Tomcat 9 – Fixing Permission Denied Errors for Application Logging

Tags: file-permissions, log-files, logging, permissions, tomcat9

I have a Java webapp that runs under Apache Tomcat on Ubuntu Linux. When I upgraded from Tomcat 8 to Tomcat 9, the application was no longer able to write log files to /var/log/myapp. I can't figure out why it doesn't have permission to log to this location.

My first thought was that the user changed. Tomcat 8 ran under the tomcat8:tomcat8 user. Tomcat 9 runs under the tomcat:tomcat user. I updated the directory with those permissions. Both the tomcat user and tomcat group have write permission.

I also checked the write and execute permissions of that directory. That directory has write and execute permissions, and all parent directories have execute permissions.

    /var/log/myapp/ drwxrwxr-x  tomcat tomcat
    /var/log        drwxrwxr-x  root syslog
    /var            drwxr-xr-x  root root
    /               drwxr-xr-x  root root

If I run the following code under my web application:

    // Run inside the web application; the result is rendered in the page.
    File logdir = new File("/var/log/myapp");
    setAttribute("debug",
        "<br>user: " + System.getProperty("user.name") +
        "<br>execute: " + logdir.canExecute() +
        "<br>read: " + logdir.canRead() +
        "<br>write: " + logdir.canWrite()
    );

it prints out that there is no write permission:

    user: tomcat
    execute: true
    read: true
    write: false

If I run similar code in a main method as the tomcat user:

    import java.io.File;

    public class PermCheck {
        public static void main(String[] args) {
            File logdir = new File("/var/log/myapp");
            System.out.println("\n user: " + System.getProperty("user.name") +
                "\n execute: " + logdir.canExecute() +
                "\n read: " + logdir.canRead() +
                "\n write: " + logdir.canWrite()
            );
        }
    }

it prints that it has write permission:

    user: tomcat
    execute: true
    read: true
    write: true

I've exhausted all the debugging that I know how to do. What is preventing my web application from writing to this directory under Tomcat 9? What do I need to do to fix it?

Best Answer

This is caused by new systemd sandboxing around tomcat 9 as part of Debian/Ubuntu. To solve the problem you need to tell systemd to allow read write access to additional directories for Tomcat.

    # Add a drop-in for the packaged unit instead of editing the unit file itself
    sudo mkdir -p /etc/systemd/system/tomcat9.service.d
    # Grant the sandboxed service write access under /var/log (echo -e needs bash)
    echo -e "[Service]\nReadWritePaths=/var/log/" | sudo tee /etc/systemd/system/tomcat9.service.d/logging-allow.conf
    # Reload the unit definitions and restart Tomcat so the override takes effect
    sudo systemctl daemon-reload
    sudo systemctl restart tomcat9

After making these changes, web apps can once again write to their own directories in /var/log.

Source: Debian Tomcat 9 release notes
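As an added example (not part of the answer above), a POSIX shell script that writes the same kind of drop-in for a single application log directory, which is narrower than the answer's /var/log/, and checks whether a given path falls under the drop-in's ReadWritePaths= entries. It assumes the Debian/Ubuntu unit name tomcat9.service and takes the drop-in root as a parameter so the functions can be tried in a scratch directory before touching /etc/systemd/system.

```shell
#!/bin/sh
# Added example, not from the original answer. Builds a systemd drop-in that
# grants Tomcat 9 write access to one application log directory and checks
# whether a path is covered by the drop-in's ReadWritePaths= entries.
# Assumes the Debian/Ubuntu unit name tomcat9.service (assumption); the
# drop-in root is a parameter so this can be exercised in a scratch directory.

# write_logging_dropin ROOT APPDIR
# Creates ROOT/tomcat9.service.d/logging-allow.conf granting write access to APPDIR.
write_logging_dropin() {
    dir="$1/tomcat9.service.d"
    mkdir -p "$dir"
    # printf is portable; "echo -e" is a bash extension.
    printf '[Service]\nReadWritePaths=%s\n' "$2" > "$dir/logging-allow.conf"
}

# dropin_allows_path ROOT PATH
# Returns 0 when PATH equals, or lies beneath, a ReadWritePaths= entry in the
# drop-in, 1 otherwise. This mirrors how systemd treats the listed paths as
# writable sub-trees while ProtectSystem= keeps the rest of /var read-only,
# which is why DAC permissions alone were not enough for the webapp.
dropin_allows_path() {
    conf="$1/tomcat9.service.d/logging-allow.conf"
    target="${2%/}"
    [ -r "$conf" ] || return 1
    # A value may list several space-separated paths, and the key may repeat.
    for p in $(sed -n 's/^ReadWritePaths=//p' "$conf"); do
        p="${p#-}"      # leading '-' means "ignore if missing"; irrelevant here
        p="${p%/}"      # normalise a trailing slash such as /var/log/
        case "$target" in
            "$p"|"$p"/*) return 0 ;;
        esac
    done
    return 1
}

# Real deployment (as root), after trying the functions in a scratch directory:
#   write_logging_dropin /etc/systemd/system /var/log/myapp
#   systemctl daemon-reload && systemctl restart tomcat9
#   systemctl show tomcat9 -p ReadWritePaths   # confirm the override is in effect
```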