Tomcat 9 is sandboxed.

I want to read data of a log file.

The file is in "/opt/zigbee2mqtt/data/."

I read this thread already and tried it: How to allow Tomcat war app to write in folder

I edited the file, and did systemctl daemon-reload as well as systemctl restart tomcat9.

Then I wrote my Java class which should read the data out of the log file. But I get an exception.

java.io.FileNotFoundException: /opt/zigbee2mqtt/data/configuration.yaml (Permission denied)
        at java.base/java.io.FileOutputStream.open0(Native Method)
        at java.base/java.io.FileOutputStream.open(FileOutputStream.java:298)
        at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:237)
        at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:187)
        at com.fasterxml.jackson.dataformat.yaml.YAMLFactory.createGenerator(YAMLFactory.java:437)
        at com.fasterxml.jackson.databind.ObjectMapper.createGenerator(ObjectMapper.java:1156)
        at com.fasterxml.jackson.databind.ObjectMapper.writeValue(ObjectMapper.java:3570)
        at zigbee.main.doupdateconfiguration(main.java:81)
        at Servlet.configuration.doPost(configuration.java:72)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.filters.ExpiresFilter.doFilter(ExpiresFilter.java:1226)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:200)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:834)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1415)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:834)

I think I could change something with chmod or chown, but maybe then the Zigbee service won't work? I am not a Linux expert. I don't want to do anything wrong or insecure.

root@raspberrypi:/opt/zigbee2mqtt/data# ls -halt
total 24K
drwxr-xr-x  6 pi pi 4.0K May 12 09:17 log
drwxr-xr-x  3 pi pi 4.0K May 10 18:31 .
-rw-r--r--  1 pi pi 4.0K May 10 18:31 database.db
-rw-rw-r--  1 pi pi  360 May 10 18:31 state.json
-rw-rw-r--  1 pi pi  330 May 10 17:23 configuration.yaml
drwxr--r-- 12 pi pi 4.0K May 10 11:16 ..

What would be the best solution so that Tomcat 9 can read the file and Zigbee can still update it too?

Update:

root@raspberrypi:/opt/zigbee2mqtt/data# ll
total 24K
-rw-rw-r--  1 pi webservice  360 May 13 22:03 state.json
drwxrw-r-x  6 pi webservice 4.0K May 12 09:17 log
drwxr-xr-x  3 pi pi         4.0K May 10 18:31 .
-rw-rw-r--  1 pi webservice 4.0K May 10 18:31 database.db
-rw-rw-r--  1 pi webservice  330 May 10 17:23 configuration.yaml
drwxr--r-- 12 pi pi         4.0K May 10 11:16 ..
root@raspberrypi:/opt/zigbee2mqtt/data# id tomcat
uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat),1002(webservice)

Extract of: /etc/systemd/system/tomcat9.service.d/override.conf

[Service]
ReadWritePaths=/usr/local/jakarta-tomcat/webapps/smartzig/_x_logs/
ReadWritePaths=/opt/zigbee2mqtt/data/
ReadWritePaths=/opt/zigbee2mqtt/
ReadWritePaths=/opt/
ru4ert

2 Answers

Add the tomcat user to a group and grant this group the required access to those files, e.g. you can create a group called webserver. Then restart tomcat and try again.

Steps

  1. Create a new group
    sudo groupadd webserver
    
  2. Add tomcat9 user to group webserver
    sudo usermod -a -G webserver tomcat9
    
  3. Change group ownership
    sudo chgrp webserver configuration.yaml
    
  4. Add read and write permission to file
    sudo chmod g=rw configuration.yaml
    
  5. Restart tomcat
    sudo systemctl restart tomcat9
    

Update the group ownership of the directories (that contain the files) and add the permissions to them:

sudo chgrp webserver /opt/zigbee2mqtt/data/
sudo chgrp webserver /opt/zigbee2mqtt/
sudo chmod g=rwx /opt/zigbee2mqtt/data/
sudo chmod g=rwx /opt/zigbee2mqtt/
Pablo Bianchi
0xh3xa
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackoverflow.com/rooms/213819/discussion-on-answer-by-sc0der-how-to-grant-tomcat-9-access-on-other-files). – Samuel Liew May 14 '20 at 01:06
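The answer above fixes the group on the file and the two directories, and the second part matters: the kernel checks the search (x) bit on every directory along the path, and the question's listing shows the parent `..` as `drwxr--r-- pi pi`, which grants x to nobody but pi. This added example (not code from the question or either answer) replays that check over constructed entries modelled on the question's listings, before and after the answer's chgrp and chmod g=rwx; it assumes the group is named webservice as in the question's update rather than webserver as in the answer.

```shell
#!/bin/sh
# Added example: replay the classic Unix permission check over every path
# component for a given user, using ls -l style entries modelled on the
# question's listings. Not part of the question or the answers.

# allowed MODE OWNER GROUP USER "GROUPS" WANT   (WANT is r, w or x)
# Exactly one class applies: owner if USER owns the entry, else group if
# USER is a member of the entry's group, else other. There is no fallback,
# so a group triplet of rw- blocks a member even when other has r-x.
allowed() {
  m=$1; o=$2; gr=$3; u=$4; ugs=$5; w=$6; s=8   # column 8: the "other" triplet
  if [ "$u" = "$o" ]; then s=2                   # column 2: owner triplet
  else for g in $ugs; do [ "$g" = "$gr" ] && s=5; done; fi   # column 5: group
  case "$(printf '%s' "$m" | cut -c"$s-$((s+2))")" in *"$w"*) return 0 ;; esac
  return 1
}

# check_path USER "GROUPS" WANT TARGET TABLE -> 0 if every ancestor directory
# grants x (search) and TARGET grants WANT; otherwise prints the first denial.
check_path() {
  printf '%s\n' "$5" | while read -r p mode owner grp; do
    case "$4" in
      "$p") need=$3 ;;   # the target entry itself
      "$p"/*) need=x ;;  # an ancestor directory: needs the search bit
      *) continue ;;
    esac
    if ! allowed "$mode" "$owner" "$grp" "$1" "$2" "$need"; then
      echo "denied at $p ($mode $owner:$grp): no '$need' for $1"; exit 1
    fi
  done
}

# Constructed tables. BEFORE mirrors the question's updated listing (tomcat
# already in group webservice); AFTER applies the answer's chgrp + chmod g=rwx
# to the two directories, with webservice as the group name.
BEFORE='/opt/zigbee2mqtt drwxr--r-- pi pi
/opt/zigbee2mqtt/data drwxr-xr-x pi pi
/opt/zigbee2mqtt/data/log drwxrw-r-x pi webservice
/opt/zigbee2mqtt/data/configuration.yaml -rw-rw-r-- pi webservice'
AFTER='/opt/zigbee2mqtt drwxrwxr-- pi webservice
/opt/zigbee2mqtt/data drwxrwxr-x pi webservice
/opt/zigbee2mqtt/data/log drwxrw-r-x pi webservice
/opt/zigbee2mqtt/data/configuration.yaml -rw-rw-r-- pi webservice'

for t in "$BEFORE" "$AFTER"; do
  check_path tomcat "tomcat webservice" w /opt/zigbee2mqtt/data/configuration.yaml "$t" || echo "(write denied)"
  check_path tomcat "tomcat webservice" x /opt/zigbee2mqtt/data/log "$t" || echo "(log not searchable)"
done
```

Note that ReadWritePaths only lifts systemd's read-only mount sandbox; the ownership and mode check replayed here still applies on top of it, so the file and directory modes have to be right regardless of how broad the ReadWritePaths entries are.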
The permissions of the yaml file are "-rw-rw-r--", which reads left to right:

  • the owner of the file can read and write (not execute)
  • the group of the owner of the file can read and write (not execute)
  • everyone else can read the file

So, whether you can write to the file depends on which user is running the tomcat process. But everyone should be able to read the file. If you can't read the file then you are probably opening the file in read/write mode instead of read mode.

You could chmod 666 the file to change the permissions to "-rw-rw-rw-"

lance-java