IDP 4.3.1 Ubuntu 22.04/Tomcat 9 - No Access to App Subdirectories

Peter Schober peter.schober at
Tue Jun 27 13:10:08 UTC 2023

* Ullfig, Roberto Alfredo <rullfig at> [2023-06-27 14:31]:
> Yes I reloaded. I've been doing this for over a decade.

You shouldn't feel offended by someone trying to help you fix your problems.
And it's not like the most experienced of admins are incapable of
making simple mistakes. Maybe you're the exception, of course.

> Do you know where systemd logs denied write access because I can't
> see that logged anywhere.

I'm not aware that it does but that doesn't mean anything.
The systemd docs (or code) would tell you. Sorry if you already knew
that as well. (Hard to tell which suggestions are OK and which are not
because you know all that.)

> I only figured out to enable write access to the log from someone
> else's post.

That specific issue only occurs when someone is using a distribution
of Tomcat that's explicitly not supported by the Shibboleth project:

  "We also do not officially support any "packaged" containers provided
  by OS vendors. We do not test on these containers so we cannot
  assess what changes may have been made by the packaging process [...]"

I've personally reported about this issue and how to work around it
several times on this list, at least 3 times in 2020 alone, back when
this issue initially came up (by Debian and derivatives introducing
these additional hardening mechanisms in their tomcat packaging):

> It could be that tomcat is opening the directories R/W even though
> it doesn't need to write to them.

I never had to add any ReadWritePaths to make the IDP's default of
/idp/images/ work, which maps to the war in $IDP_HOME/war/idp.war or
an extracted copy thereof, which on Debian & friends would end up in
/var/lib/tomcat9/webapps/idp/ -- and /var/lib/tomcat9/webapps/ is
included in the default ReadWritePaths as distributed by Debian and

So no manual config changes would be needed to make the images
directory of the default IDP distribution work here, IMO.

Not even when putting those images into the ROOT context (which is the
alternative Keith W. suggested and what I'm using myself), outside of
the IDP's war mechanism, which on Debian & friends is in
/var/lib/tomcat9/webapps/ROOT/ and so still included in the default
systemd service's ReadWritePaths as well.

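The check the thread keeps circling back to, as an added example that is not part of the list post: under Debian/Ubuntu's systemd hardening for tomcat9, a directory is writable for Tomcat only if it sits below one of the unit's ReadWritePaths entries. The script below decides that for a given path (whole-component prefix match, so /var/lib/tomcat9 does not accidentally cover /var/lib/tomcat9-old) and can print a drop-in that extends, rather than replaces, the unit's ReadWritePaths for a location outside the defaults. The ReadWritePaths value it carries is a constructed stand-in for the output of `systemctl show`, not the distribution's actual unit file, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the list post): test whether a path falls under a
# systemd unit's ReadWritePaths, the setting that decides whether Tomcat may
# write there while ProtectSystem=strict is in effect.
#
# On a live Debian/Ubuntu host the real value comes from:
#   systemctl show -p ProtectSystem -p ReadWritePaths tomcat9.service
# SAMPLE_RWPATHS is a constructed stand-in for that output, used so the
# script runs offline; it is not the distribution's unit file.
SAMPLE_RWPATHS='/var/lib/tomcat9/webapps/ /var/log/tomcat9/ /var/lib/tomcat9/work/'

# path_in_rwpaths RWPATHS PATH
#   exit 0 if PATH equals or lies below one of the space-separated entries in
#   RWPATHS, 1 otherwise. Both sides are normalised to exactly one trailing
#   slash so the prefix match works on whole path components.
path_in_rwpaths() {
    rwpaths=$1
    target=$(printf '%s/' "$2" | sed 's#/\{2,\}$#/#')
    for entry in $rwpaths; do
        # drop systemd's leading '-' ("ignore if missing") marker, then
        # normalise the trailing slash
        entry=$(printf '%s/' "${entry#-}" | sed 's#/\{2,\}$#/#')
        case "$target" in
            "$entry"*) return 0 ;;
        esac
    done
    return 1
}

# rwpaths_dropin PATH...
#   print a drop-in that adds PATH... to the unit's ReadWritePaths. List
#   settings accumulate across assignments in systemd, so this extends the
#   packaged list instead of replacing it. Install it with
#     systemctl edit tomcat9.service     (paste the output)
#     systemctl daemon-reload && systemctl restart tomcat9.service
rwpaths_dropin() {
    printf '[Service]\n'
    for p in "$@"; do
        printf 'ReadWritePaths=%s\n' "$p"
    done
}

# Stand-alone run: the IdP's default images location and a ROOT-context
# location are covered by the sample list; an IdP home outside
# /var/lib/tomcat9 is not and would need a drop-in.
for p in /var/lib/tomcat9/webapps/idp/images \
         /var/lib/tomcat9/webapps/ROOT/images \
         /opt/shibboleth-idp/logs; do
    if path_in_rwpaths "$SAMPLE_RWPATHS" "$p"; then
        echo "writable under sample ReadWritePaths: $p"
    else
        echo "NOT writable under sample ReadWritePaths: $p"
        rwpaths_dropin "$p"
    fi
done
```

Run it as-is to see the decision for the three paths, or replace SAMPLE_RWPATHS with the value `systemctl show` reports on the host to check a real unit. A path that is reported as not writable is the case where the "cannot write to the log" symptom from the thread appears and where a drop-in is the fix; paths already below /var/lib/tomcat9/webapps/ need no change.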
