Comment 2 for bug 1659589

Benjamin Baumer (bbaumer-abm) wrote :

Hi,

I searched in the packages tomcat7 and tomcat7-common from Trusty and Xenial and can't find anything that creates or uses the directory /var/lib/tomcat7/policy ($CATALINA_BASE/policy).

My suggestion is that Marc would like to move the generated policy files out of $CATALINA_BASE/work/, which is a symlink to /var/cache/tomcat7. /var/cache/tomcat7 is writable by the tomcat user.

But the patch is incomplete. catalina.sh still hands $CATALINA_BASE/work/catalina.policy to Java.

This bug blocks installing a security update. In my opinion this is a security issue too and needs to be fixed ASAP.