat user
+- Use %tmpfiles_create macro in %post instead of calling
+ systemd-tmpfiles directly
+
 -------------------------------------------------------------------
 Fri Jun 26 08:03:01 UTC 2020 - Fridrich Strba
 
diff --git a/tomcat.spec b/tomcat.spec
index bf28983..7aff8ef 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -335,7 +335,6 @@ install -d -m 0755 %{buildroot}%{_bindir}
 install -d -m 0755 %{buildroot}%{_sbindir}
 install -d -m 0755 %{buildroot}%{_javadocdir}/%{name}
 install -d -m 0755 %{buildroot}%{_initddir}
-install -d -m 0755 %{buildroot}%{_systemddir}
 install -d -m 0755 %{buildroot}%{_sysconfdir}/logrotate.d
 install -d -m 0755 %{buildroot}%{_sysconfdir}/sysconfig
 install -d -m 0755 %{buildroot}%{appdir}
@@ -343,7 +342,7 @@ install -d -m 0755 %{buildroot}%{tomcatappdir}
 install -d -m 0755 %{buildroot}%{bindir}
 install -d -m 0775 %{buildroot}%{confdir}
 install -d -m 0755 %{buildroot}%{cachedir}/Catalina/localhost
-install -d -m 0775 %{buildroot}%{confdir}/conf.d
+install -d -m 0755 %{buildroot}%{confdir}/conf.d
 /bin/echo "Place your custom *.conf files here. Shell expansion is supported." > %{buildroot}%{confdir}/conf.d/README
 install -d -m 0755 %{buildroot}%{libdir}
 install -d -m 0775 %{buildroot}%{logdir}
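Review bot: The `%install` modes this hunk leaves untouched no longer agree with the ownership the same commit sets in `%files`: `install -d -m 0775 %{buildroot}%{confdir}` (two lines above the change) versus `%attr(0755,root,tomcat) %dir %{confdir}`, and `install -d -m 0775 %{buildroot}%{logdir}` (the hunk's last line) versus `%attr(0770,tomcat,root) %dir %{logdir}`. The `%attr` values win when the package is built, so this is cosmetic, but since conf.d is being corrected here for exactly that reason, aligning the other two (`install -d -m 0755 %{buildroot}%{confdir}`, `install -d -m 0770 %{buildroot}%{logdir}`) stops the buildroot modes being read as the intended ones.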
@@ -575,7 +574,7 @@ ln -s -f %{_sysconfdir}/alternatives/servlet %{buildroot}%{_javadir}/%{name}-ser
 mkdir -p %{buildroot}%{_tmpfilesdir}
 cat > %{buildroot}%{_tmpfilesdir}/%{name}.conf </dev/null || :
 %{_sbindir}/useradd -c "Apache Tomcat" -g tomcat \
- -s /bin/sh -r -d %{homedir} tomcat 2>/dev/null || :
+ -s /sbin/nologin -r -d %{homedir} tomcat 2>/dev/null || :
 %service_add_pre %{name}.service
 %post
 %service_add_post %{name}.service
+%service_add_post %{name}@.service
 %{fillup_only %{name}}
-%{_bindir}/systemd-tmpfiles --create >/dev/null 2>&1 || :
+%tmpfiles_create %_tmpfilesdir/%{name}.conf
 %preun
 %service_del_preun %{name}.service
@@ -684,7 +684,7 @@ if [ $1 -eq 0 ]; then # uninstall only
 fi
 %files
-%defattr(0664,root,tomcat,0755)
+%defattr(-,root,root)
 %doc {LICENSE,NOTICE,RELEASE*}
 %attr(0755,root,root) %{_bindir}/%{name}-digest
 %attr(0755,root,root) %{_bindir}/%{name}-tool-wrapper
@@ -704,41 +704,43 @@ fi
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
 %attr(0755,root,tomcat) %dir %{basedir}
 %attr(0755,root,tomcat) %dir %{confdir}
-%defattr(0664,tomcat,root,0770)
 %attr(0775,root,tomcat) %dir %{appdir}
-%attr(0770,tomcat,root) %{logdir}
+%attr(0770,tomcat,root) %dir %{logdir}
 %attr(0660,tomcat,tomcat) %{logdir}/catalina.out
-%attr(0770,root,tomcat) %{cachedir}
-%defattr(0664,root,tomcat,0770)
+%attr(0770,root,tomcat) %dir %{cachedir}
+%attr(0775,root,tomcat) %dir %{cachedir}/Catalina
+
+# tomcat group writtable dirs - bnc#625415
 %attr(0770,root,tomcat) %dir %{tempdir}
 %attr(0770,root,tomcat) %dir %{workdir}
 %attr(0775,root,tomcat) %dir %{tomcatappdir}
-# tomcat group writtable dirs - bnc#625415
-%defattr(0664,root,tomcat,0775)
+
 %{confdir}/Catalina
-%attr(0775,root,tomcat) %dir %{confdir}/conf.d
-%attr(0664,tomcat,tomcat) %{confdir}/conf.d/README
-%attr(0664,tomcat,tomcat) %config(noreplace) %{confdir}/%{name}.conf
-%attr(0664,tomcat,tomcat) %config(noreplace) %{confdir}/*.policy
-%attr(0664,tomcat,tomcat) %config(noreplace) %{confdir}/*.properties
-%attr(0664,tomcat,tomcat) %config(noreplace) %{confdir}/context.xml
-%attr(0664,tomcat,tomcat) %config(noreplace) %{confdir}/server.xml
-%attr(0660,tomcat,tomcat) %config(noreplace) %{confdir}/tomcat-users.xml
-%attr(0664,tomcat,tomcat) %config(noreplace) %{confdir}/web.xml
-%attr(0664,tomcat,tomcat) %config(noreplace) %{confdir}/jaspic-providers.xml
-%dir %{homedir}
-%{_tmpfilesdir}/%{name}.conf
-%{bindir}/bootstrap.jar
-%{bindir}/catalina-tasks.xml
+%attr(0755,root,tomcat) %dir %{confdir}/conf.d
+%attr(0644,root,tomcat) %{confdir}/conf.d/README
+%attr(0644,root,tomcat) %config(noreplace) %{confdir}/%{name}.conf
+%attr(0644,root,tomcat) %config(noreplace) %{confdir}/*.policy
+%attr(0644,root,tomcat) %config(noreplace) %{confdir}/*.properties
+%attr(0644,root,tomcat) %config(noreplace) %{confdir}/context.xml
+%attr(0644,root,tomcat) %config(noreplace) 
%{confdir}/server.xml
+# keep tomcat-users.xml readable only by root and tomcat group
+%attr(0640,root,tomcat) %config(noreplace) %{confdir}/tomcat-users.xml
+%attr(0644,root,tomcat) %config(noreplace) %{confdir}/web.xml
+%attr(0644,root,tomcat) %config(noreplace) %{confdir}/jaspic-providers.xml
+%attr(0755,root,tomcat) %dir %{homedir}
+%attr(0644,root,tomcat) %{_tmpfilesdir}/%{name}.conf
+%attr(0644,root,tomcat) %{bindir}/bootstrap.jar
+%attr(0644,root,tomcat) %{bindir}/catalina-tasks.xml
 %{homedir}/lib
 %{homedir}/temp
 %{homedir}/webapps
 %{homedir}/work
 %{homedir}/logs
 %{homedir}/conf
-%{_fillupdir}/sysconfig.%{name}
+%attr(0644,root,tomcat) %{_fillupdir}/sysconfig.%{name}
 %files admin-webapps
+%defattr(0644,root,tomcat,0755)
 %{tomcatappdir}/host-manager
 %config(noreplace) %{tomcatappdir}/host-manager/META-INF/context.xml
 %{tomcatappdir}/manager
@@ -786,6 +788,7 @@ fi
 %ghost %{_sysconfdir}/alternatives/servlet
 %files webapps
+%defattr(0644,tomcat,tomcat,0755)
 #bnc#520532
 %config(noreplace) %{tomcatappdir}/ROOT
 %{tomcatappdir}/examples
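Review bot: `%{confdir}/Catalina` is the one entry in the rewritten list that carries no `%attr` of its own; the `%defattr(0664,root,tomcat,0775)` that used to cover it is removed in this hunk, so it now falls under the `%defattr(-,root,root)` set at the top of `%files` in the @@ -684 hunk and is packaged root:root with whatever mode `%install` happened to give it. If Tomcat is expected to write context descriptors under conf/Catalina/<host> on deploy, as autodeploy does, that tree needs to stay group-writable; if it is not, dropping the write bit is the point of bsc#1172562 and deserves to be explicit. Either way an `%attr(0775,root,tomcat) %dir %{confdir}/Catalina` (or the 0755 equivalent) next to the other bnc#625415 entries would make the decision visible rather than inherited. The `%{homedir}/lib` through `%{homedir}/conf` entries are in the same position, though they look like links whose own mode is irrelevant.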
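Review bot: `%defattr(0644,tomcat,tomcat,0755)` under `%files webapps` makes every file in `%{tomcatappdir}/ROOT` and `%{tomcatappdir}/examples` owned by the tomcat user, i.e. writable by the account the service runs as, whereas the main package and admin-webapps in this same commit use root:tomcat so the service can only read the content it serves. If bnc#520532 only needs the ROOT directory itself to accept new files, `%defattr(0644,root,tomcat,0755)` together with `%attr(0775,root,tomcat) %dir %{tomcatappdir}/ROOT` keeps the shipped files read-only to the service account; if the whole tree must be writable, a short comment after `#bnc#520532` saying why would stop a later reviewer from undoing it. The `#bnc#520532` line sits just below the change and may already be meant as that justification.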