[jira] [Created] (DAEMON-217) Tomcat 6 and 7 Won't Start Due to Permissions Issue


[jira] [Created] (DAEMON-217) Tomcat 6 and 7 Won't Start Due to Permissions Issue

ASF GitHub Bot (Jira)
Tomcat 6 and 7 Won't Start Due to Permissions Issue
---------------------------------------------------

                 Key: DAEMON-217
                 URL: https://issues.apache.org/jira/browse/DAEMON-217
             Project: Commons Daemon
          Issue Type: Bug
          Components: Jsvc
    Affects Versions: 1.0.7
         Environment: Arch Linux x86-32
            Reporter: Aimelyne Mochiron
            Priority: Blocker


I upgraded java-jsvc to the next version available from Arch (1.0.7) as part of a routine box-wide upgrade. From that point, Tomcat started complaining that it didn't have the right permissions to read either manager.xml or host-manager.xml, under /etc/tomcat6/Catalina/localhost/. Perms look OK though: Catalina's mode is 0755 for tomcat:tomcat, so is localhost's; manager.xml and host-manager.xml, under localhost, are both 0644 for tomcat:tomcat. /etc/tomcat6/ is set to mode 0770 for root:root, which was the case previously as well. Nothing appears to have changed on that front as part of the upgrade.
Tomcat failed to deploy the web application directory host-manager (dixit catalina.err), and as a result I couldn't access the manager app anymore (got a 404 error page telling me the requested resource wasn't available).
Downgrading java-jsvc to the last known working version (1.0.6) solved the issue.

The issue also affects Tomcat 7. Please see the link below to my post on Arch's forums for greater detail, incl. a dump of catalina.err and a corroborating post from another Arch user.

https://bbs.archlinux.org/viewtopic.php?id=125943

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


[jira] [Commented] (DAEMON-217) Tomcat 6 and 7 Won't Start Due to Permissions Issue

ASF GitHub Bot (Jira)

    [ https://issues.apache.org/jira/browse/DAEMON-217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13102951#comment-13102951 ]

Mladen Turk commented on DAEMON-217:
------------------------------------

With 1.0.7 we fixed a security issue (CVE-2011-2729).
As you can see, the fix works :)

I suppose your jsvc is linked to libcap, so that's the
reason. Previous versions wrongly left the jvm
with the elevated capabilities, which is a security issue
and allows it to write to the place where the -user (tomcat)
shouldn't. You can easily check that by running
catalina.sh directly as the tomcat user (without jsvc).
It will fail at the same place.



[jira] [Commented] (DAEMON-217) Tomcat 6 and 7 Won't Start Due to Permissions Issue

ASF GitHub Bot (Jira)

    [ https://issues.apache.org/jira/browse/DAEMON-217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13103429#comment-13103429 ]

Aimelyne Mochiron commented on DAEMON-217:
------------------------------------------

Thanks for your post. jsvc in Arch is linked against libcap indeed; running 'ldd /usr/bin/jsvc' returns:

        linux-gate.so.1 =>  (0xb7839000)
        libdl.so.2 => /lib/libdl.so.2 (0xb781f000)
        libpthread.so.0 => /lib/libpthread.so.0 (0xb7804000)
        libcap.so.2 => /lib/libcap.so.2 (0xb77ff000)
        libc.so.6 => /lib/libc.so.6 (0xb7696000)
        /lib/ld-linux.so.2 (0xb783a000)
        libattr.so.1 => /lib/libattr.so.1 (0xb7690000)

As for running catalina.sh as user tomcat, it fails more completely than using Arch's startup script (which uses jsvc): Tomcat doesn't start at all.


[jira] [Resolved] (DAEMON-217) Tomcat 6 and 7 Won't Start Due to Permissions Issue

ASF GitHub Bot (Jira)

     [ https://issues.apache.org/jira/browse/DAEMON-217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mladen Turk resolved DAEMON-217.
--------------------------------

    Resolution: Not A Problem

Closing the issue, although users can expect this kind of behaviour to happen. With recent security fixes jsvc doesn't grant the jvm extra file capabilities any more. Users must ensure that -user has enough privileges to create/read files.

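Added example, not part of the thread or of Commons Daemon: a path walk that applies the plain Unix mode-bit check a process without capabilities gets, to find the first component that denies the `-user` access to `manager.xml`. The modes and owners under `/etc/tomcat6` are the ones quoted in the report; uid/gid 91 for tomcat, the modes of `/` and `/etc`, and the `root:tomcat 0750` adjustment are assumptions made for illustration.

```python
import os
from pathlib import PurePosixPath
from types import SimpleNamespace

def dac_allows(st, uid, gids, want):
    """Mode-bit check for a process holding no capabilities (ACLs ignored).
    want is 4 (read), 2 (write) or 1 (execute / directory search)."""
    if uid == st.st_uid:
        shift = 6              # owner class applies, even if others get more
    elif st.st_gid in gids:
        shift = 3              # group class
    else:
        shift = 0              # other class
    return bool((st.st_mode >> shift) & want)

def first_denial(path, uid, gids, stat_fn=os.stat):
    """Return (component, 'search' | 'read') for the first failing check when
    uid/gids opens path for reading, or None if every check passes."""
    target = PurePosixPath(path)
    for directory in reversed(target.parents):     # "/", "/etc", ...
        if not dac_allows(stat_fn(str(directory)), uid, gids, 1):
            return (str(directory), "search")
    if not dac_allows(stat_fn(str(target)), uid, gids, 4):
        return (str(target), "read")
    return None

# Constructed stand-in for the reporter's filesystem (see assumptions above).
ROOT, TOMCAT = 0, 91
def _st(mode, uid, gid):
    return SimpleNamespace(st_mode=mode, st_uid=uid, st_gid=gid)

MANAGER = "/etc/tomcat6/Catalina/localhost/manager.xml"
REPORTED = {
    "/": _st(0o755, ROOT, ROOT),
    "/etc": _st(0o755, ROOT, ROOT),
    "/etc/tomcat6": _st(0o770, ROOT, ROOT),        # root:root 0770
    "/etc/tomcat6/Catalina": _st(0o755, TOMCAT, TOMCAT),
    "/etc/tomcat6/Catalina/localhost": _st(0o755, TOMCAT, TOMCAT),
    MANAGER: _st(0o644, TOMCAT, TOMCAT),
}
# Hypothetical adjustment: give the tomcat group search access to the parent.
ADJUSTED = dict(REPORTED, **{"/etc/tomcat6": _st(0o750, ROOT, TOMCAT)})

def check(table, uid=TOMCAT, gids=(TOMCAT,)):
    return first_denial(MANAGER, uid, gids, stat_fn=table.__getitem__)

if __name__ == "__main__":
    print("as reported:", check(REPORTED))
    print("adjusted:   ", check(ADJUSTED))
```

Called with the default `stat_fn=os.stat` and a real uid and group list, `first_denial` runs the same walk against a live filesystem.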