How to allow Tomcat war app to write in folder

Solution 1:

Let's start with: chmod 777 is great for testing, but absolutely unfit for the real world and you shouldn't get used to this setting. Rather set the owner/group correctly, before you give world write permissions.

Edit: A similar question just came up on the Tomcat mailing list, and Emmanuel Bourg pointed out that Debian Tomcat is sandboxed by systemd. Read your /usr/share/doc/tomcat9/README.Debian which contains this paragraph:

Tomcat is sandboxed by systemd and only has write access to the following directories:

  • /var/lib/tomcat9/conf/Catalina (actually /etc/tomcat9/Catalina)
  • /var/lib/tomcat9/logs (actually /var/log/tomcat9)
  • /var/lib/tomcat9/webapps
  • /var/lib/tomcat9/work (actually /var/cache/tomcat9)

    If write access to other directories is required the service settings have to be overridden. This is done by creating an override.conf file in /etc/systemd/system/tomcat9.service.d/ containing:

[Service]

ReadWritePaths=/path/to/the/directory/

The service has to be restarted afterward with:

  systemctl daemon-reload
  systemctl restart tomcat9

End of edit, continuing with the passage that didn't solve OP's problem, but should stay in:

If - all things tested - Tomcat should have write access to that directory, but doesn't have it, the error message points me to an assumption: Could it be that

  • Tomcat is running as root?
  • The directory is mounted through NFS?

The default configuration for NFS is that root has no permissions whatsoever on that external filesystem (or was it no write-permission? this is ancient historical memory - look up "NFS root squash" to get the full story)

If this is a condition that matches what you are running, you should stop running Tomcat as root, and rather run it as an unprivileged user. Then you can set the permissions on the directory in question to be writeable by your tomcat-user, and readable by nginx, and you're done.

Running Tomcat as root is a recipe for disaster: You don't want a process that's available from the internet to run as root.

If these conditions don't meet your configuration: Elaborate on the configuration. I'd still stand by this description for others who might find this question/answer later.