Bug 58616 - Permissions Problem Prevents Tomcat 5.0.27 From Starting
Summary: Permissions Problem Prevents Tomcat 5.0.27 From Starting
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: x86 Linux
Importance: High normal
Assignee: Thomas Matthijs (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-07-27 20:11 UTC by Derek Berube
Modified: 2004-08-08 01:55 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Output of emerge -d tomcat (tomcat-5.0.27-r2-emerge.log.gz,10.89 KB, application/octet-stream)
2004-08-06 05:20 UTC, Derek Berube
5.0.27-r3 to r4 diff (tomcat-5.0.27-r3.diff,913 bytes, patch)
2004-08-06 09:34 UTC, Ylosar Goer
5.0.27-r3 to r4 diff (tomcat-5.0.27-r3.diff,893 bytes, patch)
2004-08-06 09:48 UTC, Ylosar Goer

Description Derek Berube 2004-07-27 20:11:09 UTC
The /opt/tomcat5, /var/log/tomcat5, and /etc/tomcat5 directories are all owned by root.  This prevents tomcat from starting.

I also had to update the home directory for the tomcat user from /opt/tomcat to /opt/tomcat5.

Reproducible: Always
Steps to Reproduce:
1. Executed the /etc/init.d/tomcat start command.

Actual Results:  
When I attempt to start tomcat with the following command: /etc/init.d/tomcat5
start, I get the following error:

wildstar root # /etc/init.d/tomcat5 start
 * Starting Tomcat...
Unable to cd to "/opt/tomcat5"

I executed the following commands:

wildstar root # chown -R tomcat /opt/tomcat5
wildstar root # chgrp -R tomcat /opt/tomcat5

Then tried to start tomcat again.

wildstar root # /etc/init.d/tomcat5 start
 * Starting Tomcat...
Using CATALINA_BASE:   /opt/tomcat5
Using CATALINA_HOME:   /opt/tomcat5
Using CATALINA_TMPDIR: /opt/tomcat5/temp
Using JAVA_HOME:       /opt/sun-jdk-1.4.2.05
touch: cannot touch `/opt/tomcat5/logs/catalina.out': Permission denied
/opt/tomcat5/bin/catalina.sh: line 225: /opt/tomcat5/logs/catalina.out: Permission denied

I executed the following commands:

wildstar root # chown -R tomcat /var/log/tomcat5
wildstar root # chgrp -R tomcat /var/log/tomcat5

I tried to start tomcat again, but this time got a message that it was already
started.

wildstar root # chown -R tomcat /var/log/tomcat5
wildstar root # chgrp -R tomcat /var/log/tomcat5
wildstar root # /etc/init.d/tomcat5 start
 * WARNING:  "tomcat5" has already been started.
wildstar root # 

I stopped tomcat and got the following error:

wildstar root # /etc/init.d/tomcat5 stop
 * Stopping Tomcat...
Using CATALINA_BASE:   /opt/tomcat5
Using CATALINA_HOME:   /opt/tomcat5
Using CATALINA_TMPDIR: /opt/tomcat5/temp
Using JAVA_HOME:       /opt/sun-jdk-1.4.2.05
Catalina.stop: java.io.FileNotFoundException: /opt/tomcat5/conf/server.xml (Permission denied)
java.io.FileNotFoundException: /opt/tomcat5/conf/server.xml (Permission denied)
        at java.io.FileInputStream.open(Native Method)
        at java.io.FileInputStream.<init>(FileInputStream.java:106)
        at org.apache.catalina.startup.Catalina.stopServer(Catalina.java:396)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at org.apache.catalina.startup.Bootstrap.stopServer(Bootstrap.java:333)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:424)

I executed the following commands to change ownership of the /etc/tomcat5 directory.

wildstar root # chown -R tomcat /etc/tomcat5
wildstar root # chgrp -R tomcat /etc/tomcat5

After making these changes, I was able to start Tomcat without a problem.

Expected Results:  
Tomcat should have started without generating any permissions errors.

Portage 2.0.50-r9 (default-x86-1.4, gcc-3.3.4, glibc-2.3.4.20040619-r0,
2.6.7-gentoo-r11)
=================================================================
System uname: 2.6.7-gentoo-r11 i686 Intel(R) Pentium(R) 4 Mobile CPU 2.00GHz
Gentoo Base System version 1.5.1
Autoconf: sys-devel/autoconf-2.59-r4
Automake: sys-devel/automake-1.8.5-r1
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-O3 -mcpu=pentium4 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /etc/tomcat /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config
/usr/kde/3.1/share/config /usr/kde/3.2/share/config /usr/kde/3.3/share/config
/usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config
/var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O3 -mcpu=pentium4 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs buildpkg ccache sandbox"
GENTOO_MIRRORS="ftp://gentoo.mirrors.pair.com/
http://www.gtlib.cc.gatech.edu/pub/gentoo
ftp://ftp.gtlib.cc.gatech.edu/pub/gentoo http://gentoo.mirrors.pair.com/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/local/bmg-gnome-current
/usr/local/bmg-main"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X alsa apm arts avi berkdb bonobo cdr crypt cups dvd encode esd foomaticdb
gdbm gif gnome gpm gtk gtk2 gtkhtml guile imlib java jpeg kerberos krb4 libg++
libwww mad mikmod motif mozilla mpeg mysql ncurses nls oggvorbis opengl oss pam
pcmcia pdflib perl png python quicktime readline scanner sdl slang spell ssl
svga tcpd truetype x86 xml2 xmms xv zlib"
Comment 1 Thomas Matthijs (RETIRED) gentoo-dev 2004-07-28 02:41:40 UTC
First
/etc/init.d/tomcat is from the previous ebuild and was left behind by CONFIG_PROTECT please remove it (added a warning to the ebuild)
use /etc/init.d/tomcat5 to start it

i changed the way it is started, it should no longer need a valid homedir, unless i'm missing something, also changed the default homedir to /dev/null

this should fix most of your problems
i however cannot find why it didn't chown tomcat:tomcat your files
Comment 2 Derek Berube 2004-07-29 05:49:40 UTC
I changed the home directory for my tomcat user to /dev/null by modifying the /etc/passwd file.  When I try to start/stop tomcat (using the /etc/init.d/tomcat5 start/stop commands), I get the following error:

wildstar etc # /etc/init.d/tomcat5 stop
 * Stopping Tomcat...
Unable to cd to "/dev/null"                                               [ ok ]
wildstar etc # /etc/init.d/tomcat5 start
 * Starting Tomcat...
Unable to cd to "/dev/null"                                               [ !! ]

Tomcat doesn't start.
Comment 3 Thomas Matthijs (RETIRED) gentoo-dev 2004-07-29 06:11:20 UTC
did you emerge tomcat again?
i changed the init script without a revision bump
Comment 4 Thomas Matthijs (RETIRED) gentoo-dev 2004-07-29 06:23:34 UTC
bumped it
Comment 5 Derek Berube 2004-07-31 19:15:52 UTC
I removed tomcat (emerge -U net-www/tomcat) and then removed the following directories:

/etc/tomcat5
/opt/tomcat5
/var/log/tomcat5

I also removed the tomcat user account.

I then ran "emerge net-www/tomcat" which installed tomcat again.  Permissions are still a problem that prevents tomcat from starting.

After the latest emerge, the following directories 

/etc/tomcat5
/opt/tomcat5
/var/log/tomcat5

are all owned by root.  The following is the result of attempting to start tomcat.

wildstar opt # /etc/init.d/tomcat5 start
 * Starting Tomcat...
start-stop-daemon: Unable to start /opt/tomcat5/bin/catalina.sh: Permission denied

After issuing the following commands:

chown -R tomcat /opt/tomcat5 /etc/tomcat5 /var/log/tomcat5
chgrp -R tomcat /opt/tomcat5 /etc/tomcat5 /var/log/tomcat5

I am able to start and access the default tomcat root page without a problem.
Comment 6 Nicolas Laplante 2004-08-04 19:07:16 UTC
Same issue here.
Comment 7 Ylosar Goer 2004-08-05 23:14:15 UTC
I just did a fresh install of tomcat-5.0.27-r2, on a fresh system. Permissions seem to be fixed except for /etc/tomcat5.

Those files are still unreadable by tomcat because they belong to root:root and have 0600 perms.

I manually changed their ownership to root:tomcat and perms to 0660. /etc/tomcat5 itself needs to be updated as tomcat needs write access to it (tomcat-users.xml temp file, and admin webapp i presume).

Waiting for -r3 ;) (to see if it's the right way to fix it).
Comment 8 Derek Berube 2004-08-06 05:19:00 UTC
Hmmm I wonder what is going on with my machine.  I just installed the r2 version and the following directories

/opt/tomcat5
/var/log/tomcat5

are still owned by root.

Prior to emerging the r2 version of tomcat, I did the following:

emerge -C tomcat
rm -rf /opt/tomcat5
rm -rf /var/log/tomcat5
rm -rf /etc/tomcat5
rm /etc/conf.d/tomcat5

I then removed the tomcat user from /etc/passwd.

I emerged tomcat and the permissions still aren't set correctly, so I'm not seeing the same thing that Yoann is seeing with the r2 ebuild.
Comment 9 Derek Berube 2004-08-06 05:20:36 UTC
Created attachment 36882 [details]
Output of emerge -d tomcat

Attached is a copy of the stderr and stdout obtained while emerging tomcat.
Comment 10 Derek Berube 2004-08-06 05:34:47 UTC
I see lines 2343 and 2344 of the attached:

chown -R tomcat:tomcat /var/tmp/portage/tomcat-5.0.27-r2/image//opt/tomcat5
chown -R tomcat:tomcat /var/tmp/portage/tomcat-5.0.27-r2/image//var/log/tomcat5

I just don't see where those files are moved to their homes on the root file system.
Comment 11 Thomas Matthijs (RETIRED) gentoo-dev 2004-08-06 07:36:36 UTC
i believe this is fixed in
tomcat-3.3.2-r2
tomcat-4.1.30-r4
tomcat-5.0.27-r3
Comment 12 Ylosar Goer 2004-08-06 09:30:49 UTC
It is, at least in 5.0.27-r3. No more startup problem here.

But i think there is still a security problem : /etc/tomcat5/ and /etc/tomcat5/tomcat-users.xml are both world-readable.

The ebuild specifies 640 for this file, which is ok, but tomcat will recreate it at (every) startup... with 644 perms. So anybody with a valid account on the box is able to see those passwords, as soon as tomcat has ever been started up.

2 solutions here i think:
a. change umask for tomcat (not sure about that, must have side effects for webapps)
b. change /etc/tomcat5 to 660 or 600

Maybe i should have created a new bugzilla item for that, not sure. I'll do it if you want. Just tell me.

cosmetics: there is a chown against /usr/share/docs that fails when -doc is used.
Comment 13 Ylosar Goer 2004-08-06 09:34:16 UTC
Created attachment 36898 [details, diff]
5.0.27-r3 to r4 diff
Comment 14 Ylosar Goer 2004-08-06 09:48:25 UTC
Created attachment 36903 [details, diff]
5.0.27-r3 to r4 diff

Mmmmm, well that chown was failing even with +doc, and "use doc && chown..."
was wrong anyway, as there will be dodoc of READMEs even with -doc. So i change
the target of the chown ($PF instead of $TOMCAT_NAME)
Comment 15 Thomas Matthijs (RETIRED) gentoo-dev 2004-08-06 10:12:08 UTC
fixed the doc chown, thanks
Comment 16 Thomas Matthijs (RETIRED) gentoo-dev 2004-08-06 10:30:13 UTC
/etc/tomcat* is now 750 too
Comment 17 Thomas Matthijs (RETIRED) gentoo-dev 2004-08-08 01:55:46 UTC
Thanks for the report & follow ups, i believe everything is correct now, closing
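
Added example (not part of the bug thread or the ebuild): a shell sketch of the issue raised in Comment 12 and the directory-mode change from Comment 16. It runs in a temporary directory standing in for /etc/tomcat5; the function names and the write-then-rename behaviour of the daemon are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed demo in a temp dir; paths stand in for /etc/tomcat5.

# Octal permission bits of a path (GNU stat, falling back to BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Stand-in for a daemon that rewrites its config at startup: it writes a
# fresh file and renames it over the old one, so the resulting mode comes
# from the process umask, not from what the package installed.
rewrite_under_umask() {    # $1 = file, $2 = umask
    (
        umask "$2"
        printf '<tomcat-users/>\n' > "$1.new"
        mv -f "$1.new" "$1"
    )
}

# True if "other" users can read the file: needs other-read on the file
# and other-search on its directory (only the immediate parent is checked).
exposed_to_others() {      # $1 = file
    fm=$(mode_of "$1"); dm=$(mode_of "$(dirname "$1")")
    [ $(( 0$fm & 4 )) -ne 0 ] && [ $(( 0$dm & 1 )) -ne 0 ]
}

# Build the scenario, rewrite the file, echo "<file mode> <state>".
scenario() {               # $1 = directory mode, $2 = daemon umask
    root=$(mktemp -d) || return 1
    mkdir "$root/conf" && chmod "$1" "$root/conf"
    cfg="$root/conf/tomcat-users.xml"
    : > "$cfg" && chmod 640 "$cfg"      # mode the package installs
    rewrite_under_umask "$cfg" "$2"
    if exposed_to_others "$cfg"; then state=exposed; else state=protected; fi
    echo "$(mode_of "$cfg") $state"
    rm -rf "$root"
}

scenario 755 022    # the situation reported in Comment 12
scenario 755 027    # option a: tighter umask for the daemon
scenario 750 022    # directory closed to others, as in Comment 16
```

The third case shows why closing the directory is enough even though the rewritten file itself still ends up 644.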