tomcat fails to start using a security manager

Bug #591802 reported by Jeff Turner
14
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tomcat6 (Debian)
Fix Released
Unknown
tomcat6 (Ubuntu)
Fix Released
High
Thierry Carrez
Lucid
Fix Released
High
Thierry Carrez

Bug Description

Binary package hint: tomcat6

Using tomcat6 package version 6.0.24-2ubuntu, after editing /etc/default/tomcat6 to set TOMCAT6_SECURITY=yes, Tomcat breaks on startup with (in catalina.out):

Using CATALINA_BASE: /var/lib/tomcat6
Using CATALINA_HOME: /usr/share/tomcat6
Using CATALINA_TMPDIR: /tmp/tomcat6-tmp
Using JRE_HOME: /usr/lib/jvm/java-6-openjdk
Using CLASSPATH: /usr/share/tomcat6/bin/bootstrap.jar
Using Security Manager
Exception in thread "main" java.lang.ExceptionInInitializerError
        at org.apache.juli.logging.LogFactory.getInstance(LogFactory.java:171)
        at org.apache.juli.logging.LogFactory.getInstance(LogFactory.java:243)
        at org.apache.juli.logging.LogFactory.getLog(LogFactory.java:298)
        at org.apache.catalina.startup.Bootstrap.<clinit>(Bootstrap.java:55)
Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission java.util.logging.config.class read)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:342)
        at java.security.AccessController.checkPermission(AccessController.java:553)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1302)
        at java.lang.System.getProperty(System.java:669)
        at org.apache.juli.logging.DirectJDKLog.<clinit>(DirectJDKLog.java:43)
        ... 4 more
Could not find the main class: org.apache.catalina.startup.Bootstrap. Program will exit.

The problem is that -Djava.security.policy is being set twice, firstly in /etc/init.d/tomcat6 to $CATALINA_BASE/work/catalina.policy (correct), secondly in /usr/share/tomcat6/bin/catalina.sh to $CATALINA_BASE/conf/catalina.policy (an invalid path). Unfortunately the second takes precedence, and so no policy file is actually used.

To fix this, I suggest patching catalina.sh to change 'conf/catalina.policy' references to 'work/catalina.policy'. It would also be good to remove the explicit setting of -Djava.security.manager and -Djava.security.policy from the init.d script, since it is done anyway in the init script. I've attached two patches for this.

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: tomcat6 6.0.24-2ubuntu1
ProcVersionSignature: Ubuntu 2.6.32-22.33-generic 2.6.32.11+drm33.2
Uname: Linux 2.6.32-22-generic i686
NonfreeKernelModules: nvidia
Architecture: i386
Date: Thu Jun 10 01:14:40 2010
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release i386 (20100427.1)
PackageArchitecture: all
ProcEnviron:
 PATH=(custom, user)
 LANG=en_US.utf8
 SHELL=/bin/bash
SourcePackage: tomcat6

== SRU Report ==
Impact:
Regression for users of TOMCAT6_SECURITY=yes, that won't work after upgrading to Lucid.

Development branch fix:
6.0.26-4 has this fix, and a sync request to 6.0.26-5 was filed (bug 599265)

Minimal patch:
See attached at comment 9.

TEST CASE:
$ sudo apt-get install tomcat6
$ sudo sed -i "s/#TOMCAT6_SECURITY=no/TOMCAT6_SECURITY=yes/" /etc/default/tomcat6
$ sudo service tomcat6 restart
Affected = FAIL
Fixed = PASS

Regression potential:
The patch only affects the options used when TOMCAT6_SECURITY=yes, and the current duplicated options prevent it from working completely.

Revision history for this message
Jeff Turner (jeffturner) wrote :
Revision history for this message
Jeff Turner (jeffturner) wrote :
tags: added: patch
Revision history for this message
Adam Guthrie (therigu) wrote :

I've confirmed using 6.0.24-2ubuntu1 on 10.04

Changed in tomcat6 (Ubuntu):
status: New → Confirmed
Revision history for this message
Adam Guthrie (therigu) wrote :

I've tested the patch and they seem to work.

Revision history for this message
Adam Guthrie (therigu) wrote :
Adam Guthrie (therigu)
tags: added: patch-forwarded-debian
Changed in tomcat6 (Debian):
status: Unknown → New
Revision history for this message
Thierry Carrez (ttx) wrote :

Adam: thanks for your work in producing a debdiff out of Jeff's patch ! This needs to be fixed in maverick (development release) and also in lucid (as a Stable Release Update). You debdiff is a mix of the two, since it's targeted to "lucid". It should either be 6.0.24-2ubuntu1.2 targeted to lucid-proposed, or 6.0.26-2ubuntu1 targeted to maverick. The autogenerated quilt patch could also use some comments to replace autogenerated boilerplate.

Ideally, Debian will accept the patch and release a fixed version, we'll sync maverick to that and backport the fix to Lucid, so there is no need to prepare a maverick-specific fix.

Changed in tomcat6 (Ubuntu):
importance: Undecided → High
status: Confirmed → Triaged
Changed in tomcat6 (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → High
Revision history for this message
Thierry Carrez (ttx) wrote :

Fix committed to debian-java SVN, will push a Lucid SRU for it.

Changed in tomcat6 (Ubuntu):
assignee: nobody → Thierry Carrez (ttx)
Changed in tomcat6 (Ubuntu Lucid):
assignee: nobody → Thierry Carrez (ttx)
Revision history for this message
Jason Brittain (jason-brittain) wrote :

The changes look right to me as well, if the policy file we're trying to use is in the work/ directory. The init.d script should not set -Djava.security.manager nor -Djava.security.policy because those are indeed set by catalina.sh whenever catalina.sh is invoked with -security. Thanks guys!

Thierry Carrez (ttx)
Changed in tomcat6 (Ubuntu):
status: Triaged → Fix Committed
Changed in tomcat6 (Debian):
status: New → Fix Released
Thierry Carrez (ttx)
Changed in tomcat6 (Ubuntu Lucid):
status: Triaged → In Progress
Revision history for this message
Thierry Carrez (ttx) wrote :
description: updated
Revision history for this message
Thierry Carrez (ttx) wrote :

Uploaded to lucid-proposed, waiting for acceptation.

Changed in tomcat6 (Ubuntu Lucid):
status: In Progress → Confirmed
Revision history for this message
Martin Pitt (pitti) wrote : Please test proposed package

Accepted tomcat6 into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in tomcat6 (Ubuntu Lucid):
status: Confirmed → Fix Committed
tags: added: verification-needed
Revision history for this message
Adam Guthrie (therigu) wrote :

Changes accepted in debian in 6.0.24-4

tags: added: patch-accepted-debian
removed: patch-forwarded-debian
Revision history for this message
Adam Guthrie (therigu) wrote :

-proposed package passes test case on my 10.04 i686 desktop.

Martin Pitt (pitti)
tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.26-5

---------------
tomcat6 (6.0.26-5) unstable; urgency=medium

  * Convert patches to dep3 format.
  * Backport security fix from trunk to fix CVE-2010-1157. (Closes: #587447)
  * Set urgency to medium due to the security fix.

tomcat6 (6.0.26-4) unstable; urgency=low

  [ Thierry Carrez ]
  * Fix issues preventing from running Tomcat6 with a security manager:
    - debian/tomcat6.init: Remove duplicate securitymanager options.
    - debian/patches/catalina-sh-security-manager.patch: Use the right
      location for the security.policy file in catalina.sh.
    - Closes: #585379, LP: #591802. Thanks to Jeff Turner for the original
      patches and to Adam Guthrie for the Lucid debdiff.
  * Allow binding to any interface when using authbind, rather than only allow
    binding to all (LP: #594989)
  * Force backgrounding of catalina.sh in start-stop-daemon, to allow the init
    script to be started through ssh -t (LP: #588481)

  [ Torsten Werner ]
  * Remove Paul from Uploaders list.
 -- Thierry Carrez <email address hidden> Tue, 13 Jul 2010 17:56:11 +0100

Changed in tomcat6 (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.24-2ubuntu1.2

---------------
tomcat6 (6.0.24-2ubuntu1.2) lucid-proposed; urgency=low

  * Fix issues preventing from running Tomcat6 with a security manager:
    - debian/tomcat6.init: Remove duplicate securitymanager options.
    - debian/patches/catalina-sh-security-manager.patch: Use the right
      location for the security.policy file in catalina.sh.
    - Closes LP: #591802. Thanks to Jeff Turner for the original
      patches and to Adam Guthrie for the Lucid debdiff.
 -- Thierry Carrez <email address hidden> Mon, 05 Jul 2010 14:54:47 +0200

Changed in tomcat6 (Ubuntu Lucid):
status: Fix Committed → Fix Released
tags: added: testcase
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.