tomcat8 8.5.30-1ubuntu1 / postinst

#!/bin/sh
set -e

. /usr/share/debconf/confmodule
TEMPLATE="/usr/share/tomcat8/defaults.template"
CONFFILE="/etc/default/tomcat8"
LR_TEMPLATE="/usr/share/tomcat8/logrotate.template"
LR_CONFFILE="/etc/logrotate.d/tomcat8"
JAVA_OPTS="-Djava.awt.headless=true -XX:+UseConcMarkSweepGC"

case "$1" in
    configure)

	# Generate $CONFFILE from debconf seetings and $TEMPLATE
	db_version 2.0
	db_get tomcat8/username && TOMCAT8_USER="$RET" || TOMCAT8_USER="tomcat8"
	db_get tomcat8/groupname && TOMCAT8_GROUP="$RET" || TOMCAT8_GROUP="tomcat8"
	db_get tomcat8/javaopts && JAVA_OPTS="$RET" || JAVA_OPTS="-Djava.awt.headless=true -XX:+UseConcMarkSweepGC"

	tmpfile=`mktemp /tmp/tomcat8.XXXXXXXXXX`
	chmod 644 $tmpfile
	DELIM=$(printf '\001')
	cat $TEMPLATE \
		| sed "s%^TOMCAT8_USER=.*$%TOMCAT8_USER=$TOMCAT8_USER%" \
		| sed "s%^TOMCAT8_GROUP=.*$%TOMCAT8_GROUP=$TOMCAT8_GROUP%" \
		| sed "s${DELIM}^JAVA_OPTS=.*\$${DELIM}JAVA_OPTS=\"$JAVA_OPTS\"${DELIM}" \
		>> $tmpfile
	ucf --debconf-ok --sum-file /usr/share/tomcat8/defaults.md5sum $tmpfile $CONFFILE
	rm -f $tmpfile

	if ! getent group "$TOMCAT8_GROUP" > /dev/null 2>&1 ; then
	    addgroup --system "$TOMCAT8_GROUP" --quiet
	fi
	if ! id $TOMCAT8_USER > /dev/null 2>&1 ; then
	    adduser --system --home /var/lib/tomcat8 --no-create-home \
		--ingroup "$TOMCAT8_GROUP" --disabled-password --shell /bin/false \
		"$TOMCAT8_USER"
	fi
	chown -R $TOMCAT8_USER:adm /var/log/tomcat8 /var/cache/tomcat8
	chmod 750 /var/log/tomcat8 /var/cache/tomcat8

	# populate /etc/logrotate.d/tomcat8
	tmpfile=`mktemp /tmp/tomcat8.XXXXXXXXXX`
	chmod 644 $tmpfile
	cat $LR_TEMPLATE | sed "s%create 640 tomcat8 adm%create 640 $TOMCAT8_USER adm%" >> $tmpfile
	ucf --debconf-ok --sum-file /usr/share/tomcat8/logrotate.md5sum $tmpfile $LR_CONFFILE
	rm -f $tmpfile

	# configuration files should not be modifiable by tomcat8 user, as this can be a security issue
	# (an attacker may insert code in a webapp and have access to all tomcat configuration)
	# but those files should be readable by tomcat8, so we set the group to tomcat8
	for i in tomcat-users.xml web.xml server.xml logging.properties context.xml catalina.properties jaspic-providers.xml;
	do
		if [ -f "/etc/tomcat8/$i" ]; then
			chown root:$TOMCAT8_GROUP /etc/tomcat8/$i
			chmod 640 /etc/tomcat8/$i
		fi
	done
	# configuration policy files should not be modifiable by the tomcat8 user. Only
	# diverge from default permissions for known Debian files
	chown root:$TOMCAT8_GROUP /etc/tomcat8/policy.d
	for i in 01system.policy 02debian.policy 03catalina.policy 04webapps.policy 50local.policy;
	do
		if [ -f "/etc/tomcat8/policy.d/$i" ]; then
			chown root:$TOMCAT8_GROUP /etc/tomcat8/policy.d/$i
			chmod 640 /etc/tomcat8/policy.d/$i
		fi
	done
	chown -Rh root:$TOMCAT8_GROUP /etc/tomcat8/Catalina

	chown -Rh $TOMCAT8_USER:$TOMCAT8_GROUP /var/lib/tomcat8/webapps /var/lib/tomcat8/lib
	chmod 775 /var/lib/tomcat8/webapps
	chmod 775 /etc/tomcat8/Catalina

	# Authorize user tomcat8 to open privileged ports via authbind.
	TOMCAT_UID="`id -u $TOMCAT8_USER`"
	if [ ! -f "/etc/authbind/byuid/$TOMCAT_UID" ]; then
		if [ ! -d "/etc/authbind/byuid" ]; then
			mkdir -p /etc/authbind/byuid
			chmod 755 /etc/authbind
			chmod 755 /etc/authbind/byuid
		fi
		echo '0.0.0.0/0:1,1023' >/etc/authbind/byuid/$TOMCAT_UID
		echo '::/0,1-1023' >>/etc/authbind/byuid/$TOMCAT_UID
		chown $TOMCAT8_USER:$TOMCAT8_GROUP /etc/authbind/byuid/$TOMCAT_UID
		chmod 700 /etc/authbind/byuid/$TOMCAT_UID
	fi
    ;;
esac

if [ ! -d /var/lib/tomcat8/webapps/ROOT ]; then
    cp -r /usr/share/tomcat8-root/default_root /var/lib/tomcat8/webapps/ROOT
fi

# Automatically added by dh_installinit/11.1.6ubuntu1
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
	if [ -x "/etc/init.d/tomcat8" ]; then
		update-rc.d tomcat8 defaults >/dev/null
		if [ -n "$2" ]; then
			_dh_action=restart
		else
			_dh_action=start
		fi
		invoke-rc.d tomcat8 $_dh_action || exit 1
	fi
fi
# End automatically added section