debian/README.Debian

@@ -54,6 +54,13 @@ Getting started
       systemctl daemon-reload
       systemctl restart tomcat9
 
+    ⚠ This is supported only when Tomcat is started with the systemd unit.
+
+    Using Tomcat with other init systems is supported, however that will
+    negate the security hardening detailed above, make Tomcat not have
+    its own temporary directory, not drop privileges/capabilities after
+    start, and not be restarted on crashing. Use at your own risk.
+
   * To run more than one Tomcat instance on your server, install the package
     tomcat9-user and run the tomcat9-instance-create utility.
     You should remove the tomcat9 package if you don't want Tomcat to

debian/changelog

+tomcat9 (9.0.16-4) UNRELEASED; urgency=medium
+
+  * Team upload.
+  * debian/logging.properties: Add commented-out non-systemd configuration
+  * Make tomcat9 installable without systemd:
+    - Readd logic to create the system user via adduser
+    - Add sysvinit script, for init independence (Closes: #925473)
+  * debian/README.Debian: Document non-systemd risks
+  * debian/libexec/tomcat-locate-java.sh: Remove shebang and make
+    not executable as this is only ever sourced (makes no sense otherwise)
+  * Make the systemd startup script honour the (renamed) $SECURITY_MANAGER
+
+ -- Thorsten Glaser <tg@mirbsd.de>  Mon, 01 Apr 2019 15:42:02 +0200
+
 tomcat9 (9.0.16-3) unstable; urgency=medium
 
   * Removed read/write access to /var/lib/solr (Closes: #923299)

debian/control

@@ -47,7 +47,7 @@ Package: tomcat9
 Architecture: all
 Depends:
  lsb-base (>= 3.0-6),
- systemd (>= 215),
+ systemd (>= 215) | adduser,
  tomcat9-common (>= ${source:Version}),
  ucf,
  ${misc:Depends}

debian/copyright

@@ -49,6 +49,7 @@ Copyright: 2008,2011, Canonical Ltd.
            2013-2014, Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
            2013-2018, Emmanuel Bourg <ebourg@apache.org>
            2001-2017, Markus Koschany <apo@debian.org>
+           2015–2019, mirabilos <t.glaser@tarent.de>
 License: Apache-2.0
 
 License: Apache-2.0

debian/libexec/sysv-getjre.sh

+#!/bin/sh
+#
+# SYSVinit script helper to determine the JRE (for start-stop-daemon)
+#
+
+. /usr/libexec/tomcat9/tomcat-locate-java.sh
+set +e
+
+. /usr/share/tomcat9/bin/setclasspath.sh
+
+if test -n "$_RUNJAVA"; then
+	printf "OK<%s>" "$_RUNJAVA"
+else
+	echo UNSET
+fi

debian/libexec/sysv-start.sh

+#!/bin/sh
+#
+# SYSVinit script helper to wrap the systemd startup script
+#
+
+set -e
+
+# redirect stdio
+exec </dev/null
+exec >>/var/log/tomcat9/catalina.out
+exec 2>&1
+# write an initial log entry
+echo "[$(date +'%FT%T%z')] starting..."
+
+# make sure Tomcat is started with system locale
+
+# restore LC_ALL that was (un)set at initscript startup
+case $saved_LC_ALL in
+(x*)	LC_ALL=${saved_LC_ALL#x} ;;
+(*)	unset LC_ALL ;;
+esac
+# read global locale configuration
+test -r /etc/default/locale && . /etc/default/locale
+# export all POSIX locale-relevant environment variables if set
+for v in LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY \
+    LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE \
+    LC_MEASUREMENT LC_IDENTIFICATION LC_ALL; do
+	eval "x=\${$v-x}"
+	test x"$x" = x"x" || eval export "$v"
+done
+
+# hand control to the systemd startup script we wrap
+exec /usr/libexec/tomcat9/tomcat-start.sh "$@"

debian/libexec/tomcat-locate-java.sh

-#!/bin/sh
 #
 # Script looking for a Java runtime suitable for running Tomcat
 #

debian/libexec/tomcat-start.sh

@@ -15,7 +15,7 @@ export JAVA_OPTS
 
 # Enable the Java security manager?
 SECURITY=""
-[ "$TOMCAT_SECURITY" = "yes" ] && SECURITY="-security"
+[ "$SECURITY_MANAGER" = "true" ] && SECURITY="-security"
 
 
 # Start Tomcat

debian/logging.properties

@@ -33,7 +33,9 @@ handlers = 1catalina.org.apache.juli.AsyncFileHandler, 2localhost.org.apache.jul
 2localhost.org.apache.juli.AsyncFileHandler.maxDays = 90
 
 java.util.logging.ConsoleHandler.level = FINE
+# use one of these depending on whether you use systemd or not, or roll your own
 java.util.logging.ConsoleHandler.formatter = org.apache.juli.SystemdFormatter
+#java.util.logging.ConsoleHandler.formatter = org.apache.juli.OneLineFormatter
 
 
 ############################################################

debian/tomcat9.init

+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          tomcat9
+# Required-Start:    $local_fs $remote_fs $network
+# Required-Stop:     $local_fs $remote_fs $network
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Tomcat 9
+# Description:       The Tomcat 9 servlet engine runs Java Web Archives.
+### END INIT INFO
+
+# stuff away, used later
+saved_LC_ALL=${LC_ALL+x$LC_ALL}
+export saved_LC_ALL
+
+# absolute basics
+LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin
+export LC_ALL PATH
+unset LANGUAGE
+
+# exit cleanly if disabled or not installed
+test -x /usr/libexec/tomcat9/sysv-start.sh || exit 0
+test -x /usr/libexec/tomcat9/sysv-getjre.sh || exit 0
+test -x /usr/libexec/tomcat9/tomcat-update-policy.sh || exit 0
+test -x /usr/libexec/tomcat9/tomcat-start.sh || exit 0
+
+# Debian/LSB init script foobar
+DESC='Tomcat 9 servlet engine'
+NAME=tomcat9
+readonly DESC NAME
+. /lib/init/vars.sh
+test -t 0 && VERBOSE=yes
+. /lib/lsb/init-functions
+
+# somewhat LSB-compliant exit with failure
+if test x"$1" = x"status"; then
+	exit_failure_msg() {
+		log_failure_msg "$@"
+		exit 4
+	}
+else
+	exit_failure_msg() {
+		log_failure_msg "$@"
+		exit 1
+	}
+fi
+
+# set defaults for options
+CATALINA_HOME=/usr/share/tomcat9
+CATALINA_BASE=/var/lib/tomcat9
+CATALINA_TMPDIR=/tmp/tomcat9-tmp
+export CATALINA_HOME CATALINA_BASE CATALINA_TMPDIR
+JAVA_HOME= # determined later if empty
+JAVA_OPTS=-Djava.awt.headless=true
+JSP_COMPILER= # only used if nonempty
+SECURITY_MANAGER=false
+export JAVA_HOME JAVA_OPTS JSP_COMPILER SECURITY_MANAGER
+UMASK=022
+export UMASK
+# read options
+test -r /etc/default/tomcat9 && . /etc/default/tomcat9
+
+# ensure the temporary directory exist and change to it
+rm -rf "$CATALINA_TMPDIR"
+mkdir "$CATALINA_TMPDIR" || \
+    exit_failure_msg 'could not create JVM temporary directory'
+chown -h tomcat "$CATALINA_TMPDIR"
+cd "$CATALINA_TMPDIR"
+
+# figure out the JRE executable catalina.sh will use
+# (we need it for start-stop-daemon --exec for reliability)
+_RUNJAVA=$(su tomcat -s /bin/sh -c /usr/libexec/tomcat9/sysv-getjre.sh) || \
+    _RUNJAVA="FAIL:$?"
+case $_RUNJAVA in
+('OK<'*'>')
+	_RUNJAVA=${_RUNJAVA#'OK<'}
+	_RUNJAVA=${_RUNJAVA%'>'}
+	;;
+(*)
+	exit_failure_msg "could not determine JRE: $_RUNJAVA"
+	;;
+esac
+
+# prepare for actions
+case $1 in
+(start|stop|restart|force-reload)
+	# handled below
+	;;
+(try-restart|status)
+	start-stop-daemon --status --quiet \
+	    --pidfile /var/run/tomcat9.pid \
+	    --exec "$_RUNJAVA" --user tomcat
+	rv=$?
+	# clean up stale pidfile if necessary
+	(test x"$rv" = x"1" && rm -f /var/run/tomcat9.pid || :)
+	# process status result
+	case $1 in
+	(try-restart)
+		test x"$rv" = x"0" || {
+			# service is not running, or status is unknown
+			log_success_msg "$NAME is not running"
+			exit 0
+		}
+		# service running, restart it
+		;;
+	(status)
+		case $rv in
+		(0)
+			log_success_msg "$NAME is running"
+			;;
+		(4)
+			log_failure_msg "could not access PID file for $NAME"
+			;;
+		(*)
+			log_failure_msg "$NAME is not running"
+			;;
+		esac
+		exit $rv
+		;;
+	esac
+	;;
+(reload|*)
+	# not supported
+	echo >&2 "Usage: $0 {start|stop|restart|try-restart|force-reload|status}"
+	exit 3
+	;;
+esac
+
+# handle stopping/starting
+rv=0
+
+case $1 in
+(stop|restart|try-restart|force-reload)
+	test x"$VERBOSE" = x"no" || log_daemon_msg "Stopping $DESC"
+	start-stop-daemon --stop --quiet \
+	    --retry=10 --oknodo --remove-pidfile \
+	    --pidfile /var/run/tomcat9.pid \
+	    --exec "$_RUNJAVA" --user tomcat
+	rv=$?
+	test x"$VERBOSE" = x"no" || log_end_msg $rv
+	;;
+esac
+
+test x"$rv" = x"0" || exit $rv
+
+case $1 in
+(start|restart|try-restart|force-reload)
+	/usr/libexec/tomcat9/tomcat-update-policy.sh || \
+	    exit_failure_msg 'could not regenerating catalina.policy file'
+	rm -f /var/run/tomcat9.pid
+	test x"$VERBOSE" = x"no" || log_daemon_msg "Starting $DESC"
+	start-stop-daemon --start --quiet \
+	    --chuid tomcat --umask "$UMASK" \
+	    --startas /usr/libexec/tomcat9/sysv-start.sh \
+	    --background --make-pidfile \
+	    --pidfile /var/run/tomcat9.pid \
+	    --exec "$_RUNJAVA" --user tomcat
+	rv=$?
+	test x"$VERBOSE" = x"no" || log_end_msg $rv
+	;;
+esac
+
+exit $rv

debian/tomcat9.install

@@ -8,5 +8,6 @@ debian/default.template    /usr/share/tomcat9/
 debian/logrotate.template  /usr/share/tomcat9/
 debian/sysusers/*.conf     /usr/lib/sysusers.d/
 
+debian/libexec/sysv-*                  /usr/libexec/tomcat9/
 debian/libexec/tomcat-start.sh         /usr/libexec/tomcat9/
 debian/libexec/tomcat-update-policy.sh /usr/libexec/tomcat9/

debian/tomcat9.lintian-overrides

+# handled in dependencies and maintainer script as alternative
+tomcat9: maintainer-script-needs-depends-on-adduser postinst

debian/tomcat9.postinst

@@ -5,6 +5,7 @@
 
 set -e
 
+# Note these are no longer configurable (as of commit 243d00dc688ea47f4c7cde570ccaaa70efe269bf)
 TOMCAT_USER="tomcat"
 TOMCAT_GROUP="tomcat"
 
@@ -12,8 +13,18 @@ CONFFILES="tomcat-users.xml web.xml server.xml logging.properties context.xml ca
 
 case "$1" in
     configure)
+	if which systemd-sysusers >/dev/null; then
 		# Create the tomcat user as defined in /usr/lib/sysusers.d/tomcat9.conf
 		systemd-sysusers
+	elif id tomcat >/dev/null 2>&1; then
+		: The tomcat user already exists
+	else
+		# Create the tomcat user without systemd
+		adduser --system --home /var/lib/tomcat9 \
+		    --shell /usr/sbin/nologin --no-create-home \
+		    --group --disabled-password --disabled-login \
+		    --gecos 'Apache Tomcat' tomcat
+	fi
 
 	# Install the configuration files
 	for conffile in $CONFFILES;