libtomcat9-java and tomcat9-common 9.0.31-1ubuntu0.2 causes read-only file system for Tomcat
Bug #1967564 reported by wiseley
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tomcat9 (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
After an Ubuntu unattended upgrade installed these two package updates, Tomcat cannot write to disk at all. The service can't write its logs, and the application running can't create /tmp files after this update.
Clarification on this after further research. It appears that after this update, the tomcat9 service is no longer honoring the sandbox settings in the systemd script. The service can write to the default folders like /var/log/tomcat9, but not to the custom folders I've specified in the systemd script as follows:
# Security
User=tomcat
Group=tomcat
PrivateTmp=yes
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
CacheDirectory=tomcat9
CacheDirectoryMode=750
ProtectSystem=strict
ReadWritePaths=/etc/tomcat9/Catalina/
ReadWritePaths=/var/lib/tomcat9/webapps/
ReadWritePaths=/var/log/tomcat9/
ReadWritePaths=/custom/path/here/
Tomcat is not given access to the /custom/path/here path. Also, changing ProtectSystem=strict to ProtectSystem=false has no effect. This setup was working before the update and hasn't changed for a fairly long time.
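The settings quoted in the comment above are systemd sandboxing directives, and what Tomcat can actually write depends on how systemd merges every fragment it loads for the unit (the package's tomcat9.service plus any tomcat9.service.d/*.conf drop-ins). The following is an added example, not code from the bug report or from the tomcat9 package: a small model of that merge and of the resulting writability under ProtectSystem=strict. The [Service] lines are reconstructed from the comment; the drop-in file and its contents are assumed for illustration. The model ignores ReadOnlyPaths=/InaccessiblePaths= ordering and Unix file permissions, so it is an approximation of the mount-namespace rules, not a replacement for checking the live unit.

```python
"""Model how systemd merges a unit's sandbox settings and what ends up writable.

On a real host the equivalent checks are:
    systemctl cat tomcat9.service                       # every fragment actually loaded
    systemctl show -p ProtectSystem -p ReadWritePaths tomcat9.service
Both reflect the loaded state, so run `systemctl daemon-reload` after editing.
"""
from typing import Any, Dict, List, Tuple

# Reconstructed from the bug comment: the package-shipped unit fragment.
PACKAGE_UNIT = """\
[Unit]
Description=Apache Tomcat 9 Web Application Server

[Service]
# Security
User=tomcat
Group=tomcat
PrivateTmp=yes
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
CacheDirectory=tomcat9
CacheDirectoryMode=750
ProtectSystem=strict
ReadWritePaths=/etc/tomcat9/Catalina/
ReadWritePaths=/var/lib/tomcat9/webapps/
ReadWritePaths=/var/log/tomcat9/
"""

# Constructed drop-in (assumed path: /etc/systemd/system/tomcat9.service.d/override.conf).
# Drop-ins are loaded after the main fragment, so list settings here extend it.
DROPIN = """\
[Service]
ReadWritePaths=/custom/path/here/
"""

# Settings whose assignments accumulate; assigning an empty value resets the list.
LIST_SETTINGS = {"ReadWritePaths", "ReadOnlyPaths", "InaccessiblePaths"}

# API filesystems that stay writable under ProtectSystem=strict.
API_FS = ("/dev/", "/proc/", "/sys/")


def parse_section(text: str, section: str = "Service") -> List[Tuple[str, str]]:
    """Return (key, value) pairs of one section in file order, skipping comments."""
    pairs: List[Tuple[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current == section and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs


def merge(fragments: List[str]) -> Dict[str, Any]:
    """Apply fragments in load order: main unit first, then drop-ins sorted by name.

    Scalar settings (ProtectSystem=, PrivateTmp=, ...) follow last-assignment-wins;
    list settings append, and an empty assignment clears what came before.
    """
    settings: Dict[str, Any] = {}
    for text in fragments:
        for key, value in parse_section(text):
            if key in LIST_SETTINGS:
                if value == "":
                    settings[key] = []
                else:
                    settings.setdefault(key, []).extend(value.split())
            else:
                settings[key] = value
    return settings


def _under(path: str, prefix: str) -> bool:
    """True if path is prefix itself or lies below it (component-wise)."""
    return (path.rstrip("/") + "/").startswith(prefix.rstrip("/") + "/")


def writable(settings: Dict[str, Any], path: str) -> bool:
    """Approximate: can the service's mount namespace write to `path`?"""
    if settings.get("PrivateTmp", "no") in ("yes", "true") and (
        _under(path, "/tmp") or _under(path, "/var/tmp")
    ):
        return True  # private, writable /tmp and /var/tmp
    if any(_under(path, p) for p in API_FS):
        return True
    rw = list(settings.get("ReadWritePaths", []))
    if settings.get("CacheDirectory"):
        rw.append("/var/cache/" + settings["CacheDirectory"])  # implicitly writable
    if any(_under(path, p) for p in rw):
        return True
    mode = settings.get("ProtectSystem", "false")
    if mode in ("false", "no"):
        return True
    if mode == "strict":
        return False  # everything else is read-only
    protected = ["/usr", "/boot", "/efi"]  # ProtectSystem=true/yes
    if mode == "full":
        protected.append("/etc")
    return not any(_under(path, p) for p in protected)


if __name__ == "__main__":
    for label, frags in (("package unit only", [PACKAGE_UNIT]),
                         ("package unit + drop-in", [PACKAGE_UNIT, DROPIN])):
        s = merge(frags)
        print(label, "->", "/custom/path/here writable:",
              writable(s, "/custom/path/here/data.bin"))
```

One practical consequence of the merge rules: a ReadWritePaths= line that lives only in the file under /lib/systemd/system is gone as soon as the package ships a new copy of that file, whereas the same line in a drop-in under /etc/systemd/system/tomcat9.service.d/ survives upgrades. Whether that is what happened in this report is not established above; `systemctl cat tomcat9.service` is the quickest way to tell which fragments are in effect.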