Hi, I looked into the tomcat6.spec file; the catalina.out stuff seems to be handled in the rpm installation process.

------------------------
%install
:
/bin/touch ${RPM_BUILD_ROOT}%{logdir}/catalina.out
:

%files
:
%attr(0644,tomcat,tomcat) %{logdir}/catalina.out
:
------------------------

So I'd like to suggest doing the same in our cloudstack spec file, too.

(2013/06/03 19:10), Prasanna Santhanam wrote:
I couldn't find a reasonably good solution for this. The vulnerability was fixed in Tomcat more than a year ago and it was applied only recently, as Ove pointed out, in the distros. While this doesn't affect those upgrading, it is problematic for those installing CloudStack afresh. Any version - 3.0.2, ($insert_commercial_version), 4.0, 4.0.1, 4.0.2, 4.1 and even the 4.2-SNAPSHOT RPMs.

I've applied a fix on master (54127f8) that I think is reasonable, by changing the permissions on the file so it is owned by user `cloud`, which is the user cloudstack-management will run as. To understand why this is not an obvious hack please see [1]. If there's an even more elegant way, please let the list know.

I'm also not quite sure how and when the deb packages will be affected. It looked like the debian users haven't reported this problem yet. We started seeing issues of this right after May 25th; should've paid more attention then (/me facepalm).

It's an awkward situation, so I'm not sure what the next course of action will be, since our src release is ready to be published. The options are:

a) Publish workaround of giving `cloud` permissions to catalina.out
b) Release a new source package with the fix cherry-picked to 4.1 and wherever applicable.

b) shouldn't take longer - just testing the packaging should be sufficient. CloudStack's overall functionality is satisfactory from the tests done so far.

[1] http://markmail.org/thread/wuknrv3ml5lfdq7c
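The spec fragment suggested above creates catalina.out at install time and lets rpm set its owner and mode via %attr. As an added example (not code from the thread or from the CloudStack/Tomcat packaging), here is a small post-install check that confirms the log file ended up owned by the service user with the intended mode, so an installer can detect the situation described in the thread before the management server fails to write its log. It assumes GNU stat(1); the path and the owner name (e.g. `cloud`) are passed in by the caller.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Verify that a log file has the owner and mode that an
# "%attr(0644,<user>,<user>) <logdir>/catalina.out" line is meant to enforce.
# Assumes GNU stat(1) (the -c format option).

# check_log_file PATH OWNER [MODE]
# Returns 0 when PATH is a regular file owned by OWNER with exactly MODE
# (default 644, i.e. %attr(0644,...)); otherwise reports each mismatch on
# stderr and returns 1.
check_log_file() {
    path=$1
    owner=$2
    want_mode=${3:-644}

    if [ ! -f "$path" ]; then
        echo "missing: $path (was it touched in %install?)" >&2
        return 1
    fi

    have_owner=$(stat -c '%U' "$path")
    have_mode=$(stat -c '%a' "$path")
    status=0

    # The service user must own the file, or it cannot append to its own log.
    if [ "$have_owner" != "$owner" ]; then
        echo "owner mismatch on $path: have $have_owner, want $owner" >&2
        status=1
    fi

    # Exact mode check: catches both too-tight (service cannot write) and
    # too-loose (group/world writable) permissions left over from a distro update.
    if [ "$have_mode" != "$want_mode" ]; then
        echo "mode mismatch on $path: have $have_mode, want $want_mode" >&2
        status=1
    fi
    return $status
}
```

Typical use from a %post scriptlet or a smoke test would be `check_log_file /var/log/cloudstack/management/catalina.out cloud` (path shown here is an assumption, not taken from the thread).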