On 1/12/2016 at 21:49, paul.sz...@sydney.edu.au wrote:
> Sorry for my previous outbursts. I was wrong.

No problem, thanks a lot for the review.

> However... will tomcat still "work"? On my machine, I have one XML file
> /etc/tomcat8/Catalina/localhost/mapleta.xml
> in there, for the one application(?) that is installed. I guess it was
> tomcat that put it there: then tomcat needs write access to localhost.

That's a good question, and I think it should be ok. Tomcat copies the META-INF/context.xml file from the web application into this directory and renames it if the Host element in server.xml has the copyXML attribute set to true (the default value is false). When copyXML is true and the directory is read-only an error is displayed in catalina.out and the web application is not loaded. The error looks like this:

    Error deploying web application directory /var/lib/tomcat8/webapps/foo
    java.nio.file.AccessDeniedException: /etc/tomcat8/Catalina/localhost/foo.xml

The copyXML attribute was introduced in Tomcat 7, with Tomcat 6 the context.xml file was always copied (the behavior was thus equivalent to copyXML=true in later releases). In your case I guess you either inherited the mapleta.xml file from a Tomcat 6 installation migrated to Tomcat 7/8, put the file there manually and forgot about it, or have copyXML=true in server.xml.

I'm not sure about the use case for copyXML=true. Once the context.xml file has been copied, the original file is always ignored, even if the web application is updated with a more recent context descriptor. Thus the first deployment of the application blocks any subsequent change to the context descriptor. That's a bit odd and I'd be interested to know why people are doing this. The use of context descriptors in /etc/tomcat8/Catalina/localhost is a valid strategy to override the default configuration of the web application, but the creation of this file is necessarily a manual operation, an automatic copy brings nothing useful.

Due to the fact that copyXML defaults to false, and copyXML=true looks dubious, I think it's ok to keep the localhost directory read-only for the tomcat8 user.

> Maybe /etc/tomcat8/Catalina/localhost is to be "delivered" writable from
> the DEB package, the ownership only to be fixed in postinst? In the
> current DEB, that directory is not group-writable.

This is worth trying. The catch is that other packages also install files into /etc/tomcat8/Catalina/localhost, so they all have to set the permissions properly. I'll probably go down this path if someone has a good argument supporting the use of copyXML=true.

Emmanuel Bourg
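
The interaction described in the message above (copyXML on a Host combined with a context directory the Tomcat user cannot write to) can be checked before a deployment. This is an added example, not part of the original e-mail or of the Debian package; the function names and verdict strings are hypothetical, and it assumes the Tomcat user reaches the directory through its group, so the group-write bit decides writability.

```shell
#!/bin/sh
# Added example: predict the AccessDeniedException case from server.xml and
# the mode of the context directory. Limitation: XML comments are not
# stripped, so a commented-out <Host> tag is treated like a live one.

# Succeeds if any <Host ...> tag sets copyXML="true".
# Tags may span several lines, so newlines are flattened first.
host_copyxml_enabled() {
    tr '\n' ' ' < "$1" | grep -o '<Host[^>]*>' |
        grep -Eq "copyXML[[:space:]]*=[[:space:]]*[\"']true[\"']"
}

# Succeeds if the directory has the group-write bit set (6th character of
# the ls mode string). Assumption: Tomcat gets access via the group.
dir_group_writable() {
    [ "$(ls -ld "$1" | cut -c6)" = "w" ]
}

# Prints one verdict for a server.xml / context directory pair:
#   no-copy               copyXML is off (the default), nothing is copied
#   copy-on-first-deploy  context.xml is copied once, later versions ignored
#   deploy-fails          copy is attempted but the directory is read-only
audit_context_dir() {
    if ! host_copyxml_enabled "$1"; then
        echo "no-copy"
    elif dir_group_writable "$2"; then
        echo "copy-on-first-deploy"
    else
        echo "deploy-fails"
    fi
}

# Constructed sample: a Host tag split over two lines and a 755 directory.
demo_dir=$(mktemp -d)
printf '%s\n' '<Server><Service><Engine>' \
    '<Host name="localhost" appBase="webapps"' \
    '      copyXML="true">' \
    '</Host></Engine></Service></Server>' > "$demo_dir/server.xml"
mkdir "$demo_dir/localhost" && chmod 755 "$demo_dir/localhost"
audit_context_dir "$demo_dir/server.xml" "$demo_dir/localhost"
rm -rf "$demo_dir"
```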