Hello, thanks for the report.
On Thu, 16 Sep 2021 08:17:29 +0200 Martin van Es <mar...@mrvanes.com> wrote:
> Package: jetty9
> Version: 9.4.16-0+deb10u1
> Severity: important
>
> On a default jetty9 install, the systemd unit file restricts readwrite
> operations to /var/lib/jetty9/ using the systemd ProtectSystem and
> ReadWritePaths options.
>
> The complaint is that this is way too strict for normal operation and daily
> use of jetty. E.g. when roughly following the installation instructions for a
> popular SAML IdP Shibboleth [1] the default installation directory is /opt/
> shibboleth-idp, called idp.home. The default logfiles and metadata directory
> are %{idp.home}/logs and %{idp.home}/metadata, which prevents Shibboleth from
> correctly logging messages and saving metadata after start.
>
> Especially not being able to log to ${idp.home}/log made debugging this
> problem extremely hard and time consuming. The solution/work-around was to
> create an override unit for jetty9 that disables ProtectSystem(=no) and
> ReadWritePaths(=)
>
> Please reconsider the ProtectSystem option in jetty9's systemd unit file.
>
> Best regards,
> Martin

The security settings are intentional and compatible with other Debian
system packages. Web applications should be installed into
/var/lib/jetty9/webapps. If your use case requires read or write access
to different paths then you can create an override.conf file in
/etc/systemd/system/jetty9.service.d/ containing:

[Service]
ReadWritePaths=/path/to/the/directory/

This is the recommended way to override systemd settings. We do not
intend to diverge from the default security settings because these
prevent possible exploits and yet undiscovered security vulnerabilities.

I have clarified the override mechanism in README.Debian and I am going
to close this bug report now.

Regards,

Markus
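An added example, not part of the original message or of the Debian package: a shell helper that writes the drop-in described above for the Shibboleth directories named in the report, so that ProtectSystem stays enabled instead of being switched off. The function name write_jetty9_dropin is hypothetical; it rejects paths that are relative, contain spaces, or do not exist, because systemd refuses to start a unit whose ReadWritePaths entry is missing on disk (unless the entry is prefixed with "-").

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the jetty9 package).
# Usage: write_jetty9_dropin DROPIN_DIR PATH...
# Writes DROPIN_DIR/override.conf with a ReadWritePaths= line only.
# A non-empty ReadWritePaths= in a drop-in is appended to the list from
# the packaged unit, so /var/lib/jetty9/ stays writable and
# ProtectSystem keeps its packaged value.
write_jetty9_dropin() {
    if [ "$#" -lt 2 ]; then
        echo "usage: write_jetty9_dropin DROPIN_DIR PATH..." >&2
        return 2
    fi
    dropin_dir=$1
    shift
    paths=""
    for p in "$@"; do
        case $p in
            *" "*) echo "path contains a space: $p" >&2; return 2 ;;
            /*)    ;;  # absolute path, accepted
            *)     echo "not an absolute path: $p" >&2; return 2 ;;
        esac
        # A listed path that does not exist makes the unit fail at start.
        if [ ! -d "$p" ]; then
            echo "missing directory: $p" >&2
            return 3
        fi
        paths="${paths:+$paths }$p"
    done
    mkdir -p "$dropin_dir" || return 1
    printf '[Service]\nReadWritePaths=%s\n' "$paths" \
        > "$dropin_dir/override.conf"
}

# Real use (as root), with the directories from the Shibboleth report:
#   write_jetty9_dropin /etc/systemd/system/jetty9.service.d \
#       /opt/shibboleth-idp/logs /opt/shibboleth-idp/metadata
#   systemctl daemon-reload
#   systemctl restart jetty9
# Check what the running unit ended up with:
#   systemctl show jetty9 -p ProtectSystem -p ReadWritePaths
```
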