Permission denied while deploying Tomcat 8 webapp on Amazon EC2
I can't find how I can get write and read permission into the tomcat folder.
I followed DigitalOcean's tutorial on setting up Tomcat. The only thing I did differently is that I used Java 8 instead of 7, but I don't think that this is causing the issue.
When I log into the tomcat web application manager and upload the war I get the following error:
FAIL - Deploy Upload Failed, Exception: java.io.FileNotFoundException: /opt/tomcat/webapps/SimpleServlet.war (Permission denied)
When I use Filezilla to connect to EC2 and I want to drop the file into webapps folder:
Error: /opt/tomcat/webapps/SimpleServlet.war: open for write: permission denied
Error: File transfer failed
The output of ls -la /opt/tomcat/webapps is:
total 28
drwxr-xr-x 7 root root 4096 Nov 20 09:19 .
drwxr-xr-x 9 root root 4096 Nov 28 16:34 ..
drwxr-xr-x 14 root root 4096 Nov 28 16:34 docs
drwxr-xr-x 6 root root 4096 Nov 28 16:34 examples
drwxr-xr-x 5 root root 4096 Nov 28 16:34 host-manager
drwxr-xr-x 5 root root 4096 Nov 28 16:34 manager
drwxr-xr-x 3 root root 4096 Nov 28 16:34 ROOT
but this is the folder structure that can be seen in FileZilla
On the tutorial I followed this step:
Then create a new tomcat user. We'll make this user a member of the tomcat group, with a home directory of /opt/tomcat (where we will install Tomcat), and with a shell of /bin/false (so nobody can log into the account):
sudo useradd -s /bin/false -g tomcat -d /opt/tomcat tomcat
Could this be the problem?
/opt/tomcat is declared to be the home directory of the tomcat user, but belongs to the root user (with the tomcat user not having write permissions).
Scrubbing the tutorial, especially the permissions section, I have mixed feelings towards the quality of the tutorial. It speaks about "giv[ing] the tomcat user write access to the conf directory" while changing the folder's permissions. Not having write permissions for the web application server's user to the software being run seems reasonable for production use (an attacker exploiting the tomcat process will not be able to modify software), but this will also prevent you from deploying applications from within the tomcat web application manager.
I'd go for setting up tomcat as the webapps group:
chgrp -R tomcat /opt/tomcat/webapps
and when you need to deploy new applications, add write permissions for that group:
chmod -R g+w /opt/tomcat/webapps
which you remove again after deployment:
chmod -R g-w /opt/tomcat/webapps
(you will need to run those commands with super user privileges, so prefix sudo as needed). This would also fit the Tomcat Security Considerations HowTo.
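The grant/revoke sequence from the answer above, wrapped so that group write is removed again even when the deployment fails or is interrupted. This is an added example, not part of the original answer; deploy_window and writable_entries are hypothetical names, and the final check for world-writable entries goes slightly beyond the answer's g-w step.

```shell
#!/bin/sh
# Added example (not from the answer); function names are hypothetical.

# Print every non-symlink entry under $1 that is group- or world-writable.
writable_entries() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print
}

# deploy_window DIR COMMAND [ARGS...]
# Grant group write on DIR, run COMMAND, then revoke group write again,
# even when COMMAND fails or the script is interrupted.
deploy_window() {
    dir=$1
    shift
    status=0
    (
        # Runs whenever this subshell exits, whatever the reason.
        trap 'chmod -R g-w "$dir"' EXIT
        # Turn Ctrl-C / kill into a normal exit so the EXIT trap fires.
        trap 'exit 130' INT TERM
        chmod -R g+w "$dir" || exit 1
        "$@"
    ) || status=$?

    # Verify the window is really closed before reporting success.
    leftover=$(writable_entries "$dir")
    if [ -n "$leftover" ]; then
        printf 'still writable after deployment:\n%s\n' "$leftover" >&2
        return 2
    fi
    return "$status"
}
```

Run it with super user privileges against /opt/tomcat/webapps after the chgrp shown in the answer; COMMAND is whatever performs the deployment and should not return before the deployment has finished.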