Amazon EC2 – Permission Denied While Deploying Tomcat 8 Webapp

14.04amazon ec2javatomcat

I can't find how I can get write and read permission into the tomcat folder.

I followed DigitalOcean's tutorial on setting up Tomcat. The only thing I did different is that I used Java 8 instead of 7, but I don't think that this is causing the issue.

When I log into the tomcat web application manager and upload the war I get following error:

FAIL – Deploy Upload Failed, Exception: /opt/tomcat/webapps/SimpleServlet.war (Permission denied)

When I use Filezilla to connect to EC2 and I want to drop the file into webapps folder:

Error: /opt/tomcat/webapps/SimpleServlet.war: open for write: permission denied
Error: File transfer failed

The output of ls -la /opt/tomcat/webapps is:

total 28
drwxr-xr-x  7 root root 4096 Nov 20 09:19 .
drwxr-xr-x  9 root root 4096 Nov 28 16:34 ..
drwxr-xr-x 14 root root 4096 Nov 28 16:34 docs
drwxr-xr-x  6 root root 4096 Nov 28 16:34 examples
drwxr-xr-x  5 root root 4096 Nov 28 16:34 host-manager
drwxr-xr-x  5 root root 4096 Nov 28 16:34 manager
drwxr-xr-x  3 root root 4096 Nov 28 16:34 ROOT

but this is the folder structure that can be seen in FileZilla

Image filezilla ec2 structure

On the tutorial I followed this step:

Then create a new tomcat user. We'll make this user a member of the tomcat group, with a home directory of /opt/tomcat (where we will install Tomcat), and with a shell of /bin/false (so nobody can log into the account):

sudo useradd -s /bin/false -g tomcat -d /opt/tomcat tomcat

Could this be the problem?

Best Answer

/opt/tomcat is declared to be the home directory of the tomcat user, but belongs to the root user (with the tomcat user not having write permissions).

Scrubbing the tutorial, especially the permissions section, I have mixed feelings towards the quality of the tutorial. It speaks about "giv[ing] the tomcat user write access to the conf directory" while changing the folder's permissions. Not having write permissions for the web application server's user to the software ran seems reasonable for production use (an attacker exploiting the tomcat process will not be able to modify software), this will also prevent you from deploying applications from withing the tomcat web application manager.

I'd go for setting up tomcat as the webapps group:

chgrp -R tomcat /opt/tomcat/webapps

and when you need to deploy new applications, add write permissions for that group:

chmod -R g+w /opt/tomcat/webapps

which you remove again after deployment:

chmod -R g-w /opt/tomcat/webapps

(you will need to run those commands with super user privileges, so prefix sudo as needed). This would also fit the Tomcat Security Considerations HowTo.