I searched in the Packages tomcat7 and tomcat7-common from Trusty and Xenial and can't find anything that is creating or using the Directory /var/lib/tomcat7/policy ($CATALINA_BASE/policy).
My suggestion is that Marc would like to move the generated Policy Files out of $CATALINA_BASE/work/ which is a symlink to /var/cache/tomcat7. /var/cache/tomcat7 is writable by the tomcat User.
But the patch is incomplete. catalina.sh still hands $CATALINA_BASE/work/catalina.policy to Java.
This bug blocks installing a Security-Update. In my opinion this is a Security Issue too and needs to be fixed asap.