10
votes

I have a development machine I'd installed Tomcat on previously, and just run it as the same user who was doing dev work. I dropped a symbolic link in $CATALINA_HOME/webapps to the directory I built the WAR to, and every time I updated the build tomcat followed the symlink and extracted the new WAR. Never any problems.

But in preparation for moving it to a production machine I created a new user with restricted permissions and set tomcat up to run as that user, as you do for security reasons.

Now tomcat doesn't follow the symlink anymore, even when I give its user ownership of the WAR file and set permissions to 777. I'm not seeing anything come up in catalina.out or the daily log about what's going on, either.

It's just one more step to the test cycle to copy the WAR over, so this isn't too crucial, but I'm still curious as to what's going on.

Permissions on the webapps directory:

drwxr-xr-x 3 tomcat tomcat  4096 Dec 11 14:34 webapps

Permissions on the directory I'm building to:

drwxrwxr-x 11 tomcat   tomcat   4096 Dec 11 14:34 target

Permissions on the WAR file maven produces:

-rw-rw-r-- 1 tomcat tomcat 16822856 Dec 11 14:34 [webapp].war

Permissions on the symlink I create to it:

lrwxrwxrwx 1 tomcat tomcat 60 Dec 11 17:33 [webapp].war -> [webapp directory]/[webapp].war
2
What are the permissions in webapps folder? – Italo Borssatto
drwxr-xr-x 3 tomcat tomcat 4096 Dec 11 12:30 webapps -- so 755 – Glazius
It's clear that is a permission problem. Can you give more details about the permissions in the folders (work, your symlink, bin, conf, etc.) and the user group of the user created? – Italo Borssatto
Right, those are added. My dev account is actually alright to mess around with files owned by the tomcat user/group. Do you need more information? Is there somewhere I can look for a diagnostic of what's going wrong? – Glazius
Does $CATALINA_HOME/logs/catalina.log give some hint? Does Tomcat try to deploy the war? – Patrick

2 Answers

7
votes

I suspect the tomcat user does not have traversal permissions on one of the nested folders containing the real WAR file. As you said, he has permission on tomcat folders so he can start Tomcat and he can see that the symlink exists.

Maybe your build process creates the WAR file inside a private folder, let's say the home folder of the user glazius, and this prevents tomcat user from reading the file even if the file has the correct permissions attached.

You can easily use:

ls -Cf

inside your webapps folder to check the symlink color: if it's red tomcat user can't reach the file, if it's blue it should already work without any problems.

If it's red, ensure every folder on the way to your WAR file has the traversal (x) permission for the other group. If for example the path is /home/glazius/workspace/target/webapp.war, execute these commands:

chmod o+x /home/glazius
chmod o+x /home/glazius/workspace
chmod o+x /home/glazius/workspace/target
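
The answer above attributes the failure to a missing traversal (x) bit somewhere on the path to the real WAR file. As an added example (not part of the original answer), this shell function lists which directories on the symlink's resolved path lack the "other" execute bit, so only those need changing; the function name is hypothetical and it assumes the tomcat user is neither owner nor group member of those directories.

```shell
#!/bin/sh
# Added example: find the directories that stop a service account from
# reaching the real file behind a symlink.
# Assumption: the account is neither the owner nor in the group of these
# directories, so only the "other" permission bits apply to it.

# blocked_dirs PATH
# Resolves PATH (following symlinks) and prints, top-down, every ancestor
# directory whose mode has no x (or t) in the "other" execute position.
blocked_dirs() {
    target=$(readlink -f -- "$1") || return 2
    dir=$(dirname -- "$target")
    chain=
    # Collect ancestors from the target's directory up to /.
    # Prepending each one leaves the list ordered from / downwards.
    while :; do
        chain="$dir
$chain"
        [ "$dir" = "/" ] && break
        dir=$(dirname -- "$dir")
    done
    printf '%s' "$chain" | while IFS= read -r d; do
        # Character 10 of the ls mode string is the "other" execute bit:
        # x or t means traversable, - or T means not.
        other_x=$(ls -ld -- "$d" | cut -c10)
        case "$other_x" in
            x|t) ;;
            *) printf '%s\n' "$d" ;;
        esac
    done
}

# Stand-alone use: pass the symlink path as the first argument.
if [ "$#" -gt 0 ]; then
    blocked_dirs "$1"
fi
```

Empty output means every directory on the path is traversable by "other"; each printed directory is a candidate for `chmod o+x`, which grants traversal without making the directory's contents listable.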
1
votes

Give the new user write permission on $CATALINA_HOME/work.