JIRA's dedicated user requires write access to Tomcat's conf folder

For our production JIRA installation, I was following the instructions at: Installing JIRA applications from an archive file on Windows, Linux or Solaris

  • I created a non-system user for the JIRA installation files called: "jira"
  • I created a non-system user for running the JIRA Tomcat instance called: "jira-tomcat"
  • The "jira" user is a member of the "jira-tomcat" group and vice versa
  • The "jira" user has a umask of 0027
  • I've configured the user.sh script to define: JIRA_USER="jira-tomcat"
  • I've granted the "jira-tomcat" user ownership + write access to Tomcat's logs, temp and work folders as well as the JIRA home folder containing the JIRA data files.
  • I've configured the "jira" user to sudo as the "jira-tomcat" user without a password:

    jira   ALL=(jira-tomcat) NOPASSWD: ALL
    Defaults:jira !requiretty
  • I start JIRA as the "jira" user using the following command:

    sudo -u jira-tomcat -s ./start-jira.sh

My issue is that when JIRA starts, it displays a SEVERE error in the catalina.out file saying:

30-Sep-2016 12:35:36.917 SEVERE [Catalina-startStop-1] org.apache.catalina.startup.HostConfig.start Unable to create directory for deployment: /opt/home/jira/atlassian-jira-software-7.0.11-standalone/conf/Catalina/localhost

JIRA seems to be working fine, but it seems that the "jira-tomcat" user needs WRITE access to the conf folder to be able to create the "Catalina/localhost" folder.

Is this correct or could the documentation be updated to advise that this folder should be pre-created before starting JIRA to avoid the SEVERE error?
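As an added example (not Atlassian's documentation or the poster's own script): a POSIX shell helper that pre-creates the directories Tomcat writes to at startup, including the conf/Catalina/localhost folder from the SEVERE message, and grants group write only there, so the runtime user keeps read-only access to the rest of the install tree. Function names, the owner/group arguments and the scratch-tree behaviour are assumptions made for this example.

```shell
#!/bin/sh
# Added example for this thread (not Atlassian's or the poster's script).
# Pre-creates the directories Tomcat writes to at startup, including the
# conf/Catalina/localhost folder named in the SEVERE message, and grants
# group write only there, so the runtime user (e.g. "jira-tomcat") keeps
# read-only access to the rest of the install tree owned by "jira".
# Function and variable names are assumptions made for this example.
set -eu

# Directories the runtime user must be able to write, relative to the
# install root (conf itself stays read-only).
WRITABLE_DIRS="conf/Catalina/localhost logs temp work"

# prepare_tomcat_dirs INSTALL_DIR OWNER_USER RUNTIME_GROUP
prepare_tomcat_dirs() {
  inst=$1; owner=$2; grp=$3
  for d in $WRITABLE_DIRS; do
    mkdir -p "$inst/$d"
  done
  # Whole tree: owner rwx, group r-x, no world access (same as umask 0027).
  chmod -R u=rwX,g=rX,o= "$inst"
  # Only the runtime directories get group write.
  for d in $WRITABLE_DIRS; do
    chmod -R g+w "$inst/$d"
  done
  # chown only when both names exist locally, so the function can be
  # exercised in a scratch tree without those accounts (assumed behaviour).
  if id -u "$owner" >/dev/null 2>&1 && getent group "$grp" >/dev/null 2>&1; then
    chown -R "$owner:$grp" "$inst"
  fi
}

# count_group_writable_outside INSTALL_DIR
# Prints how many entries outside WRITABLE_DIRS are group-writable; anything
# above 0 means the runtime user could modify install files or config.
count_group_writable_outside() {
  inst=$1
  prune=""
  for d in $WRITABLE_DIRS; do
    prune="$prune -path $inst/$d -prune -o"
  done
  # $prune is intentionally unquoted so it expands to separate find arguments.
  find "$inst" $prune -perm -g=w -print | wc -l | tr -d ' '
}
```

Run `prepare_tomcat_dirs /path/to/atlassian-jira jira jira-tomcat` before the first start, then confirm `count_group_writable_outside` prints 0.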

1 answer

Are you running other Tomcat containers besides JIRA on your instance, or what is the reason you split up JIRA and JIRA-tomcat? I use a non-privileged user (jira) for running JIRA and don't really distinguish between the rights of Tomcat versus the rights of Jira. In front of that we have a rewrite proxy that terminates SSL and redirects port 80/443 to the high port of Jira.

With this said, my JIRA instance is not facing the internet, so I don't have to calculate in that external attack vector.

>Are you running other Tomcat containers besides JIRA on your instance

JIRA is running in the Tomcat container that comes with its installation bundle. There are no other webapps running in that container. I have not split up JIRA. Sorry for the misunderstanding.

>I use a non privileged user (jira) for running JIRA and don't really distinguish between the rights of Tomcat versus the right of Jira.

I thought Atlassian may have had a security reason for running the Tomcat container as a user separate from the user that owns the JIRA installation files. I assumed it was to limit the impact of what the Tomcat user can access if compromised. I agree it's easier to simply use a single non-privileged user. I may have overthought the installation instructions.

>In front of that we have a rewrite proxy that terminates SSL and redirects port 80/443 to the high port of Jira.

Yes, I have a similar setup.

>my JIRA instance is not facing the internet

Unfortunately, for the moment our instance is facing the internet. In the future we will IP restrict it.
