Clarification on this after further research. It appears that after this update, the tomcat9 service is no longer honoring the sandbox settings in the systemd script. The service can write to the default folders like /var/log/tomcat9, but not to the custom folders I've specified in the systemd script as follows:
    # Security
    User=tomcat
    Group=tomcat
    PrivateTmp=yes
    AmbientCapabilities=CAP_NET_BIND_SERVICE
    NoNewPrivileges=true
    CacheDirectory=tomcat9
    CacheDirectoryMode=750
    ProtectSystem=strict
    ReadWritePaths=/etc/tomcat9/Catalina/
    ReadWritePaths=/var/lib/tomcat9/webapps/
    ReadWritePaths=/var/log/tomcat9/
    ReadWritePaths=/custom/path/here/

Tomcat is not given access to the /custom/path/here path. Also, changing ProtectSystem=strict to ProtectSystem=false has no effect. This setup was working before the update and hasn't changed for a fairly long time.

-- 
https://bugs.launchpad.net/bugs/1967564

Title:
  libtomcat9-java and tomcat9-common 9.0.31-1ubuntu0.2 causes read-only file system for Tomcat
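The report above describes a sandboxed unit whose ReadWritePaths= entries appear to be ignored. The script below is an added editor's example, not part of the bug report or of the tomcat9 package, for checking three things a practitioner would want to know before blaming the package: which ReadWritePaths= entries a unit or drop-in file actually contributes (the setting accumulates across repeated lines, and an empty "ReadWritePaths=" resets the list), what systemd has actually loaded for the service (a package upgrade replaces the packaged unit under /lib/systemd/system, while a drop-in under /etc/systemd/system/tomcat9.service.d/ survives it), and whether a write to a given directory succeeds under a transient unit with the same ProtectSystem= and ReadWritePaths= settings. The unit name tomcat9.service and the paths are taken from the report; the sample unit text in the usage is constructed here, and the live checks assume a systemd host with root privileges.

```shell
#!/bin/sh
# Added diagnostic (editor's example, not from the bug report or the tomcat9 package).
# Assumptions: the unit is tomcat9.service, and the sandbox lines live either in the
# packaged unit or in a drop-in such as /etc/systemd/system/tomcat9.service.d/override.conf.

# Print the ReadWritePaths= entries that one unit/drop-in file contributes, one per line.
# ReadWritePaths= accumulates across repeated lines; an empty assignment resets the list,
# so a stray "ReadWritePaths=" further down silently discards everything before it.
rw_paths_from_unit() {   # $1: unit or drop-in file
    awk '
        /^\[/                    { in_service = ($0 == "[Service]"); next }
        !in_service              { next }
        /^[ \t]*#/ || /^[ \t]*;/ { next }
        /^ReadWritePaths[ \t]*=/ {
            v = $0; sub(/^ReadWritePaths[ \t]*=[ \t]*/, "", v)
            if (v == "") { n = 0; next }
            k = split(v, a, /[ \t]+/)
            for (i = 1; i <= k; i++) if (a[i] != "") paths[++n] = a[i]
        }
        END { for (i = 1; i <= n; i++) print paths[i] }
    ' "$1"
}

# Print the effective ProtectSystem= value of one file (last assignment wins; empty if unset).
protect_system_from_unit() {   # $1: unit or drop-in file
    awk '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && /^ProtectSystem[ \t]*=/ { v = $0; sub(/^ProtectSystem[ \t]*=[ \t]*/, "", v) }
        END { print v }
    ' "$1"
}

# Show what systemd has actually loaded: the packaged unit plus every drop-in, then the
# merged property values. This is what matters after an upgrade, not the file you edited.
show_effective() {   # $1: unit name
    systemctl cat "$1"
    systemctl show -p ProtectSystem -p ReadWritePaths -p NoNewPrivileges "$1"
}

# Reproduce the sandbox in a throwaway transient unit and try to create and delete a file
# in the given directory. Exit status 0 means the write succeeded under these settings.
probe_write() {   # $1: unit name (for its User=), $2: directory to test
    user=$(systemctl show -p User --value "$1")
    systemd-run --quiet --wait --collect --pipe \
        -p "User=${user:-root}" -p ProtectSystem=strict -p "ReadWritePaths=$2" \
        /bin/sh -c "touch '$2/.sandbox-probe' && rm '$2/.sandbox-probe'"
}

# Live mode (needs systemd and root): ./sandbox-check.sh --live
if [ "${1:-}" = "--live" ] && command -v systemctl >/dev/null 2>&1; then
    show_effective tomcat9.service
    for d in $(systemctl show -p ReadWritePaths --value tomcat9.service); do
        if probe_write tomcat9.service "$d"; then
            echo "writable:     $d"
        else
            echo "NOT writable: $d"
        fi
    done
fi
```

The file parsers only look at one file at a time, so run them over the packaged unit and every drop-in separately and compare with `systemctl show`; a path that is present in your drop-in but missing from the merged ReadWritePaths= output points at the unit that systemd loaded, not at Tomcat. The probe deliberately copies only ProtectSystem= and ReadWritePaths= into the transient unit, which isolates those two settings from the rest of the sandbox; if the probe succeeds while the real service still cannot write, the cause lies in another directive of the loaded unit.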