Bug#994440: jetty9 systemd unit too strict for normal use
Markus Koschany
apo at debian.org
Mon Oct 18 09:40:46 BST 2021
Hello,
thanks for the report.
On Thu, 16 Sep 2021 08:17:29 +0200 Martin van Es <martin at mrvanes.com> wrote:
> Package: jetty9
> Version: 9.4.16-0+deb10u1
> Severity: important
>
> On a default jetty9 install, the systemd unit file restricts read/write
> operations to /var/lib/jetty9/ using the systemd ProtectSystem and
> ReadWritePaths options.
>
> The complaint is that this is way too strict for normal operation and daily
> use of jetty. E.g. when roughly following the installation instructions for a
> popular SAML IdP Shibboleth [1] the default installation directory is /opt/
> shibboleth-idp, called idp.home. The default logfiles and metadata directory
> are %{idp.home}/logs and %{idp.home}/metadata, which prevents Shibboleth from
> correctly logging messages and saving metadata after start.
>
> Especially not being able to log to ${idp.home}/log made debugging this
> problem extremely hard and time consuming. The solution/work-around was to
> create an override unit for jetty9 that disables ProtectSystem(=no) and
> ReadWritePaths(=)
>
> Please reconsider the ProtectSystem option in jetty9's systemd unit file.
>
> Best regards,
> Martin
The security settings are intentional and compatible with other Debian system
packages. Web applications should be installed into /var/lib/jetty9/webapps. If
your use case requires read or write access to different paths then you can
create an override.conf file in /etc/systemd/system/jetty9.service.d/
containing:
[Service]
ReadWritePaths=/path/to/the/directory/
This is the recommended way to override systemd settings. We do not intend to
diverge from the default security settings because these prevent possible
exploits and as yet undiscovered security vulnerabilities. I have clarified the
override mechanism in README.Debian and I am going to close this bug report
now.
Regards,
Markus
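One way to produce the drop-in described above, as an added example that is not part of this thread or of the jetty9 package: a POSIX sh helper that writes an override.conf granting write access to specific extra directories while leaving the unit's own ProtectSystem and ReadWritePaths settings in force. The unit-directory argument, the "-" prefix and the refusal list for system paths are my choices, not anything the package ships.

```shell
#!/bin/sh
# Added example: generate a systemd drop-in that widens jetty9's writable
# paths by the minimum needed, instead of disabling ProtectSystem outright.
# Assumes a Debian jetty9 unit that already sets ProtectSystem= and
# ReadWritePaths=/var/lib/jetty9 (assumption; check the installed unit).
set -e

# Print drop-in content for the given absolute directories.
# ReadWritePaths= is a list setting: a drop-in ADDS to the unit's own list,
# so /var/lib/jetty9 stays writable; only an empty "ReadWritePaths=" resets it.
# The leading '-' tells systemd to ignore a path that does not exist at start.
jetty9_override_content() {
    printf '[Service]\n'
    for dir in "$@"; do
        case "$dir" in
            /*) ;;
            *)  echo "error: '$dir' is not an absolute path" >&2; return 1 ;;
        esac
        # Refuse to punch holes into the read-only system tree itself.
        case "$dir" in
            /|/etc|/etc/*|/usr|/usr/*|/boot|/boot/*)
                echo "error: refusing to make system path '$dir' writable" >&2
                return 1 ;;
        esac
        printf 'ReadWritePaths=-%s\n' "$dir"
    done
}

# Write the drop-in into the given unit directory and print its path.
# Afterwards run: systemctl daemon-reload && systemctl restart jetty9
# and confirm with: systemctl show jetty9 -p ReadWritePaths
write_jetty9_override() {
    unit_dir="${1:?unit drop-in directory, e.g. /etc/systemd/system/jetty9.service.d}"
    shift
    mkdir -p "$unit_dir"
    jetty9_override_content "$@" > "$unit_dir/override.conf"
    echo "$unit_dir/override.conf"
}

# Demo for the Shibboleth IdP layout from the report (idp.home=/opt/shibboleth-idp):
jetty9_override_content /opt/shibboleth-idp/logs /opt/shibboleth-idp/metadata
```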