
Jetty bash script works only with root user

I have installed Jetty 9 (latest version) by extracting the archive in /opt/jetty .

The start.jar runs fine, but I want the bash service bin/jetty.sh , to be run by a non-root user.

The issue I'm having with the bash script is that when I don't specify a value for $JETTY_USER in /etc/default/jetty (it uses root user), Jetty works. But when I assign a value to it, Jetty fails with the message: Starting Jetty: FAILED , and no log.

So, how do I create a user that can run the jetty?

I know that this question is old, but since this behaviour bugged me recently as well, here's my hint. In my case it was Jetty 8.x on CentOS 6.5, and I had exactly similar behaviour: Jetty starting flawlessly when launched on the command line both as root and as the newly created jetty user, but failing to start whenever trying to run it as a service and specifying a user through the variable JETTY_USER in /etc/default/jetty. Logs were completely empty.

The trick in my case was that no directory was openly specified for logs in the JETTY_LOGS variable. When run directly as a user, when Jetty can't access a normal directory for logs it will try to create one for the user. With the startup script in CentOS/RH systems, though, the process is run by a 'su - -c "command" user' which seems to break that kind of behaviour. No complaint is filed in the log file, as the process breaks right when trying to access them, and both stdout and stderr are redirected to the logs.

To debug your exact permissions problem, try running the server through a "su -c" like the script does; the difference is that you will finally have your stderr on the console. And for the future, also manually create a jetty logs directory with the right permissions, and specify it inside the JETTY_LOGS variable: much less of a headache!

I faced the same issue. In my case I installed Jetty v 9.2.10.v201503 on pcDuino v3, Ubuntu 14.04 following step-by-step installation guidelines “Startup a Unix Service using jetty.sh” (see documentation on eclipse.org).

Since the steps are run as root, I ended up with mixed ownership (root and jetty) of files and directories in $JETTY_BASE directory.

I added JETTY_LOGS=$JETTY_BASE/logs and JETTY_USER=jetty to the /etc/default/jetty file and reissued chown -R jetty:jetty $JETTY_BASE.

After these steps Jetty runs under credentials of jetty user. Though it was pretty easy, I hope that this note might be useful for others who are not professional admins.

Your question seems a little bit mixed up, so it's not 100% clear what outcome you are actually looking for.

The steps you're taking won't work, and there's very little you can do to make them work, but if you can explain what outcome you're after, then we may offer an alternative.

The short answer is:

  • If you set JETTY_USER then jetty.sh has to be run by root.
    Depending on your operating system it will either try to start the jetty daemon as JETTY_USER , or su to JETTY_USER , both of which assume you're running as root.

So, that path isn't going to work for you.

Here's what you can do:

If you simply want to run Jetty as a specific user (eg jetty )

  • don't set JETTY_USER
  • log in as jetty and run jetty.sh
  • this requires that your jetty server is running under a non-privileged port (ie not port 80 )

If you want to be able to run on port 80 but not run as root

  • turn on setuid
  • start jetty.sh as the root user
  • you might consider hooking it into your operating system's service framework (eg using init.d and service )

If you want all users (or some users) to start jetty, but have it run as 1 specific user

  • Use one of the above options along with appropriate rules

Check the ${jetty.home}/logs/start.log (or similarly named log file)

That will tell you why it failed.

Also, you might want to look into the optional setuid support.

http://www.eclipse.org/jetty/documentation/current/setuid.html

I faced the same issue; there was a right access problem on the directory /var/run/jetty/ and jetty was trying to write the logs in that directory.

A chmod 777 /var/run/jetty/ fixed the issue for me.

The problem is caused by no write access rights to the JETTY_RUN which by default is set to /var/run which is effectively regenerated and rights reset to root only on every restart (daemon init). Actually jetty.sh has JETTY_RUN covered such as:

..defaults to the first available of /var/run, /usr/var/run, JETTY_BASE and /tmp if not set.

but that wasn't working in my case. The solution is explicitly setting the JETTY_RUN within /etc/init.d/jetty pointing to the directory which jetty user(group) has write access to (ie /opt/jetty/temp ).

ps: Debian 8 vs Jetty 9.4

Several of the posted answers to this question are correct, and might be needed in combination. Also setting JETTY_USER can have some indirect requirements.

Running jetty as a user other than root requires correct permissions allowing that user access to certain files/directories/trees. Those filesystem objects include the <jetty-home> tree, and either /var/run/jetty or wherever JETTY_RUN , JETTY_START_LOG and JETTY_LOGS are set to if not left to default to /var/run/jetty .

Running jetty as a user by setting JETTY_USER (eg. JETTY_USER=jetty for running the OS service as non-root) also requires that OS user to have a valid shell (eg. /var/sh ) set in /etc/passwd. A good practice is to set that user to have an invalid shell (eg. /usr/sbin/nologin ), closing the security hole of this service user allowing a login. In that case the jetty startup environment must also set JETTY_SHELL (eg. JETTY_SHELL=/bin/sh ) providing a shell for the nonlogin session in which to execute the jetty executables.

These settings can be made in the service startup script (eg. /etc/init.d/jetty where they're commented out by default), but it's a better practice to set them in /etc/default/jetty , leaving the startup script alone because it contains logic and other content better left undisturbed.

Also note that running jetty as root, such as starting it as a service without changing the configured jetty runtime user, will create files (such as logfiles) that are owned by root. Changing the runtime user to a non-root user can cause jetty to fail because it tries to rewrite as the non-root user a file that is owned by root. For example <jetty-base>/logs/<YYYY>_<MM>_<DD>.jetty.log . Changing the owner of that file to the non-root user, or deleting it, is necessary to solve that problem.

And note that when jetty fails to start up because of these kinds of problems it will not write to a log (none is accessible, jetty isn't actually running), outputting merely Starting Jetty: FAILED <datetime> .

All you have to do is change the ownership of the /var/run/jetty directory: sudo chown -R jetty:jetty /var/run/jetty
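
Several answers above trace the silent Starting Jetty: FAILED to directories or leftover log files that the JETTY_USER account does not own. The preflight below is an added example, not code from any answer or from Jetty itself; it assumes a find that supports -maxdepth (GNU or BusyBox), and the script name and sample paths in its comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the answers): ownership/mode preflight for the
# directories jetty.sh writes to when JETTY_USER is set.
# Usage: sh preflight.sh jetty "$JETTY_LOGS" "$JETTY_RUN"   (script name is hypothetical)

# Succeeds when DIR itself has the "other" write bit set (e.g. after chmod 777).
world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -0002 -print)" ]
}

# check_dir USER DIR: print findings, return the number of problems (0 = ok).
# USER may be a name or a numeric uid.
check_dir() {
    user=$1 dir=$2 problems=0
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir: create it and chown it to $user"
        return 1
    fi
    # Anything not owned by USER, e.g. a log file left behind by a root-run start.
    leftovers=$(find "$dir" ! -user "$user" -print) || {
        echo "ERROR   could not scan $dir for user $user"
        return 1
    }
    if [ -n "$leftovers" ]; then
        echo "OWNER   not owned by $user:"
        echo "$leftovers" | sed 's/^/          /'
        problems=$((problems + 1))
    fi
    if world_writable "$dir"; then
        echo "MODE    $dir is world-writable; owner-only write is enough"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# preflight USER DIR...: check every directory, return 1 if any has a problem.
preflight() {
    user=$1; shift
    failed=0
    for d in "$@"; do
        check_dir "$user" "$d" || failed=1
    done
    return "$failed"
}

if [ "$#" -ge 2 ]; then
    preflight "$@"
fi
```

Run it as root before switching JETTY_USER; an OWNER finding is fixed with chown -R to the service user on the listed directory.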
