JIRA's dedicated user requires write access to Tomcat's conf folder

Jinesh Choksi September 30, 2016

For our production JIRA installation, I was following the instructions at: Installing JIRA applications from an archive file on Windows, Linux or Solaris

  • I created a non system user for the JIRA installation files called: "jira"
  • I created a non system user for running the JIRA tomcat instance called: "jira-tomcat"
  • The "jira" user is a member of the "jira-tomcat" group and vice versa
  • The "jira" user has a umask of 0027
  • I've configured the user.sh script to define: JIRA_USER="jira-tomcat"
  • I've granted the "jira-tomcat" user ownership + write access to Tomcat's log/temp and work folders as well as the JIRA home folder containing the JIRA data files.
  • I've configured the "jira" user to sudo as the "jira-tomcat" user without a password:

    jira   ALL=(jira-tomcat) NOPASSWD: ALL
    Defaults:jira !requiretty
  • I start JIRA as the "jira" user using the following command: 

    sudo -u jira-tomcat -s ./start-jira.sh

My issue is that when JIRA starts, it displays a SEVERE error in the catalina.out file saying:

30-Sep-2016 12:35:36.917 SEVERE [Catalina-startStop-1] org.apache.catalina.startup.HostConfig.start Unable to create directory for deployment: /opt/home/jira/atlassian-jira-software-7.0.11-standalone/conf/Catalina/localhost

JIRA seems to be working fine, but it seems that the "jira-tomcat" user needs WRITE access to the conf folder to be able to create the "Catalina/localhost" folder.

Is this correct or could the documentation be updated to advise that this folder should be pre-created before starting JIRA to avoid the SEVERE error?
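One way to lay out the split-user permission model described in the question so that Tomcat finds conf/Catalina/localhost already in place without the runtime user ever getting write access to conf/ itself. This is an added example script, not code from the original post or from Atlassian's documentation; it assumes a GNU/Linux host (stat -c, getent), takes the install path, owner, runtime user and group as parameters, and only attempts chown when the named accounts actually exist, so it can be dry-run in a scratch directory.

```shell
#!/bin/sh
# Example: prepare a JIRA standalone directory for a read-only install owner
# ("jira") and a separate Tomcat runtime user ("jira-tomcat"), pre-creating
# the deployment directory that HostConfig.start otherwise tries to mkdir.
# Usage: . ./prepare_jira_dirs.sh
#        prepare_jira_dirs /opt/home/jira/atlassian-jira-software-7.0.11-standalone

# maybe_chown USER GROUP PATH: chown only when both accounts exist locally,
# so the layout can be exercised in a temporary directory as an unprivileged user.
maybe_chown() {
    if id "$1" >/dev/null 2>&1 && getent group "$2" >/dev/null 2>&1; then
        chown "$1:$2" "$3"
    fi
}

# prepare_jira_dirs INSTALL_DIR [OWNER] [RUNTIME_USER] [GROUP]
# Defaults follow the question: owner "jira", runtime user and group "jira-tomcat".
prepare_jira_dirs() {
    install_dir=$1
    owner=${2:-jira}
    runtime=${3:-jira-tomcat}
    group=${4:-jira-tomcat}

    umask 0027   # anything created below: directories 750, files 640

    # Directories Tomcat writes to at runtime, owned by the runtime user.
    # conf/Catalina/localhost is the one HostConfig complains about.
    for d in logs temp work conf/Catalina/localhost; do
        mkdir -p "$install_dir/$d"
        chmod 750 "$install_dir/$d"
        maybe_chown "$runtime" "$group" "$install_dir/$d"
    done

    # conf/ and conf/Catalina stay with the install owner: the runtime user
    # traverses and reads them via group membership but cannot modify them.
    for d in conf conf/Catalina; do
        chmod 750 "$install_dir/$d"
        maybe_chown "$owner" "$group" "$install_dir/$d"
    done
    # server.xml and friends: owner read/write, group read-only, no world access.
    find "$install_dir/conf" -maxdepth 1 -type f -exec chmod 640 {} +
}

# octal_mode PATH: permission bits as printed by GNU stat, e.g. 750.
octal_mode() {
    stat -c '%a' "$1"
}
```

After running it, a `SEVERE ... Unable to create directory for deployment` line in catalina.out would indicate that conf/Catalina/localhost is missing or not owned by the runtime user, while conf/server.xml remains unwritable to that user.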

1 answer

0 votes
Jonas Andersson
Rising Star
September 30, 2016

Are you running other Tomcat containers besides JIRA on your instance, or what is the reason you split up JIRA and JIRA-tomcat? I use a non privileged user (jira) for running JIRA and don't really distinguish between the rights of Tomcat versus the rights of Jira. In front of that we have a rewrite proxy that terminates SSL and redirects port 80/443 to the high port of Jira.

With this said, my JIRA instance is not facing the internet, so I don't have to calculate in that external attack vector.

Jinesh Choksi September 30, 2016

>Are you running other Tomcat containers besides JIRA on your instance

JIRA is running in the Tomcat container that comes with its installation bundle. There are no other webapps running in that container. I have not split up JIRA. Sorry for the misunderstanding.

>I use a non privileged user (jira) for running JIRA and don't really distinguish between the rights of Tomcat versus the right of Jira.

I thought Atlassian may have had a security reason for running the Tomcat container as a user separate from the user that owns the JIRA installation files. I assumed it was to limit the impact of what the Tomcat user can access if compromised. I agree it's easier to simply use a single non-privileged user. I may have overthought the installation instructions.

>In front of that we have a rewrite proxy that terminates SSL and redirects port 80/443 to the high port of Jira.

Yes, I have a similar setup.

>my JIRA instance is not facing the internet

Unfortunately, for the moment our instance is facing the internet. In the future we will IP restrict it.
