Bug#1039974: tomcat10: tomcat user has wrong home "/var/lib/tomcat" directory in /etc/passwd

Jens Reyer jre.winesim at gmail.com
Sun Sep 29 15:09:13 BST 2024


Control: tags -1 - moreinfo
Control: found -1 10.1.30-1


Hi all, hi Markus,

I'm not the bug reporter, but jumping in anyway.


On 01 Jul 2023, Markus Koschany wrote:
 > There is a difference between the operating system user and
 > home directory and the applications' home directory.
[...]
 > You have to tell your tomcat applications explicitly if they
 > can write or read certain file system directories. See
 > /usr/share/doc/tomcat10/README.Debian for more information.
 > By default Debian's tomcat package is meant to be secure. It
 > is the task of the system administrator to configure tomcat
 > correctly.

Indeed this should solve my problem (see below). Thanks!


But anyway:

 > See Debian bug https://bugs.debian.org/926338 for reference.

In this bug report a reason (ssh keys for Jenkins) was found to move the 
tomcat user's home from / to /var/lib/tomcat.  Since this directory does 
not exist, while /var/lib/tomcat10 does, this looks like a packaging 
error at first glance.

I suggest additionally creating /var/lib/tomcat and maybe putting a README 
in that directory with something like:

~~~~
This is the home directory of the tomcat system user.  You may use it 
for permanent configuration like e.g. an ssh key.

Deploy your apps in the versioned directory /var/lib/tomcat10/.

If you place them somewhere else make sure they have read and write 
access. See /usr/share/doc/tomcat10/README.Debian for more information.
~~~~


This would help tomcat newbies like me.  Just as background info: I 
configured some other path for an application which then failed to 
start.  In the journal I found error messages like: "HSEARCH600015: 
Unable to initialize index directory: /my/configured/path/lucene_index: 
Das Dateisystem ist nur lesbar [The filesystem is read-only]".  After 
verifying that the tomcat user could write there I noticed the (for me 
misleading) /etc/passwd entry.  While I already assumed some sandboxing 
issue as the root cause, I still investigated the non-existent home directory 
and luckily found your comment here.

Thanks and big greets!
jre


